Cyconet Blog » Postfix

bit nagios-plugin bugsquashing, stalling policyd-weight and my first perl module package

cyco — Mon, 10 Mar 2008 18:18:57 +0000

Last week I did again some work on nagios-plugins. After the announcement of Dann Frazier to upload NMU to fix a trivial bug, I thought it’s time again to give some extra care to the package. So I prepared 1.4.11-2 fixing the important bugs and uploaded it. I also commited some minor fixes to the svn, so these issues will get fixed by the next upload.

Since the development of policyd-weigh stalled and unfortunately maybe get stuck, I was looking for an alternative, which maybe found with postfwd. It’s quite flexible but it also will take more time (and care!) to get a reliable configuration, which maybe effective as policyd-weight (still) is right now. While checking the dependencies for postfwd I noticed that Net::DNS::Async isn’t available in Debian (yet). So I decided to create a package starting with dh-make-perl, join the Debian Perl Group and let it review. Damyan Ivanov was so kind to review and upload it, Gregor Herrmann did also give some much useful hints. Thanks to both!

And yes, I also found time to step forward with NM, since I was overloaded the last weeks with usual work and life. Thank to my AM to be so appreciative.

Conditional greylisting (with postfix, policyd-weight and postgrey)

cyco — Fri, 03 Aug 2007 08:02:46 +0000

In case you think that greylisting might have some disadvantages but give you also some benefits, you probably have thought about to use greylisting with some conditions. For example if you checked some parameters of the mail and you (or better your mailsystem) guess it may be spam, greylisting could be very usefull.
Until now, I was using plain policyd-weight. But mails with $REJECTLEVEL <= score <= $DEFER_LEVEL where in some conditions defered (see policyd-weight default) and if they come back with the same conditions, they will be defered twice. So it makes sence to me to greylist them and if they return within $DEFER_LEVEL, they will pass cause the greylist will allow them.
At first let’s create a restriction class which we can call from policyd-weight within main.cf of postfix:

# restriction class for use with polw (DEFER_ACTION)
smtpd_restriction_classes = greylist
greylist = check_policy_service inet:127.0.0.1:60000

To call postgrey for $REJECTLEVEL <= score <= $DEFER_LEVEL you need to make use of the restriction class “greylist” and let $DEFER_STRING match all defer strings, to get them all greylisted:

# echo “\$DEFER_STRING = ‘NOT’;” >> /etc/policyd-weight.conf
# echo “\$DEFER_ACTION = ‘rc:greylist’;” >> /etc/policyd-weight.conf
# /etc/init.d/postgrey restart

Also you may have a look into The DNSBL countries.nerd.dk. This might be a way to score connections comming from well known spamming countries. But keep in mind, that there may also legitim mails comming from those! ;)

Reduce spam significant

cyco — Fri, 15 Dec 2006 22:51:18 +0000

With policyd-weight you are able to reject mails before the body is received by your MTA, here postfix. No bounce mails, less wasted bandwidth and cpu time. policyd-weight scores characteristics of the mail positive or negative, is a defined value reached, it got rejected. The scores are currently:

– DNSBLs/RHSBLs
– HELO argument
– MAIL FROM: argument
– Client IP address
– DNS client/HELO/FROM entries (A/16 A/24 A/32), PTR/FQDN and Parent Domains (MX/16 MX/24 MX/32) for their correctness respectively whether they match.

It’s available in etch and bpo, installation is really easy:

# aptitude install [-t sarge-backports] policyd-weight

Remove unnecessary reject_rbl_client and reject_rhsbl_client checks from main.cf and insert the check_policy_service:

smtpd_recipient_restrictions =
        permit_mynetworks,
        ...
        reject_unauth_destination,
        check_policy_service inet:127.0.0.1:12525
        ...

You can create a “/etc/policyd-weight.conf” if you would like to adjusting scores or other policyd-weight parameters. You can get the defaults with “policyd-weight defaults”. For more informations have a look at “/usr/share/doc/policyd-weight/documentation.txt.gz” or http://policyd-weight.org.

A normal day on a backup MX with ~500 domain:

backup:~# zgrep -e “postfix.*: connect from” \
/var/log/mail.info.0 | wc -l
29936
backup:~# zgrep -e “policyd-weight.*decided action=5″ \
/var/log/mail.info.0 | wc -l
22738
backup:~# zgrep -e “postfix.*status=sent” \
/var/log/mail.info.0 | wc -l
5570

Running different policyd-weight instances

cyco — Wed, 20 Sep 2006 12:56:11 +0000

Why run different instances of policyd-weight? Cause you may want use different scorings based on Access Policy Delegation.

At first you need make a copy of policyd-weight and modify it, since Robert didn’t implement a switch to specify a config file (yet):

# cp policyd-weight policyd-weight-instance2
# sed “s/\/policyd-weight.conf/\/policyd-weight-instance2.conf/” \
policyd-weight-instance2

Required changes to the config file:

# echo “$syslog_ident = \
“postfix/policyd-weight-INSTANCE2″;” >> \
/etc/policyd-weight-mx.conf
# echo “$SPATH = \
$LOCKPATH.’/polw-instance2.sock’;” >> \
/etc/policyd-weight-mx.conf
# echo “$PIDFILE = \
“/var/run/policyd-weight-instance2.pid”;” >> \
/etc/policyd-weight-mx.conf
# echo “$TCP_PORT = \
12526;” >> /etc/policyd-weight-mx.conf

The difference in my case is to not score “bogus_mx_score”, which may cause trouble when mails coming in from backup MX:

# echo “@bogus_mx_score = (0, 0 );” >> \
/etc/policyd-weight-mx.conf

Different Postfix Access Policy Delegation

cyco — Wed, 20 Sep 2006 12:21:37 +0000

Today I got some hints how to use different Access Policy Delegation with postfix. This it opens the possibility to use diffrent check_policy_service in dependency on sender address, client ip … and so on.

Create aliases for groups of access restrictions in /etc/postfix/main.cf:

smtpd_restriction_classes = policy1,
                            policy2,
policy1 = check_policy_service inet:127.0.0.1:12525
policy2 = check_policy_service inet:127.0.0.1:12526

Create “/etc/postfix/ip_rules.cidr”:

# echo “127.0.0.1 policy1″ > /etc/postfix/ip_rules.cidr
# echo “127.0.0.2 policy1″ >> /etc/postfix/ip_rules.cidr
# echo “0.0.0.0/0 policy2″ >> /etc/postfix/ip_rules.cidr

Add “check_client_access cidr:/etc/postfix/ip_rules.cidr” at the end of “smtpd_recipient_restrictions” in /etc/postfix/main.cf

In this scenario you can have different access policies based on the client ip. It is also possible to base it on client reverse dns with help of pcre maps and recipient/sender address and hash maps