Before queue filter vs access policy delegation?

  • S P Arif Sahari Wibowo
    Message 1 of 9, Aug 8, 2008
      Hi!

      I have one server using a before-queue content filter which
      sometimes has resource problems (mail delivery slows down,
      bogged down by spam and unreachable servers). Not too long
      ago I found out about SMTPD access policy delegation. Since the
      filter does nothing to the e-mail other than accept or reject it,
      it seems that I can do the same with SMTPD access policy
      delegation.

      Currently the filter works by checking sender and recipients,
      specifically some recipient addresses which require an
      authentication code in the address extension. If the
      authentication code is not there then the SMTP conversation is
      rejected immediately.

      So, am I correct to think that this can be implemented with SMTPD
      access policy delegation? What actually is the difference between
      what SMTPD access policy delegation can achieve and what a
      before-queue content filter can do?

      Is it true that SMTPD access policy delegation can have lower
      resource requirements than a before-queue content filter? I am
      also thinking of starting to implement greylisting.

      Thanks!

      --
      (stephan paul) Arif Sahari Wibowo
      _____ _____ _____ _____
      /____ /____/ /____/ /____
      _____/ / / / _____/ http://www.arifsaha.com/
    • Ralf Hildebrandt
      Message 2 of 9, Aug 8, 2008
        * S P Arif Sahari Wibowo <lists@...>:
        > Hi!
        >
        > I have one server using a before-queue content filter which sometimes
        > has resource problems (mail delivery slows down, bogged down by spam
        > and unreachable servers). Not too long ago I found out about SMTPD
        > access policy delegation. Since the filter does nothing to the e-mail
        > other than accept or reject it, it seems that I can do the same with
        > SMTPD access policy delegation.
        >
        > Currently the filter works by checking sender and recipients,
        > specifically some recipient addresses which require an authentication
        > code in the address extension. If the authentication code is not there
        > then the SMTP conversation is rejected immediately.
        >
        > So, am I correct to think that this can be implemented with SMTPD
        > access policy delegation?

        Yes.

        > What actually the difference on what SMTPD access policy delegation can
        > achieve compare to what before queue content filter can do?

        It doesn't need to process the body of the email

        --
        Ralf Hildebrandt (Ralf.Hildebrandt@...) snickebo@...
        Postfix - Einrichtung, Betrieb und Wartung Tel. +49 (0)30-450 570-155
        http://www.arschkrebs.de
        I think the natural reaction one has to their mail being blocked for
        what they think are inappropriate reasons is first to say, "WTF?" and
        then to issue the missile launch codes.
      • S P Arif Sahari Wibowo
        Message 3 of 9, Aug 9, 2008
          On Sat, 9 Aug 2008, Ralf Hildebrandt wrote:
          > Yes.

          Thanks Ralf! Will it do it with fewer resources as well? It seems
          so, since the message does not need to go through 2 Postfix
          smtpd processes. Also the body of the messages is not passed, but
          on the other hand the script will be contacted multiple times
          during receiving an e-mail, right?

          > It doesn't need to process the body of the email

          Just curious, since queue_id is passed, is it possible for the
          script to actually read the email body in the Postfix queue?

          Thanks!

          --
          (stephan paul) Arif Sahari Wibowo
          _____ _____ _____ _____
          /____ /____/ /____/ /____
          _____/ / / / _____/ http://www.arifsaha.com/
        • Noel Jones
          Message 4 of 9, Aug 9, 2008
            S P Arif Sahari Wibowo wrote:
            > On Sat, 9 Aug 2008, Ralf Hildebrandt wrote:
            >> Yes.
            >
            > Thanks Ralf! Will it do it with fewer resources as well? It seems so,
            > since the message does not need to go through 2 Postfix smtpd processes.

            Yes, a policy service is always* less resource intensive than
            a content_filter or proxy.

            *assuming well written software doing about the same thing.

            > Also the body of the messages is not passed, but on the other hand the
            > script will be contacted multiple times during receiving an e-mail, right?

            If the service is called during smtpd_{client, helo, sender,
            recipient}_restrictions, it will be called once for each
            recipient.

            If called during smtpd_data_restrictions, it will be called
            once per message, but no recipient info will be reported if
            the original message had multiple recipients.

            >
            >> It doesn't need to process the body of the email
            >
            > Just curious, since queue_id is passed, is it possible for the script to
            > actually read the email body in the Postfix queue?
            >

            No. The queue file format is intentionally undocumented to
            discourage direct manipulation of queue files. The queue file
            format can change between postfix versions without warning.
            Direct manipulation of queue files is unsupported and not
            recommended.

            Of course, a more basic problem is that the queue file doesn't
            yet exist when the policy service is called from
            smtpd_{client, helo, sender, recipient, data}_restrictions.

            > Thanks!
            >

            --
            Noel Jones
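The policy-service approach discussed in messages 1 and 4, as an added example (this is not code from the thread and not part of Postfix): a small Python daemon that speaks the Postfix attribute=value policy protocol and rejects recipients at a protected domain whose address extension does not carry the expected code, before any message body is transferred. The HMAC-derived code scheme, the secret, the protected domain, the listening port 10040 and the main.cf lines in the module docstring are assumptions for illustration; the thread does not say how the original filter's codes are generated.

```python
"""Postfix SMTPD access policy server for recipient-extension auth codes.

Added example, not code from the thread or from Postfix.  Assumed
configuration (main.cf):

    recipient_delimiter = +
    smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unauth_destination,
        check_policy_service inet:127.0.0.1:10040

With the check placed in smtpd_recipient_restrictions Postfix sends one
request per RCPT TO; only envelope attributes are available, no body.
"""
import hashlib
import hmac
import socketserver

SECRET = b"example-policy-secret"   # assumption: would be loaded from a root-only file
PROTECTED_DOMAIN = "example.com"    # assumption: domain whose mailboxes need a code
RECIPIENT_DELIMITER = "+"           # must match recipient_delimiter in main.cf
LISTEN = ("127.0.0.1", 10040)       # assumption: port used in the main.cf lines above


def parse_policy_request(raw: str) -> dict:
    """Parse one policy request: 'name=value' lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def expected_code(base_localpart: str) -> str:
    """Per-mailbox code: first 8 hex chars of HMAC-SHA256(secret, local part).

    This scheme is an assumption; the thread does not describe the real one.
    """
    mac = hmac.new(SECRET, base_localpart.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:8]


def decide(attrs: dict) -> str:
    """Return the Postfix action for one request (DUNNO lets later restrictions decide)."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    recipient = attrs.get("recipient", "")
    localpart, _, domain = recipient.rpartition("@")
    if domain.lower() != PROTECTED_DOMAIN:
        return "DUNNO"              # only the protected domain needs a code
    base, sep, ext = localpart.partition(RECIPIENT_DELIMITER)
    if not sep or not ext:
        return "REJECT Recipient address requires an authentication code"
    # constant-time compare so the check does not leak the code byte by byte
    if not hmac.compare_digest(ext.encode(), expected_code(base).encode()):
        return "REJECT Invalid authentication code"
    return "DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Postfix may send several requests over one connection; each is a
        # block of attribute lines terminated by an empty line.
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:        # client closed the connection
                    return
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            attrs = parse_policy_request("\n".join(lines))
            self.wfile.write(f"action={decide(attrs)}\n\n".encode())
            self.wfile.flush()


if __name__ == "__main__":
    # Run as an unprivileged user; Postfix connects to it as a TCP policy service.
    with socketserver.ThreadingTCPServer(LISTEN, PolicyHandler) as server:
        server.serve_forever()
```

Rejecting at RCPT TO means the spam body is never received at all, which is where the resource saving over a before-queue filter comes from. On success the daemon answers DUNNO rather than OK so that the restrictions after check_policy_service still apply, and it never touches the queue: at this stage there is nothing there to read.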
          • Bill Anderson
            Message 5 of 9, Aug 13, 2008
              On Aug 9, 2008, at 8:52 PM, Noel Jones wrote:

              >
              >>> It doesn't need to process the body of the email
              >> Just curious, since queue_id is passed, is it possible for the
              >> script to actually read the email body in postfix queue?
              >
              > No. The queue file format is intentionally undocumented to
              > discourage direct manipulation of queue files. The queue file
              > format can change between postfix versions without warning.
              > Direct manipulation of queue files is unsupported and not recommended.
              >
              > Of course, a more basic problem is that the queue file doesn't yet
              > exist when the policy service is called from smtpd_{client, helo,
              > sender, recipient, data}_restrictions.

              To be fair, if he only wants to read the body, he could "shell out" to
              postcat to *read* it so long as it was done late enough in the process
              - i.e. end-of-data. I make no guarantees about performance of such
              acts, however. ;) I have done this *on occasion* for very specific
              checks.

              Obviously modification is out.

              A queue file *could* exist during the RCPT TO phase, but there would
              be no header/body content to be read anyway.


              Cheers,
              Bill
            • S P Arif Sahari Wibowo
              Message 6 of 9, Aug 19, 2008
                On Wed, 13 Aug 2008, Bill Anderson wrote:
                > To be fair, if he only wants to read the body, he could "shell
                > out" to postcat to *read* it so long as it was done late
                > enough in the process - i.e. end-of-data. I make no guarantees
                > about performance of such acts, however. ;) I have done this
                > *on occasion* for very specific checks.

                Thanks. That is the case I thought about. In fact, I think for
                filtering purposes it probably does not matter to read the queue
                file directly, since all the words are there.

                Anyway, if I need to routinely read the body, I will go back to the
                before-queue filter. Before getting to AP delegation, I was
                thinking of modifying the filter into a thin pass-through filter
                facing the Internet directly, so there is no need for a double
                Postfix smtpd.

                --
                (stephan paul) Arif Sahari Wibowo
                _____ _____ _____ _____
                /____ /____/ /____/ /____
                _____/ / / / _____/ http://www.arifsaha.com/
              • S P Arif Sahari Wibowo
                Message 7 of 9, Aug 19, 2008
                  On Sat, 9 Aug 2008, Noel Jones wrote:
                  > Yes, a policy service is always* less resource intensive than
                  > a content_filter or proxy.
                  > *assuming well written software doing about the same thing.

                  Great! I hope the difference is big enough, since I want to
                  implement greylisting on top of it. :-)

                  Talking about greylisting, is there any known issue with
                  implementing greylisting using SQLite as the storage backend?

                  --
                  (stephan paul) Arif Sahari Wibowo
                  _____ _____ _____ _____
                  /____ /____/ /____/ /____
                  _____/ / / / _____/ http://www.arifsaha.com/
                • Noel Jones
                  Message 8 of 9, Aug 19, 2008
                    S P Arif Sahari Wibowo wrote:
                    > On Wed, 13 Aug 2008, Bill Anderson wrote:
                    >> To be fair, if he only wants to read the body, he could "shell out" to
                    >> postcat to *read* it so long as it was done late enough in the process
                    >> - i.e. end-of-data. I make no guarantees about performance of such
                    >> acts, however. ;) I have done this *on occasion* for very specific
                    >> checks.
                    >
                    > Thanks. That is the case I thought about. In fact, I think for filtering
                    > purposes it probably does not matter to read the queue file directly,
                    > since all the words are there.

                    This would work, but seems somewhat of a hack. There are
                    better interfaces to message content.

                    >
                    > Anyway, if I need to routinely read the body, I will go back to the
                    > before-queue filter. Before getting to AP delegation, I was thinking of
                    > modifying the filter into a thin pass-through filter facing the Internet
                    > directly, so there is no need for a double Postfix smtpd.
                    >

                    I would be reluctant to put a self-written proxy in front of
                    postfix connected directly to the internet. There are just
                    too many opportunities to create a security problem.

                    You *can* safely use a self-written filter as a
                    smtpd_proxy_filter used within postfix.

                    --
                    Noel Jones
                  • Noel Jones
                    Message 9 of 9, Aug 19, 2008
                      S P Arif Sahari Wibowo wrote:
                      > On Sat, 9 Aug 2008, Noel Jones wrote:
                      >> Yes, a policy service is always* less resource intensive than a
                      >> content_filter or proxy.
                      >> *assuming well written software doing about the same thing.
                      >
                      > Great! I hope the difference is big enough, since I want to implement
                      > greylisting on top of it. :-)
                      >
                      > Talking about greylisting, is there any known issue with implementing
                      > greylisting using SQLite as the storage backend?
                      >

                      SQLite should work fine.
                      All popular storage back-ends are reasonably reliable; of more
                      concern is the software interfacing to postfix.

                      --
                      Noel Jones
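Greylisting with SQLite as the storage back end, as raised in messages 7 and 9, as an added example (not code from the thread and not any existing greylisting daemon): the triplet store and the decision a policy service would make on each RCPT TO request. The 5-minute delay, the 35-day expiry, keying on the exact client IP rather than a /24, and the WAL/busy-timeout pragmas chosen so several policy processes can share one database file are all assumptions; the sample triplets in the usage section are constructed.

```python
"""Greylisting policy check backed by SQLite (added example, not from the thread)."""
import sqlite3
import time

GREYLIST_DELAY = 300            # assumption: seconds a new triplet must wait
GREYLIST_EXPIRE = 86400 * 35    # assumption: forget triplets unused this long


class Greylist:
    """Classic triplet greylisting: (client IP, sender, recipient)."""

    def __init__(self, path=":memory:"):
        # autocommit (isolation_level=None) so every check is durable at once;
        # WAL + busy_timeout let several policy processes share one file
        self.db = sqlite3.connect(path, isolation_level=None)
        self.db.execute("PRAGMA journal_mode=WAL")
        self.db.execute("PRAGMA busy_timeout=5000")
        self.db.execute(
            """CREATE TABLE IF NOT EXISTS greylist (
                   client     TEXT    NOT NULL,
                   sender     TEXT    NOT NULL,
                   recipient  TEXT    NOT NULL,
                   first_seen INTEGER NOT NULL,
                   last_seen  INTEGER NOT NULL,
                   PRIMARY KEY (client, sender, recipient))"""
        )

    def check(self, client_address, sender, recipient, now=None):
        """Return the Postfix action for one RCPT TO attempt."""
        now = int(now if now is not None else time.time())
        # addresses are case-folded so retries with different casing still match
        key = (client_address, sender.lower(), recipient.lower())
        row = self.db.execute(
            "SELECT first_seen FROM greylist "
            "WHERE client=? AND sender=? AND recipient=?", key
        ).fetchone()
        if row is None:
            # first sight of this triplet: record it and ask the sender to retry
            self.db.execute("INSERT INTO greylist VALUES (?,?,?,?,?)", key + (now, now))
            return "DEFER_IF_PERMIT Greylisted, please try again later"
        self.db.execute(
            "UPDATE greylist SET last_seen=? "
            "WHERE client=? AND sender=? AND recipient=?", (now,) + key
        )
        if now - row[0] < GREYLIST_DELAY:
            # retried too early (typical of spam cannons that never retry properly)
            return "DEFER_IF_PERMIT Greylisted, please try again later"
        return "DUNNO"              # passed the delay; let later restrictions decide

    def expire(self, now=None):
        """Drop triplets not seen for GREYLIST_EXPIRE seconds; returns rows removed."""
        now = int(now if now is not None else time.time())
        cur = self.db.execute("DELETE FROM greylist WHERE last_seen < ?",
                              (now - GREYLIST_EXPIRE,))
        return cur.rowcount


if __name__ == "__main__":
    # constructed sample: one legitimate retry after 6 minutes, one early retry
    g = Greylist()
    t0 = int(time.time())
    print(g.check("192.0.2.10", "alice@example.net", "bob@example.com", t0))
    print(g.check("192.0.2.10", "alice@example.net", "bob@example.com", t0 + 360))
    print(g.check("192.0.2.11", "carol@example.net", "bob@example.com", t0))
    print(g.check("192.0.2.11", "carol@example.net", "bob@example.com", t0 + 30))
```

DEFER_IF_PERMIT rather than DEFER is used so that a later restriction that would reject the recipient outright still wins and the client is not told to retry something that will never be accepted. The database interaction is deliberately one indexed lookup plus one write per request, which is the part Noel's point about the interfacing software is about: SQLite itself is not the bottleneck, an unindexed table or a lock held across the whole policy request would be.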