
Re: RBL 'weighting'?

  • Noel Jones
    Message 1 of 10 , Dec 17, 2012
      On 12/17/2012 7:40 AM, Miha Valencic wrote:
      > Hi!
      >
      > Is it possible to add-up scores from different RBL's and reject the
      > incoming message after a certain threshold?
      >
      > For instance, we have a number of RBLs configured and would like to
      > reject email only after a couple of RBLs fail verification.
      >
      > Thanks,
      > Miha.
      >


      The postfix "postscreen" feature has RBL weighing built in.
      http://www.postfix.org/POSTSCREEN_README.html
      http://www.postfix.org/postscreen.8.html
      http://www.postfix.org/postconf.5.html#postscreen_dnsbl_sites
      http://www.postfix.org/postconf.5.html#postscreen_dnsbl_threshold

      If you can't or don't want to use postscreen, you can use an
      external policy service, such as policyd-weight or postfwd, which
      will give you more flexible access control.
      http://www.postfix.org/SMTPD_POLICY_README.html
      http://www.postfix.org/addon.html#policy




      -- Noel Jones
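
Added example, not part of the original thread and not code from Postfix, policyd-weight or postfwd: a sketch of the weighted-RBL decision an external policy service could make over the policy delegation protocol described in SMTPD_POLICY_README. The zone names, weights, threshold and the IPv4-only handling are assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed zones and weights (assumptions, not taken from the thread).
DNSBL_WEIGHTS = {"bl-a.example": 2, "bl-b.example": 1, "bl-c.example": 1}
THRESHOLD = 2  # reject once the summed weight reaches this value


def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def dns_listed(query):
    """Default lookup: an A record in 127.0.0.0/8 counts as listed."""
    try:
        return socket.gethostbyname(query).startswith("127.")
    except OSError:
        return False  # NXDOMAIN or resolver failure: fail open, not listed


def dnsbl_score(client_ip, listed=dns_listed):
    """Sum the weights of every zone that lists client_ip (IPv4 only)."""
    addr = ipaddress.ip_address(client_ip)  # ValueError on bad input
    if addr.version != 4:
        return 0
    rev = ".".join(reversed(str(addr).split(".")))
    return sum(w for zone, w in DNSBL_WEIGHTS.items() if listed(f"{rev}.{zone}"))


def policy_reply(request_text, listed=dns_listed):
    """Return the reply Postfix expects: an action line plus an empty line."""
    attrs = parse_request(request_text)
    try:
        score = dnsbl_score(attrs.get("client_address", ""), listed)
    except ValueError:
        return "action=DUNNO\n\n"  # missing or malformed address: no opinion
    if score >= THRESHOLD:
        return f"action=REJECT Blocked by DNSBL score {score}\n\n"
    return "action=DUNNO\n\n"
```

Postfix would consult such a service through `check_policy_service` in an smtpd restriction list; a single listing with weight 1 stays below the threshold and yields `DUNNO`, so later restrictions still apply.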
    • Miha Valencic
      Message 2 of 10 , Dec 17, 2012
        Wietse, Noel,

        thanks for the prompt answers. I've been already looking at postscreen
        and postfwd, but wondered if there is something in the postfix
        *_restrictions as well. We're using postfix 2.7, so postscreen is out.
        We're looking into implementing policyd anyway, so that's probably a
        good place.

        Kind regards,
        Miha.

        On Mon, Dec 17, 2012 at 3:00 PM, Wietse Venema <wietse@...> wrote:
        > Only with postscreen(8). This will not be implemented in
        > smtpd_mumble_restrictions.
      • Benny Pedersen
        Message 3 of 10 , Dec 17, 2012
          Miha Valencic wrote on 17-12-2012 14:40:

          > Is it possible to add-up scores from different RBL's and reject the
          > incoming message after a certain threshold?

          sounds like policyd-weight

          > For instance, we have a number of RBLs configured and would like to
          > reject email only after a couple of RBLs fail verification.

          but postfix with postscreen enabled can do this as well, just not what
          postscreen was intended to do, so start with policyd-weight first
        • Henrik K
          Message 4 of 10 , Dec 17, 2012
            On Mon, Dec 17, 2012 at 04:39:36PM +0100, Benny Pedersen wrote:
            > Miha Valencic wrote on 17-12-2012 14:40:
            >
            > >Is it possible to add-up scores from different RBL's and reject the
            > >incoming message after a certain threshold?
            >
            > sounds like policyd-weight
            >
            > >For instance, we have a number of RBLs configured and would like to
            > >reject email only after a couple of RBLs fail verification.
            >
            > but postfix with postscreen enabled can do this as well, just not
            > what postscreen was intended to do, so start with policyd-weight
            > first

            Policyd-weight is deprecated and doesn't even have async DNS lookups etc.
            Postfwd has replaced all that.
          • Miha Valencic
            Message 5 of 10 , Dec 17, 2012
              So, since we need some features of policyd as well (rate limiting, for
              instance), and we're already using amavis, do we chain postfwd before
              policyd or vice-versa?

              Thanks,
              Miha.

              On Mon, Dec 17, 2012 at 4:47 PM, Henrik K <hege@...> wrote:
              > Policyd-weight is deprecated and doesn't even have async DNS lookups etc.
              > Postfwd has replaced all that.
            • Noel Jones
              Message 6 of 10 , Dec 17, 2012
                On 12/17/2012 10:52 AM, Miha Valencic wrote:
                > So, since we need some features of policyd as well (rate limiting, for
                > instance), and we're already using amavis, do we chain postfwd before
                > policyd or vice-versa?
                >
                > Thanks,
                > Miha.


                postfwd does rate limiting, and many other features. Maybe you can
                consolidate everything into postfwd.

                Additionally, rate limiting is typically done on outgoing mail,
                while RBL checks are typically for inbound mail. This might be a
                good time to investigate multiple postfix instances to separate your
                traffic flow.
                http://www.postfix.org/MULTI_INSTANCE_README.html

                Anyway, to answer your question about which to use first; it
                probably doesn't matter. Rule-of-thumb is to put less expensive
                checks first -- that suggests rate limits with local table lookups
                first, then the more time-consuming RBL lookups next. But in this
                situation it probably doesn't make much difference since they are
                checking different mail flows.




                -- Noel Jones
              • Miha Valencic
                Message 7 of 10 , Dec 17, 2012
                  On Mon, Dec 17, 2012 at 7:13 PM, Noel Jones <njones@...> wrote:
                  > postfwd does rate limiting, and many other features. Maybe you can
                  > consolidate everything into postfwd.

                  We'll take a deeper look at postfwd for that.

                  > Additionally, rate limiting is typically done on outgoing mail,

                  True. But there are some specific requirements (beyond my
                  understanding :(). But if the setup will not be identical, we'll have
                  to look into the multi-postfix setup again.

                  Miha
                • /dev/rob0
                  Message 8 of 10 , Dec 17, 2012
                    On Mon, Dec 17, 2012 at 04:01:58PM +0100, Miha Valencic wrote:
                    > We're using postfix 2.7, so postscreen is out.

                    Actually not. You could build 2.8 and bring in the postscreen and
                    dnsblog executables and master.cf configuration; this should work
                    according to:

                    http://www.postfix.org/announcements/postfix-2.7.0.html

                    But then, you might as well just build and use 2.9.
                    --
                    http://rob0.nodns4.us/ -- system administration and consulting
                    Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: