MetaFilter is turning ten! Help us celebrate at one of dozens of meetups.


Tags:



Help me punt email before it wastes postgreys time.
December 1, 2007 5:50 PM   RSS feed for this thread Subscribe

Spammy spammers sending crap to my mail server are wasting time and resources. I'm using postfix & postgrey (greylisting) on this new server, but....

See the log section here:

Nov 30 19:34:43 heap postfix/smtpd[27141]: NOQUEUE: reject: RCPT from unknown[201.240.117.167]: 450 4.7.1 <7>: Recipient address rejected: Greylisted for 18 seconds (see http://isg.ee.ethz.ch/tools/postgrey...pbp.net.html); from= to=<7> proto=ESMTP helo=
Nov 30 19:34:43 heap postfix/smtpd[27141]: NOQUEUE: reject: RCPT from unknown[201.240.117.167]: 450 4.7.1 <7>: Recipient address rejected: Greylisted for 18 seconds (see http://isg.ee.ethz.ch/tools/postgrey...pbp.net.html); from= to=<7> proto=ESMTP helo=
Nov 30 19:34:43 heap postfix/smtpd[27141]: NOQUEUE: reject: RCPT from unknown[201.240.117.167]: 450 4.7.1 <7>: Recipient address rejected: Greylisted for 18 seconds (see http://isg.ee.ethz.ch/tools/postgrey...pbp.net.html); from= to=<7> proto=ESMTP helo=

--
Postfix is greylisting things for addresses that do not exist on my system. This is the first box that I've used greylisting on. With the previous server, I had Postfix to use a relay_recipient_maps file and that file contained a list of valid email addresses. Anything else was rejected.

While postfix is still rejecting the addresses that are invalid, Postgrey is also getting involved. I'd like to have Postfix just reject the invalid addresses right off the bat before Postgrey gets involved.

In main.cf:
relay_recipient_maps = hash:/etc/postfix/valid_emails

smtpd_recipient_restrictions =
reject_unauth_pipelining,
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_recipient,
reject_unauth_destination,
check_policy_service inet:127.0.0.1:60000,
check_recipient_access hash:/etc/postfix/recipient_checks,
check_sender_access hash:/etc/postfix/sender_access,
check_client_access hash:/etc/postfix/banned_servers,
permit

--

I really don't want to sign up for the Postfix-users mailing list just to ask one question, and I have already searched Google for this issue to no avail.

Anybody have Postfix-foo that can help me? I believe it might be a matter of re-ordering some of the content checks, but I'm not too sure.
__________________
posted by drstein to computers & internet (7 comments total) 2 users marked this as a favorite
Can't answer your main question, but regarding this:

I really don't want to sign up for the Postfix-users mailing list just to ask one question

Gmane is great for these situations.
posted by grouse at 5:59 PM on December 1, 2007


Hah! I had completely forgotten about Gmane. It reminded me that I have a usenet account, and there's still an active postfix newsgroup. I'll try there too. :-)
posted by drstein at 6:17 PM on December 1, 2007


Why would you want to cut postgrey out? The whole idea is that your greylisting daemon is cheap as far as system resources are concerned, no? Put another way, is this really your bottleneck?
posted by tarheelcoxn at 6:26 PM on December 1, 2007


Consider setting up a teergrube. My experience is that high volume spammers will quickly quit bothering you :-)
posted by paulsc at 7:51 PM on December 1, 2007 [2 favorites]


"Why would you want to cut postgrey out? The whole idea is that your greylisting daemon is cheap as far as system resources are concerned, no? Put another way, is this really your bottleneck?"

Yes, it is. Postgrey shouldn't be greylisting these addresses because these emails (that you see in the logs) are destined for addresses that do not exist on my system.

Basically, Postgrey is processing crap that should be punted right at the initial SMTP conversation. I want to stop that from happening. If it's destined for an invalid address, it should not even get to postgrey at all.
posted by drstein at 8:49 PM on December 1, 2007


Well, in checking the documentation, it looks like it must check relay_recipient_maps after it goes through the full SMTP verification process, meaning that you'll get a postgrey message on every one of them. I don't see any way, in a quick perusal, to change the order of these checks.

This is a bit odd, because normally recipient checks are done in the smtpd_recipient_restrictions section. They're done in the order you list them, which is important to many sysadmins, including you. It's very odd to me that they would add this other feature and do it with an entirely separate command that's not part of smtpd_recipient_restrictions. Basically, it looks like they didn't think it through.

This might be worth subscribing to the list and asking about... this sure looks brain dead to me, which is unusual for Postfix.
posted by Malor at 9:35 PM on December 1, 2007


This post had the answer.

I finally found it. heh.

> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> check_sender_access,
> hash:/etc/postfix/sender_access,
> reject_unauth_destination,

Add reject_unlisted_recipient here

> check_policy_service inet:127.0.0.1:60000,
> reject_rbl_client sbl-xbl.spamhaus.org,
> check_relay_domains
posted by drstein at 1:22 PM on December 10, 2007


« Older Gay Male Fiction: Please Recom...   |   Need help with learning to spe... Newer »
This thread is closed to new comments.


Related Questions
Help me set up Postfix, please. January 24, 2007
Open source e-mail scalability August 26, 2005
How do I set up a Linux server to receive and... February 4, 2005
PostFix Mail December 29, 2004
Postfix Fix? February 2, 2004