Comments on: Help me punt email before it wastes postgreys time.

Question: Help me punt email before it wastes postgreys time.

drstein — Sat, 01 Dec 2007 17:50:30 -0800

Spammy spammers sending crap to my mail server are wasting time and resources. I'm using postfix & postgrey (greylisting) on this new server, but....

See the log section here:

Nov 30 19:34:43 heap postfix/smtpd[27141]: NOQUEUE: reject: RCPT from unknown[201.240.117.167]: 450 4.7.1 <7>: Recipient address rejected: Greylisted for 18 seconds (see http://isg.ee.ethz.ch/tools/postgrey...pbp.net.html); from= to=<7> proto=ESMTP helo=
Nov 30 19:34:43 heap postfix/smtpd[27141]: NOQUEUE: reject: RCPT from unknown[201.240.117.167]: 450 4.7.1 <7>: Recipient address rejected: Greylisted for 18 seconds (see http://isg.ee.ethz.ch/tools/postgrey...pbp.net.html); from= to=<7> proto=ESMTP helo=
Nov 30 19:34:43 heap postfix/smtpd[27141]: NOQUEUE: reject: RCPT from unknown[201.240.117.167]: 450 4.7.1 <7>: Recipient address rejected: Greylisted for 18 seconds (see http://isg.ee.ethz.ch/tools/postgrey...pbp.net.html); from= to=<7> proto=ESMTP helo=

--
Postfix is greylisting things for addresses that do not exist on my system. This is the first box that I've used greylisting on. With the previous server, I had Postfix to use a relay_recipient_maps file and that file contained a list of valid email addresses. Anything else was rejected.

While postfix is still rejecting the addresses that are invalid, Postgrey is also getting involved. I'd like to have Postfix just reject the invalid addresses right off the bat before Postgrey gets involved.

In main.cf:
relay_recipient_maps = hash:/etc/postfix/valid_emails

smtpd_recipient_restrictions =
reject_unauth_pipelining,
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_recipient,
reject_unauth_destination,
check_policy_service inet:127.0.0.1:60000,
check_recipient_access hash:/etc/postfix/recipient_checks,
check_sender_access hash:/etc/postfix/sender_access,
check_client_access hash:/etc/postfix/banned_servers,
permit

--

I really don't want to sign up for the Postfix-users mailing list just to ask one question, and I have already searched Google for this issue to no avail.

Anybody have Postfix-foo that can help me? I believe it might be a matter of re-ordering some of the content checks, but I'm not too sure.
__________________

By: grouse

grouse — Sat, 01 Dec 2007 17:59:19 -0800

Can't answer your main question, but regarding this:

I really don't want to sign up for the Postfix-users mailing list just to ask one question

Gmane is great for these situations.

By: drstein

drstein — Sat, 01 Dec 2007 18:17:23 -0800

Hah! I had completely forgotten about Gmane. It reminded me that I have a usenet account, and there's still an active postfix newsgroup. I'll try there too. :-)

By: tarheelcoxn

tarheelcoxn — Sat, 01 Dec 2007 18:26:26 -0800

Why would you want to cut postgrey out? The whole idea is that your greylisting daemon is cheap as far as system resources are concerned, no? Put another way, is this really your bottleneck?

By: paulsc

paulsc — Sat, 01 Dec 2007 19:51:31 -0800

Consider setting up a teergrube. My experience is that high volume spammers will quickly quit bothering you :-)

By: drstein

drstein — Sat, 01 Dec 2007 20:49:43 -0800

"Why would you want to cut postgrey out? The whole idea is that your greylisting daemon is cheap as far as system resources are concerned, no? Put another way, is this really your bottleneck?"

Yes, it is. Postgrey shouldn't be greylisting these addresses because these emails (that you see in the logs) are destined for addresses that do not exist on my system.

Basically, Postgrey is processing crap that should be punted right at the initial SMTP conversation. I want to stop that from happening. If it's destined for an invalid address, it should not even get to postgrey at all.

By: Malor

Malor — Sat, 01 Dec 2007 21:35:54 -0800

Well, in checking the documentation, it looks like it must check relay_recipient_maps after it goes through the full SMTP verification process, meaning that you'll get a postgrey message on every one of them. I don't see any way, in a quick perusal, to change the order of these checks.

This is a bit odd, because normally recipient checks are done in the smtpd_recipient_restrictions section. They're done in the order you list them, which is important to many sysadmins, including you. It's very odd to me that they would add this other feature and do it with an entirely separate command that's not part of smtpd_recipient_restrictions. Basically, it looks like they didn't think it through.

This might be worth subscribing to the list and asking about... this sure looks brain dead to me, which is unusual for Postfix.

By: drstein

drstein — Mon, 10 Dec 2007 13:22:19 -0800

This post had the answer.

I finally found it. heh.

> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> check_sender_access,
> hash:/etc/postfix/sender_access,
> reject_unauth_destination,

Add reject_unlisted_recipient here

> check_policy_service inet:127.0.0.1:60000,
> reject_rbl_client sbl-xbl.spamhaus.org,
> check_relay_domains