[TriLUG] mailing list server filtering setup questions

Michael Hrivnak mhrivnak at hrivnak.org
Thu Dec 20 17:26:16 EST 2007


Keep in mind that for mailing lists, you really only need to filter messages 
on the way in.

You don't need amavisd unless you want to have very fine control, such as 
per-user filtering rules.  For my high-throughput gateway, I use clamsmtp and 
a simple bash script to send things through spamd.  Amavisd is very powerful 
and useful, but if you don't need its features, keep it simple to reduce 
overhead.  It's also worth noting that amavisd is not easy to configure if 
you don't happen to know Perl.

Postfix does greylisting.  It's possible that a third-party greylister would 
have more features, but I've never done a comparison.

Consider taking advantage of this: http://saupdates.openprotect.com/

My only other suggestion is to consider using this:
smtpd_sender_restrictions = reject_unknown_sender_domain

That will cause postfix to issue a 450 temporary error for any message for 
which the From address domain does not have an A or MX record.  This cuts 
down on lots of spam, but it could create a DNS bottleneck.  If you choose to 
do this on your filter box, it's best to also do it on your backup relays.  
Otherwise the relays will get piles of such messages sitting in their queue 
for days at a time.

Michael




On Thursday 20 December 2007 3:08:30 pm Cristóbal Palmer wrote:
> Firstly, thanks for your thoughtful and detailed responses.
>
> On Dec 20, 2007 1:41 PM, Michael Hrivnak <mhrivnak at hrivnak.org> wrote:
> > As others have said, spammers often relay through the lower priority mail
> > handlers in hopes that there is less filtering.
>
> Yep. I get it now. Gonna make it unaccessible from the outside world
> as soon as that's feasible.
>
> > My primary concern with your plan is the need to failover into no
> > filtering. If you don't trust your filter relay to be a reliable machine,
> > you really shouldn't be using it.
>
> One of the hazards of running on donated hardware. This is why I like
> to ask questions here: airing ideas reveals the faulty assumptions or
> bad rationalizations.
>
> > As for hardware, I'm handling 10-12k messages per day on an Athlon XP
> > 2500+ with spamassassin and clamav.  For performance, it helps to use
> > spamd and clamd.  The machine you describe is major overkill for 860
> > messages/day.
>
> That's valid list posts, ie. inbound messages that mailman decided to
> say, "yes this is a valid post to a valid list; I'll send it out."
> There are about 40k smtp transactions per weekday. I should probably
> dig more into the logs to get an accurate sense of the volume of spam
> that the filter(s) will have to deal with.
>
> > I have a postfix gateway in production very similar to the one I suggest
> > for your situation, and I am happy to offer more specific help on how to
> > get yours going.
>
> Great! I'll be sure to post back if I run into specific trouble. I'm
> hearing several people mention clamav and fewer mention amavisd. Shall
> I limit myself to postfix, some greylisting daemon (which?),
> spamassassin, and clamav? Anything else this machine should be doing?
>
> > When you are satisfied that they work, then you can change your DNS
> > records to put them in production.
>
> That's about what I was thinking, but part of me would like to figure
> out how to test what sort of load the setup can/should handle. If it's
> going to fail, I'd like to have a good sense of which way it will
> fall. :)
>
> Again, thanks so much for the comments!
>
> Cheers,
> --
> Cristóbal M. Palmer
> celebrating 15 years of sunsite/metalab/ibiblio:
> http://tinyurl.com/2o8hj4
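
The advice above to set reject_unknown_sender_domain on the backup relays as well as on the filter box can be checked mechanically. This is an added example, not part of the original message: a shell script that reads a copy of each host's main.cf and flags any host whose smtpd_sender_restrictions lacks the restriction (the file names and sample contents are constructed, and only that one parameter is examined).

```shell
#!/bin/sh
# Added example (not from the original post). Sample configs are constructed.

# Print the effective value of parameter $1 in main.cf file $2. Lines that
# start with whitespace continue the previous logical line, comments and blank
# lines are skipped, and a repeated parameter overrides the earlier one.
param_value() {
    awk -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ {
            if (active) { sub(/^[ \t]+/, ""); val = val " " $0 }
            next
        }
        {
            active = 0
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", name)
            if (name == want) { val = substr($0, eq + 1); active = 1 }
        }
        END { print val }' "$2"
}

# Succeed if smtpd_sender_restrictions in file $1 lists the restriction.
# Assumption: the restriction is not placed in some other restriction list.
has_restriction() {
    param_value smtpd_sender_restrictions "$1" |
        tr ', \t' '\n\n\n' | grep -qx 'reject_unknown_sender_domain'
}

# Report each config; return non-zero if any host lacks the restriction.
audit_relays() {
    missing=0
    for cf in "$@"; do
        if has_restriction "$cf"; then echo "ok       $cf"
        else echo "MISSING  $cf"; missing=$((missing + 1)); fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed samples: filter box, a matching backup MX, a mismatched backup MX.
demo=$(mktemp -d)
printf 'smtpd_sender_restrictions = reject_unknown_sender_domain\n' > "$demo/filter.cf"
printf 'smtpd_sender_restrictions =\n    permit_mynetworks,\n    # comment\n    reject_unknown_sender_domain\n' > "$demo/mx2.cf"
printf 'smtpd_sender_restrictions = reject_non_fqdn_sender\n' > "$demo/mx3.cf"
audit_relays "$demo/filter.cf" "$demo/mx2.cf" "$demo/mx3.cf" || echo "backup relays out of sync"
```

On a live host, `postconf -h smtpd_sender_restrictions` prints the same effective value without parsing the file by hand.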

