<side point>
FYI, It is not necessary to include the sender's email and the list address on a response- the OP will get two messages. The list address is all you need. Thanks in advance...
</side point>
"in terms of throughput, if you have to do X (eg dns lookup) before
doing Y, and what your throughput is. Some mail clusters handles
millions of emails, etc. etc"
That doesn't quite make sense. The DNS lookups are going to get cached. In the case of Zimbra, postfix and postscreen are on the same node so the the greater processing penalty is with postfix since it has to do the blocklist and other checks. Although...
(from http://www.postfix.org/POSTSCREEN_README.html)
"For each connection from an SMTP client, postscreen(8) performs a number of tests in the order as described below. Some tests introduce a delay of a few seconds. postscreen(8) maintains a temporary whitelist for clients that pass its tests; by allowing whitelisted clients to skip tests, postscreen(8) minimizes its impact on legitimate email traffic."
and...
"Before engaging in SMTP-level tests. postscreen(8) queries a number of local black and whitelists. These tests speed up the handling of known clients."
I see, the penalty is in the SMTP level check. Inter-process communication via TCP sockets isn't going to be the fastest but that's rather high- this is definitely something be mindful of.
"anyway, if you are running one email server (singular) it is not all that
useful so much, I guess. but as with our previous discussions, do not
let the technical stuff bother you, it is your server, so do as you like"
LOL, right... because technical conversation on a technical list- that's weird
FYI, It is not necessary to include the sender's email and the list address on a response- the OP will get two messages. The list address is all you need. Thanks in advance...
</side point>
"in terms of throughput, if you have to do X (eg dns lookup) before
doing Y, and what your throughput is. Some mail clusters handles
millions of emails, etc. etc"
That doesn't quite make sense. The DNS lookups are going to get cached. In the case of Zimbra, postfix and postscreen are on the same node so the the greater processing penalty is with postfix since it has to do the blocklist and other checks. Although...
(from http://www.postfix.org/POSTSCREEN_README.html)
"For each connection from an SMTP client, postscreen(8) performs a number of tests in the order as described below. Some tests introduce a delay of a few seconds. postscreen(8) maintains a temporary whitelist for clients that pass its tests; by allowing whitelisted clients to skip tests, postscreen(8) minimizes its impact on legitimate email traffic."
and...
"Before engaging in SMTP-level tests. postscreen(8) queries a number of local black and whitelists. These tests speed up the handling of known clients."
I see, the penalty is in the SMTP level check. Inter-process communication via TCP sockets isn't going to be the fastest but that's rather high- this is definitely something be mindful of.
"anyway, if you are running one email server (singular) it is not all that
useful so much, I guess. but as with our previous discussions, do not
let the technical stuff bother you, it is your server, so do as you like"
LOL, right... because technical conversation on a technical list- that's weird
'Appreciate the feedback, thanks.
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Keith C. Perry, MS E.E.
From: "ac" <ac@main.me>
To: "Keith C. Perry" <kperry@daotechnologies.com>
Cc: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Monday, October 24, 2016 4:36:46 PM
Subject: Re: [PLUG] Postscreen (another tool for helping to minimize the effect of spam)
To: "Keith C. Perry" <kperry@daotechnologies.com>
Cc: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Monday, October 24, 2016 4:36:46 PM
Subject: Re: [PLUG] Postscreen (another tool for helping to minimize the effect of spam)
On Mon, 24 Oct 2016 16:25:18 -0400 (EDT)
"Keith C. Perry" <kperry@daotechnologies.com> wrote:
Two questions...
1) "higher overhead"
In terms of what specifically. Memory, cpu, etc... I can't see a
whitelist cheap being that intensive relative to the full check the
main mail server does.
in terms of throughput, if you have to do X (eg dns lookup) before
doing Y, and what your throughput is. Some mail clusters handles
millions of emails, etc. etc
2) "...somewhat less effective these days as bots also deal with
delays now."
When you say "deal with", How so? Postscreen sounds like it does
for mail what my iptables rule do for my entire net- that is to say,
prevent spammers from over running the server. I guessing the
Postscreen delay is configurable but are you saying there is some way
around that?
okay, no. postscreen has many cool features, start using it on your
email cluster and see, you can score (weigh) rbl and many cool things
the delays - spam as everyone knows, comes from many different sources.
The source that postscreen was really good at defending, the botnets
was mostly due to the delay happening at the end/last but the bots have
become more sophisticated and these days they spawn/wait/come back
some of these new bots & controllers are tracked here:
http://spamid.net
anyway, if you are running one email server (singular) it is not all that
useful so much, I guess. but as with our previous discussions, do not
let the technical stuff bother you, it is your server, so do as you like :)
Andre
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Owner, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com
----- Original Message -----
From: "ac" <ac@main.me>
To: "Keith C. Perry" <kperry@daotechnologies.com>
Cc: "Philadelphia Linux User's Group Discussion List"
<plug@lists.phillylinux.org> Sent: Monday, October 24, 2016 4:11:51 PM
Subject: Re: [PLUG] Postscreen (another tool for helping to minimize
the effect of spam)
On Mon, 24 Oct 2016 16:06:25 -0400 (EDT)
"Keith C. Perry" <kperry@daotechnologies.com> wrote:
> First I've heard of postscreen (and now postgrey- thanks) so I'll
> have to see how it goes in the wild.
>
I use it, yes it is cool but it is somewhat less effective these days
as bots also deal with delays now. It has a higher overhead but is
still very effective in smaller email clusters, like an other expert
said, it depends on your environment, how many physical mail servers
you have, where they are, etc etc. - in larger clusters, not so much,
there are lower overhead ways, like basic checks (no dns, etc) larger
clusters you still need to build to fit a suitable greylisting design
as each requirement is always different and any overhead/delays/etc is
not that good/acceptable
1c
Andre
> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
> Keith C. Perry, MS E.E.
> Owner, DAO Technologies LLC
> (O) +1.215.525.4165 x2033
> (M) +1.215.432.5167
> www.daotechnologies.com
>
> ----- Original Message -----
> From: "Rich Freeman" <r-plug@thefreemanclan.net>
> To: "Philadelphia Linux User's Group Discussion List"
> <plug@lists.phillylinux.org> Sent: Monday, October 24, 2016 3:55:34
> PM Subject: Re: [PLUG] Postscreen (another tool for helping to
> minimize the effect of spam)
>
> On Mon, Oct 24, 2016 at 2:47 PM, Keith C. Perry
> <kperry@daotechnologies.com> wrote:
> > For what its worth, Zimbra 8.7 has built in Postscreen
> > functionality (since it is part of Postfix) and they have nice
> > write up on it at:
> >
> > https://wiki.zimbra.com/wiki/Zimbra_Collaboration_Postscreen
> >
> > The main, Postfix man page is here:
> >
> > http://www.postfix.org/postscreen.8.html
>
> Interesting. I'm currently running postfix and postgrey. How much
> of a drop-in is postscreen, or do you really need to tweak the
> config to have it work "correctly?" Does it offer many benefits
> compared to postgrey? Postgrey also does the whitelisting but the
> test consists simply of dropping every connection with a temporary
> failure and seeing if the host bothers to try again later.
>
> It looks like you want it to only filter inbound mail from the
> internet. That isn't a big deal since that all comes in through a
> gateway anyway, so I can just have it go to a dedicated postscreen
> port.
>
___________________________________________________________________________
Philadelphia Linux Users Group --
http://www.phillylinux.org Announcements -
http://lists.phillylinux.org/mailman/listinfo/plug-announce General
Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
___________________________________________________________________________
Philadelphia Linux Users Group --
http://www.phillylinux.org Announcements -
http://lists.phillylinux.org/mailman/listinfo/plug-announce General
Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug