[PLUG] A Postgrey problem solved

Keith Lofstrom keithl at kl-ic.com
Wed Dec 28 19:45:14 UTC 2005


As I mentioned in a previous post to the PLUG list, I am now
running Postgrey, and it really stops a lot of spam.  I also
run a DNS check, an RBL check, and spamassassin afterwards.  
While I am getting 30,000 spam attempts per day hitting my
server, only 2 or 3 make it through.  Color me pleased!

There were a couple of things I ran into that aren't mentioned
in the rather skimpy Postgrey documentation, that might save
some of you some headaches. 

First, the documentation suggests using a port to connect to
the postgrey daemon, while the RPM installs /etc/rc.d/init.d/postgrey
configured to use a socket.  If you install from an rpm, check
the file /etc/rc.d/init.d/postgrey.  If it contains these lines:

DBPATH=/var/spool/postfix/postgrey
SOCKET=$DBPATH/socket
OPTIONS="--unix=$SOCKET"

Then you should have these lines in your /etc/postfix/main.cf file:

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_policy_service unix:/var/spool/postfix/postgrey/socket

Second, the "permit_mynetworks" line above is important, but not
explicitly mentioned in the postgrey documentation.  I initially
configured the above lines without the "permit_mynetworks".  It
failed to pass traffic outbound from the mailing lists I run on
my servers.  I would get a bunch of these errors instead:

  Dec 28 13:40:19 rimu postfix/smtpd[24279]: NOQUEUE: reject: RCPT from \
  localhost[127.0.0.1]: 554 <john at somedomain.com>: Relay access denied; \
  from=<dirvish-bounces at dirvish.org> to=<john at somedomain.com> proto=ESMTP \
  helo=<rimu.kl-ic.com>
  (line breaks added)

Of course, the inbound line to keithl AT kl-ic DOT com worked fine;
it was difficult to detect that the mailing list was broken.

I fiddled with all sorts of things, but eventually found a few postfix
main.cf listings on websites out there with "permit_mynetworks" set.
This frob got the mailing lists moving again.
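To make the two checks above repeatable (the init script's socket must match the check_policy_service address in main.cf, and permit_mynetworks must precede reject_unauth_destination so that local mailing-list traffic is not rejected as an unauthorized relay), here is a small POSIX shell script. It is an added example, not code from Keith's post or from the Postgrey or Postfix projects. It assumes the init script carries DBPATH/SOCKET/OPTIONS assignments in the form quoted above, and it works on constructed sample files rather than the live /etc/postfix/main.cf; the 127.0.0.1 default used for a bare --inet=port is an assumption.

```sh
#!/bin/sh
# Constructed sample of the RPM's init script fragment (not the real file).
INIT_SAMPLE=$(mktemp)
cat > "$INIT_SAMPLE" <<'EOF'
DBPATH=/var/spool/postfix/postgrey
SOCKET=$DBPATH/socket
OPTIONS="--unix=$SOCKET"
EOF

# Constructed main.cf as first configured: no permit_mynetworks.
BAD_MAINCF=$(mktemp)
cat > "$BAD_MAINCF" <<'EOF'
smtpd_recipient_restrictions =
    reject_unauth_destination
    check_policy_service unix:/var/spool/postfix/postgrey/socket
EOF

# Constructed main.cf with the fix applied.
GOOD_MAINCF=$(mktemp)
cat > "$GOOD_MAINCF" <<'EOF'
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_policy_service unix:/var/spool/postfix/postgrey/socket
EOF
trap 'rm -f "$INIT_SAMPLE" "$BAD_MAINCF" "$GOOD_MAINCF"' EXIT

# policy_address INITFILE
# Prints the check_policy_service argument implied by OPTIONS in the init
# script.  Only the three assignment lines are eval'd, in a subshell, so
# $DBPATH expands the same way it does when the init script runs.
policy_address() {
    opts=$(eval "$(grep -E '^(DBPATH|SOCKET|OPTIONS)=' "$1")"; printf '%s' "$OPTIONS")
    case "$opts" in
        *--unix=*) rest=${opts#*--unix=}; printf 'unix:%s\n' "${rest%% *}" ;;
        *--inet=*) rest=${opts#*--inet=}; rest=${rest%% *}
                   # Assumption: a bare port means the loopback address.
                   case "$rest" in *:*) ;; *) rest="127.0.0.1:$rest" ;; esac
                   printf 'inet:%s\n' "$rest" ;;
        *) printf 'unknown\n'; return 1 ;;
    esac
}

# restriction_list MAINCF
# Prints smtpd_recipient_restrictions one entry per line.  Postfix treats
# lines starting with whitespace as continuations; entries may be separated
# by commas or whitespace.
restriction_list() {
    awk '
        /^smtpd_recipient_restrictions[ \t]*=/ { inlist = 1; sub(/^[^=]*=[ \t]*/, ""); if ($0 != "") print; next }
        inlist && /^[ \t]/ { sub(/^[ \t]+/, ""); print; next }
        inlist { inlist = 0 }
    ' "$1" | tr ',' '\n' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# check_maincf MAINCF EXPECTED_POLICY_ADDRESS
# Returns 0 and prints "ok" when permit_mynetworks is present, precedes the
# policy check, and the policy address matches the init script; otherwise
# prints each problem and returns 1.
check_maincf() {
    list=$(restriction_list "$1")
    expected=$2
    status=0
    pm=$(printf '%s\n' "$list" | grep -n '^permit_mynetworks$' | cut -d: -f1 | head -n 1)
    cps=$(printf '%s\n' "$list" | grep -n '^check_policy_service ' | cut -d: -f1 | head -n 1)
    if [ -z "$pm" ]; then
        echo "missing permit_mynetworks: clients in mynetworks (e.g. list traffic from 127.0.0.1) hit reject_unauth_destination"
        status=1
    fi
    if [ -z "$cps" ]; then
        echo "missing check_policy_service: postgrey is never consulted"
        status=1
    else
        actual=$(printf '%s\n' "$list" | sed -n "${cps}p" | awk '{ print $2 }')
        [ "$actual" = "$expected" ] || { echo "policy address $actual does not match init script ($expected)"; status=1; }
    fi
    if [ -n "$pm" ] && [ -n "$cps" ] && [ "$pm" -gt "$cps" ]; then
        echo "permit_mynetworks must come before check_policy_service"
        status=1
    fi
    [ "$status" -eq 0 ] && echo ok
    return "$status"
}

# Usage: compare the socket the RPM starts postgrey on with each main.cf.
ADDR=$(policy_address "$INIT_SAMPLE")
echo "init script implies: $ADDR"
check_maincf "$BAD_MAINCF" "$ADDR" || true
check_maincf "$GOOD_MAINCF" "$ADDR"
```

On a live host the same functions can be pointed at /etc/rc.d/init.d/postgrey and /etc/postfix/main.cf; `postconf -n` is the quicker way to read the effective restriction list, but parsing the file catches an edit that has not been reloaded yet.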


If there are any college students out there that are looking for
senior projects, there are two things that need to be done about
postfix.  First, postfix needs a friendly front-end configurator,
probably implemented as a set of web pages that you feed information
to, producing the /etc/postfix files.  Fully developed, that might
make a nifty web product for some mail-savvy company like Naked Ape;
choose a template, enter information, paypal $10, and download a
usable main.cf and other files.  A lot of templates to design,
sure, but over time nobody has to read the docs, the dove book,
or desperately google for keywords.

Secondly, postfix needs a simulator.  This could also be a website,
where you feed it some network description operation, the contents
of your /etc/postfix directory and a few other configs, then start
feeding the simulator fake mails on various spigots and see what
happens.  This would be more involved than the config generator,
but probably necessary to test it thoroughly.  One of the really
stupid things about postfix (like other MTAs, sigh) is how little
testing it permits; you pretty much have to take it live and run
an ad-hoc mail test script to make sure it is working - and then
a bunch of users get annoying test emails.  Ugly.  

Oh well.  At least postfix beats sendmail, and works fine if you
know what you are doing (myself not included, sigh).

Keith

-- 
Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
