On Thu, Jul 09, 2009 at 05:15:41PM -0400, Michael Orlitzky wrote: > Ignacio Garcia wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> Hi there. We use both postgrey and policyd-weight to block spam. >> policyd-weight checks against several RBL and DNSBL so each time a mail >> is received several queries are done in order to get a score. On the >> other side, we have a filter with postgrey that checks for EHLOs from >> plain IPs, and common names in rdns for residential connections >> (broadband|dyn|adsl|...), so we do not greylist everybody. Currently >> we've had policyd-weight do its work before postgrey. Running >> policyd-weight first means more dns queries (which are not all local), >> and running postgrey first means more local disk i/o since it has to run >> a list, although I guess it will not be that much. >> Does anybody has experience with them? Which one would you declare first >> in smtpd_recipient_restrictions? I should consider which one of these 2 >> perl scripts runs faster and uses less resources, and I don't know how. > > It depends on your configuration of both policyd-weight and Postgrey: you > want to perform the most cost-effective checks first. > > My guess would be that Postgrey is more cost-effective; that is, you should > place it first. However, you could easily have configured them the other > way around. > It is sort of like potAto/potAHto, but definitely put the most cost- effective check first. One data point, in our case we started with grey-listing(We use SQLgrey.) before policyd-weight using an analysis similar to yours. What we found is that the size of the connection table was much, much larger when grey-listing was first. In our case, that mattered because we were replicating the data to several redundant DBs to provide for fault-tolerance. Also, the checks that policyd-weight performs are cached and it shutdown heavy connection rate spam bots using cached data so the DNS overhead is very low. Changing the order to put policyd-weight first dropped the size of our grey-listing DB by an order of magnitude or more. Good luck, either way will work.
Cheers, Ken
