I recently implemented postfwd here to help with our smtp-auth spammer
problems.
On 12/21/2012 05:28 AM, Miha Valencic wrote:
> Hi!
>
> I sent a similar mail to the postfwd mailing list as well, but it seems
> that the list is very slow, and I could not find any archives on the net
> as well. With regards to postfwd, we're thinking about implementing
> postfwd in a large-scale environment. I searched the documentation and
> could not find some specific answers:
>
> 1) If we want to rate-limit every client, even the ones in
> "mynetworks", do we need to move mynetworks checks to postfwd, or just
> call postfwd from a different stage (i.e. end of data restrictions)?

We just call the policy service before we permit anything.

smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/overquota,
    .
    . < Some more reject lists >
    .
    check_policy_service inet:127.0.0.1:10061,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    .
    .
    .

> 2) How does postfwd handle multiple-server installations? Specifically,
> how are counters shared between servers? I noticed in the command line
> configuration options, that there are some settings related to cache,
> cache port, etc., but nothing documented enough so that I could see
> what it does exactly.

The counters are local to that instance of postfwd, but postfwd also
comes with hapolicyd which you can use to send all your queries to a
single postfwd instance (and fail over if there are any problems). See
http://postfwd.org/hapolicy/index.html

> 3) How does postfwd handle counters? For instance, in a rate limit
> scenario. If we have a rate limit of 10 recipients per minute. Does it
> really store the timestamps of messages so that it really knows
> whether the limit was exceeded? For instance, if I send 10 emails at
> 09:00:30 and then send 5 emails at 09:01:05, the limit should be hit.
> Or, if I send 2 emails every 12 seconds, the limit should not be hit.
> Does it perhaps use the 'token bucket' algorithm?

They're stored in a Perl hash. You can see the cache with
postfwd2 --dumpcache.

> 4) Are counters persistent? Meaning, do they survive the postfwd daemon
> restart?

Not by default. It looks like you can do this with --save-rates <file>,
but we don't currently.

Rich
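
Added example, not part of the original thread and not postfwd's code: question 3 turns on whether a limiter keeps per-recipient timestamps (sliding window) or one counter per clock minute (fixed window). The Python sketch below runs both over the two send patterns from the question, using the Postfix policy delegation request/reply format; the class names, the sample request and the DEFER_IF_PERMIT reply text are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed policy delegation request (name=value lines, then an empty line).
# Illustration only: this is not how postfwd is confirmed to count.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sasl_username=alice\n"
    "recipient=bob@example.org\n\n"
)

class SlidingWindow:
    """Keeps a timestamp per accepted recipient; exact over any 60 s span."""
    def __init__(self, limit=10, window=60):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)          # key -> accepted timestamps
    def allow(self, key, now):
        q = self.seen[key]
        while q and q[0] <= now - self.window:  # drop events older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

class FixedWindow:
    """One counter per key, reset when the clock enters a new window."""
    def __init__(self, limit=10, window=60):
        self.limit, self.window = limit, window
        self.count = {}                         # key -> (window index, count)
    def allow(self, key, now):
        idx = now // self.window
        start, n = self.count.get(key, (idx, 0))
        n = n if start == idx else 0            # new window: counter starts over
        if n >= self.limit:
            return False
        self.count[key] = (idx, n + 1)
        return True

def decide(limiter, request, now):
    """Parse one policy request and return the reply Postfix expects."""
    attrs = dict(l.split("=", 1) for l in request.splitlines() if "=" in l)
    # Key on the SASL login so clients in mynetworks are limited as well.
    key = attrs.get("sasl_username") or attrs.get("client_address", "unknown")
    ok = limiter.allow(key, now)
    return "action=DUNNO\n\n" if ok else "action=DEFER_IF_PERMIT rate limit exceeded\n\n"

def rejected(limiter, times):
    """Count deferred recipients for send times given in seconds after 09:00:00."""
    return sum("DEFER" in decide(limiter, SAMPLE_REQUEST, t) for t in times)
```

For the burst from the question (10 at 09:00:30, 5 at 09:01:05) the sliding window defers the last 5 recipients while the fixed window accepts all 15; 2 recipients every 12 seconds passes both.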