On 2013-08-04 7:30 PM, wie...@porcupine.org (Wietse Venema) wrote:
> Charles Marcus:
>> We are set up for performance with VRFY probes and by modifying
>> your postfix config file so postfix will not have a performance
>> issue by setting postfix option smtpd_soft_error_limit to be larger
>> than smtpd_hard_error_limit.
>
> That is nonsense, as demonstrated below:
>
> # postconf smtpd_hard_error_limit=1 smtpd_soft_error_limit=2
> # postfix reload
> # telnet 127.0.0.1 smtp
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 hades.porcupine.org ESMTP Postfix
> hello foo
> 502 5.5.2 Error: command not recognized
> 421 4.7.0 hades.porcupine.org Error: too many errors
> Connection closed by foreign host.
>
> These people never tested this recommendation, just like they
> never tested their software against Postfix or else they would
> have been aware of the smtpd_junk_command_limit feature.
>
> It should be safe to dumb down Postfix defenses, provided that
> no-one else can connect to your SMTP server.
Thanks Wietse,
After your hint I read up on this command at:
http://www.postfix.org/STRESS_README.html#legacy
but I'm still unsure how to implement this properly to address this
particular issue...
Would it be to lower the junk setting to 1? Would I also need to lower
the others (timeout and hard_error_limit)? Or maybe use different values?
> However given the poor quality assurance with respect to Postfix,
> I would be suspicious about the quality assurance of their code.
I understand. All I can say is that they are considerably more effective
than the last 2 or 3 solutions we have used (webroot, postini, then
maildistiller), and on top of that, they are 1/3 the cost. So, I'd like
to continue using them if I can eliminate these errors.
Also - I hate to ask (it isn't your job to do their job), but could you
suggest off the top of your head what they *should* be doing? Would
properly closing all VRFY probe connections really impact performance on
their side that much - especially if they are caching these responses
(so those wouldn't even need to be sent downstream to my server)? I
really hope I don't find out they aren't caching them for at least a few
hours to a day or so.
Thanks again,
Charles