Can I have input about this recommendation? Is there an unreasonable security risk? I think not, but I want to double-check.
On 02/28/2016 10:51 PM, Ruben Safir wrote:
> On 02/29/2016 01:34 AM, Mark Sapiro wrote:
>> I think we can fix your issue fairly simply.
>>
>> Please, as I asked in my reply at
>> <https://mail.python.org/pipermail/mailman-users/2016-February/080524.html>,
>> post the output from 'postconf -n' and the contents of mm_cfg.py.
>
>
> Sorry, I got mixed up. It's just probably the frustration. Everyone
> uses mailman, I don't know why I'm so stupid
>
>
> smtpd_recipient_restrictions = check_client_access
> hash:/etc/postfix/helo_client_exceptions check_sender_access
> hash:/etc/postfix/sender_checks, reject_invalid_hostname,
> reject_non_fqdn_hostname, reject_non_fqdn_sender,
> reject_non_fqdn_recipient, reject_unknown_sender_domain,
> reject_unknown_recipient_domain, permit_mynetworks,
> reject_unauth_destination, permit_mynetworks, reject_unauth_destination,
> reject_invalid_hostname, reject_non_fqdn_hostname,
> reject_non_fqdn_sender, reject_non_fqdn_recipient,
> reject_unknown_sender_domain, reject_unknown_recipient_domain,
> reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
> reject_rbl_client cbl.abuseat.org, permit

This is almost certainly your problem. All those checks take time,
especially if DNS is slow. If you send a message from a client and
Postfix takes 5 seconds to accept it, it's no big deal. If Mailman sends
to 10 or 20 recipients, and it takes Postfix a minute to respond, it
still may be no big deal unless another two posts arrive in that minute,
and so on until you have a big backlog.

I suggest that if you really want all those checks, that you set up a
separate port for Mailman to send to without all those rbl lookups and
recipient domain lookups. See below.

> vim /usr/lib/mailman/Mailman/mm_cfg.py
>
> ###############################################
> # Here's where we get the distributed defaults.
>
> from Defaults import *
>
> ##################################################
> # Put YOUR site-specific settings below this line.
> DEFAULT_URL_PATTERN = 'http://%s/mailman/'
> DEFAULT_NNTP_HOST = 'www.mrbrklyn.com'
> DEFAULT_EMAIL_HOST = 'nylxs.com'
> DEFAULT_URL_HOST = 'www.nylxs.com'
> MTA = 'Postfix'
> POSTFIX_ALIAS_CMD = '/usr/sbin/postalias'
> POSTFIX_MAP_CMD = '/usr/sbin/postmap'
> DELIVERY_MODULE = 'SMTPDirect'
> SMTPHOST = 'mrbrklyn.com'
> SMTPPORT = '25'

Here's where I'm suggesting changes. Pick a port, say 8000, although it
could be anything that doesn't conflict. Then change the above to

SMTPHOST = '127.0.0.1'
SMTPPORT = 8000

(don't quote the port - it's a number, not a string)

Also, while you're at it, I suggest adding

VERP_PASSWORD_REMINDERS = Yes
VERP_PERSONALIZED_DELIVERIES = Yes
VERP_DELIVERY_INTERVAL = 1

for more reliable bounce processing. But, see below for changes to
Postfix master.cf that you must make first.

> add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
> add_virtualhost('lists.mrbrklyn.com', 'mrbrklyn.com')
> IMAGE_LOGOS = '/mailmanicons/'
>
>
>
> There is another one in apache:
> I don't know if it is being used.
> vim /usr/local/apache/conf/mailman/Mailman/mm_cfg.py

No, that shouldn't be used.

In Postfix master.cf add the following stanza

127.0.0.1:8000 inet n - - - - smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o mynetworks=127.0.0.0/8
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_data_restrictions=

Make this addition to Postfix master.cf and reload Postfix. Only after
you've done that and Postfix is listening on the loopback interface port
8000, make the changes to mm_cfg.py and restart Mailman.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com
Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013
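The question in this thread is whether the loopback-only submission port Mark recommends is safe. As an added example (not code from the thread, Mailman or Postfix), this Python snippet parses that master.cf stanza and checks the three properties that keep it from becoming an open relay: the socket binds a loopback address, mynetworks stays loopback-only, and smtpd_recipient_restrictions ends in reject with permit_mynetworks as its only permit. The stanza text is a constructed copy used as sample input.

```python
import ipaddress
import shlex

# Constructed copy of the master.cf stanza recommended in the thread, used
# here as sample input (assumption: pasted exactly as posted).
MAILMAN_STANZA = """\
127.0.0.1:8000 inet n - - - - smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o mynetworks=127.0.0.0/8
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_data_restrictions=
"""

def parse_stanza(text):
    """Return (host, port, overrides) for one inet-type smtpd entry from master.cf."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    # Service line fields: name type private unpriv chroot wakeup maxproc command
    fields = lines[0].split()
    if len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd":
        raise ValueError("not an inet smtpd service line: %r" % lines[0])
    host, _, port = fields[0].rpartition(":")  # empty host means every interface
    overrides = {}
    for toks in (shlex.split(l) for l in lines[1:]):  # "-o name=value" continuation lines
        for i, tok in enumerate(toks):
            if tok == "-o" and i + 1 < len(toks):
                key, _, val = toks[i + 1].partition("=")
                overrides[key] = val
    return host, int(port), overrides

def relay_exposure(text):
    """List the ways this listener could accept relay from a non-local client."""
    host, _, o = parse_stanza(text)
    problems = []
    # The socket itself must be on a loopback address, not on every interface.
    if not host or not ipaddress.ip_address(host).is_loopback:
        problems.append("listener bound to %r, not a loopback address" % host)
    # permit_mynetworks is the only permit rule, so mynetworks must stay loopback-only.
    nets = o.get("mynetworks", "").replace(",", " ").split()
    if not nets or not all(ipaddress.ip_network(n, strict=False).is_loopback for n in nets):
        problems.append("mynetworks=%r is not loopback-only" % o.get("mynetworks", ""))
    # Recipient restrictions must end in an explicit reject and permit nothing else.
    rules = [r.strip() for r in o.get("smtpd_recipient_restrictions", "").split(",") if r.strip()]
    if not rules or rules[-1] != "reject":
        problems.append("smtpd_recipient_restrictions does not end with reject")
    if any(r.startswith("permit") and r != "permit_mynetworks" for r in rules):
        problems.append("smtpd_recipient_restrictions permits more than mynetworks")
    return problems
```

An empty problem list means only processes on the host itself can submit through port 8000, which is what Mailman's SMTPHOST = '127.0.0.1' relies on.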