On Mon, Feb 29, 2016 at 09:41:39AM +0100, Christian Kivalo wrote:
> On 2016-02-29 08:43, Ruben Safir wrote:
> >Can I have input about this recommendation? Is there unreasonable
> >security
> >risk? I think not, but I want to double check
>
> That looks sensible. That comes near to the configuration I use for
> my mailman installation.
>
> You should not do rbl checks on the mailman -> postfix reinject.
> Do that when you accept mail from external sources via port 25 in
> e.g. postscreen and afterwards.
>
> To have mailman reinject on an extra port on localhost is how it
> should be done.
Thanks!

> >On 02/28/2016 10:51 PM, Ruben Safir wrote:
> >>On 02/29/2016 01:34 AM, Mark Sapiro wrote:
> >>>I think we can fix your issue fairly simply.
> >>>
> >>>Please, as I asked in my reply at
> >>><https://mail.python.org/pipermail/mailman-users/2016-February/080524.html>,
> >>>post the output from 'postconf -n' and the contents of mm_cfg.py.
> >>
> >>
> >>Sorry, I got mixed up. It's just probably the frustration. Everyone
> >>uses mailman, I don't know why I'm so stupid
> >>
> >>
> >
> >>smtpd_recipient_restrictions = check_client_access
> >>hash:/etc/postfix/helo_client_exceptions check_sender_access
> >>hash:/etc/postfix/sender_checks, reject_invalid_hostname,
> >>reject_non_fqdn_hostname, reject_non_fqdn_sender,
> >>reject_non_fqdn_recipient, reject_unknown_sender_domain,
> >>reject_unknown_recipient_domain, permit_mynetworks,
> >>reject_unauth_destination, permit_mynetworks,
> >>reject_unauth_destination,
> >>reject_invalid_hostname, reject_non_fqdn_hostname,
> >>reject_non_fqdn_sender, reject_non_fqdn_recipient,
> >>reject_unknown_sender_domain, reject_unknown_recipient_domain,
> >>reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
> >>reject_rbl_client cbl.abuseat.org, permit
> >
> >
> >This is almost certainly your problem. All those checks take time,
> >especially if DNS is slow. If you send a message from a client and
> >Postfix takes 5 seconds to accept it, it's no big deal. If Mailman
> >sends
> >to 10 or 20 recipients, and it takes Postfix a minute to respond, it
> >still may be no big deal unless another two posts arrive in that minute
> >, and so on until you have a big backlog.
> >
> >I suggest that if you really want all those checks, that you set up a
> >separate port for Mailman to send to without all those rbl lookups and
> >recipient domain lookups. See below.
> >
> >
> >>vim /usr/lib/mailman/Mailman/mm_cfg.py
> >>
> >>###############################################
> >># Here's where we get the distributed defaults.
> >>
> >>from Defaults import *
> >>
> >>##################################################
> >># Put YOUR site-specific settings below this line.
> >>DEFAULT_URL_PATTERN = 'http://%s/mailman/'
> >>DEFAULT_NNTP_HOST = 'www.mrbrklyn.com'
> >>DEFAULT_EMAIL_HOST = 'nylxs.com'
> >>DEFAULT_URL_HOST = 'www.nylxs.com'
> >>MTA = 'Postfix'
> >>POSTFIX_ALIAS_CMD = '/usr/sbin/postalias'
> >>POSTFIX_MAP_CMD = '/usr/sbin/postmap'
> >>DELIVERY_MODULE = 'SMTPDirect'
> >>SMTPHOST = 'mrbrklyn.com'
> >>SMTPPORT = '25'
> >
> >
> >Here's where I'm suggesting changes. Pick a port, say 8000, although it
> >could be anything that doesn't conflict.
> >
> >Then change the above to
> >
> >SMTPHOST = '127.0.0.1'
> >SMTPPORT = 8000
> >
> >(don't quote the port - it's a number, not a string)
> >
> >Also, while you're at it I suggest adding
> >
> >VERP_PASSWORD_REMINDERS = Yes
> >VERP_PERSONALIZED_DELIVERIES = Yes
> >VERP_DELIVERY_INTERVAL = 1
> >
> >for more reliable bounce processing.
> >
> >But, see below for changes to Postfix master.cf that you must make
> >first.
> >
> >>add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
> >>add_virtualhost('lists.mrbrklyn.com', 'mrbrklyn.com')
> >>IMAGE_LOGOS = '/mailmanicons/'
> >>
> >>
> >>
> >>There is another one in apache:
> >>I don't know if it is being used.
> >>vim /usr/local/apache/conf/mailman/Mailman/mm_cfg.py
> >
> >No, that shouldn't be used.
> >
> >
> >In Postfix master.cf add the following stanza
> >
> >127.0.0.1:8000 inet n - - - - smtpd
> > -o smtpd_authorized_xforward_hosts=127.0.0.0/8
> > -o mynetworks=127.0.0.0/8
> > -o smtpd_recipient_restrictions=permit_mynetworks,reject
> > -o smtpd_client_restrictions=
> > -o smtpd_helo_restrictions=
> > -o smtpd_sender_restrictions=
> > -o smtpd_data_restrictions=
> >
> >Make this addition to Postfix master.cf and reload Postfix. Only after
> >you've done that and Postfix is listening on the loopback
> >interface port
> >8000, make the changes to mm_cfg.py and restart Mailman.
> >
> >
> >--
> >Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
> >San Francisco Bay Area, California    better use your sense - B. Dylan
> >
> >
> >
> >--
> >So many immigrant groups have swept through our town
> >that Brooklyn, like Atlantis, reaches mythological
> >proportions in the mind of the world - RI Safir 1998
> >http://www.mrbrklyn.com
> >
> >DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
> >http://www.nylxs.com - Leadership Development in Free Software
> >http://www2.mrbrklyn.com/resources - Unpublished Archive
> >http://www.coinhangout.com - coins!
> >http://www.brooklyn-living.com
> >
> >Being so tracked is for FARM ANIMALS and extermination camps,
> >but incompatible with living as a free human being. -RI Safir 2013
>
> --
> Christian Kivalo
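An added audit script, not from this thread nor part of Mailman or Postfix, that parses the master.cf stanza Mark suggests and checks it against the point Christian makes: the reinjection listener should bind only to loopback, relay only for loopback, and carry none of the main.cf restriction chains (with their RBL and DNS lookups); it also cross-checks that mm_cfg.py's SMTPPORT is an unquoted integer matching the listener port. The function names and the finding messages are my own; the stanza text is the one quoted above.

```python
import ipaddress
import re

# Constructed sample: the master.cf stanza Mark suggests in the thread above.
MASTER_CF_STANZA = """\
127.0.0.1:8000 inet n - - - - smtpd
 -o smtpd_authorized_xforward_hosts=127.0.0.0/8
 -o mynetworks=127.0.0.0/8
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o smtpd_client_restrictions=
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_data_restrictions=
"""
def parse_stanza(text):
    """Parse one inet smtpd stanza: returns (bind_host, port, {-o key: value})."""
    lines = text.strip().splitlines()
    host, port = lines[0].split()[0].rsplit(":", 1)
    overrides = {}
    for line in lines[1:]:  # continuation lines start with whitespace
        m = re.match(r"\s+-o\s+([^=\s]+)=(.*)$", line)
        if m:
            overrides[m.group(1)] = m.group(2).strip()
    return host, int(port), overrides

def audit_reinject_listener(text):
    """Return findings (empty == OK): loopback-only bind and relay, main.cf chains cleared."""
    host, port, o = parse_stanza(text)
    findings = []
    if not ipaddress.ip_address(host).is_loopback:
        findings.append("listener bound to %s, not loopback" % host)
    nets = o.get("mynetworks", "").replace(",", " ").split()
    if not nets or not all(ipaddress.ip_network(n, strict=False).is_loopback for n in nets):
        findings.append("mynetworks override is not loopback-only")
    if o.get("smtpd_recipient_restrictions") != "permit_mynetworks,reject":
        findings.append("smtpd_recipient_restrictions must be permit_mynetworks,reject")
    for key in ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                "smtpd_sender_restrictions", "smtpd_data_restrictions"):
        if o.get(key) != "":  # absent means the main.cf chain (RBL lookups and all) applies
            findings.append("%s not cleared on the reinject listener" % key)
    return findings

def check_mm_cfg_port(mm_cfg_text, listener_port):
    """SMTPPORT must be an unquoted int matching the listener; returns a finding or None."""
    m = re.search(r"^SMTPPORT\s*=\s*(\S+)", mm_cfg_text, re.M)
    value = m.group(1) if m else ""
    if value[:1] in ("'", '"', ""):  # quoted string or missing, as Mark warns against
        return "SMTPPORT missing or quoted; write SMTPPORT = %d" % listener_port
    return None if int(value) == listener_port else "SMTPPORT %s != listener port %d" % (value, listener_port)
```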