On my new Postfix 2.10 system incoming mail is slow to process (about
15 seconds end to end), and I think it is mainly because DNS queries
are slowing things down.
The server runs local caching DNS BIND, so it's as quick as I can get
it on the slow Internet connection we are on.
At the moment it seems like every step along the inbound email process
is doing separate DNSBL lookups, and I'm wondering if this can be
streamlined.
Postscreen runs first and takes pretty much 6 seconds every time:
May 1 18:19:20 emp07 postfix/postscreen[28420]: CONNECT from [64.20.227.131]:57512 to [192.168.1.235]:25
May 1 18:19:26 emp07 postfix/postscreen[28420]: PASS NEW [64.20.227.131]:57512
Postscreen is using (threshold 3):
zen.spamhaus.org*3
bl.mailspike.net*2
b.barracudacentral.org*2
bl.spameatingmonkey.net
bl.spamcop.net
dnsbl.sorbs.net
hostkarma.junkemailfilter.com=127.0.0.2
hostkarma.junkemailfilter.com=127.0.0.4
hostkarma.junkemailfilter.com=127.0.1.2
psbl.surriel.com
swl.spamhaus.org*-4
list.dnswl.org=127.0.[2..15].0*-2
list.dnswl.org=127.0.[2..15].1*-3
list.dnswl.org=127.0.[2..15].[2..3]*-4
wl.mailspike.net=127.0.0.[17;18]*-1
wl.mailspike.net=127.0.0.[19;20]*-2
hostkarma.junkemailfilter.com=127.0.0.1*-1
(Yes I've checked them all, including 'registering' where necessary
for some of those).
Some of them register a response in the logs - are the rest timing out?
May 1 18:38:30 emp07 postfix/postscreen[29413]: CONNECT from [64.20.227.134]:60378 to [192.168.1.235]:25
May 1 18:38:30 emp07 postfix/dnsblog[29423]: addr 64.20.227.134 listed by domain hostkarma.junkemailfilter.com as 127.0.0.1
May 1 18:38:30 emp07 postfix/dnsblog[29423]: addr 64.20.227.134 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
May 1 18:38:30 emp07 postfix/dnsblog[29418]: addr 64.20.227.134 listed by domain list.dnswl.org as 127.0.3.1
May 1 18:38:31 emp07 postfix/dnsblog[29421]: addr 64.20.227.134 listed by domain dnsbl.sorbs.net as 127.0.0.7
May 1 18:38:36 emp07 postfix/postscreen[29413]: PASS NEW [64.20.227.134]:60378
Then Postfix smtpd takes 3 to 4 seconds to get to 'cleanup' stage,
including an SPF-policy lookup and a reject_rbl_client
zen.spamhaus.org line.
Then amavisd-new runs, and spamassassin does more BL lookups,
including on URIs in the email (3 or 4 seconds there too).
End result is 15 seconds or so end to end before it gets delivered.
Most of the time this is fine, the server is low volume. However it
got me thinking about all the separate DNS lookups...
1. Would postscreen lose much effectiveness by taking some of the lookups out?
2. Is the reject_rbl_client zen.spamhaus.org doing anything when
postscreen has already done a zen.spamhaus lookup?
3. Any other ways to speed it up, or should I accept the trade-off
between speed and accuracy of result?
4. Is it worth running postscreen in more detailed (verbose?) mode to
see what it is doing?
Simon.
--
Simon Wilson
M: 0400 12 11 16
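
Added example, not part of the original post: a small Python script that applies the postscreen_dnsbl_sites list and threshold quoted above to the dnsblog lines quoted above, to show which entries actually contribute to the client's score. The function names are hypothetical, the log lines are the post's own with the mail-client wrapping re-joined, and the scoring model (each entry adds its weight once when any returned A record matches its filter) is an assumption based on the documented postscreen_dnsbl_sites syntax.

```python
import re

# postscreen_dnsbl_sites entries and threshold as listed in the post.
THRESHOLD = 3
SITES = """
zen.spamhaus.org*3 bl.mailspike.net*2 b.barracudacentral.org*2
bl.spameatingmonkey.net bl.spamcop.net dnsbl.sorbs.net
hostkarma.junkemailfilter.com=127.0.0.2 hostkarma.junkemailfilter.com=127.0.0.4
hostkarma.junkemailfilter.com=127.0.1.2 psbl.surriel.com swl.spamhaus.org*-4
list.dnswl.org=127.0.[2..15].0*-2 list.dnswl.org=127.0.[2..15].1*-3
list.dnswl.org=127.0.[2..15].[2..3]*-4 wl.mailspike.net=127.0.0.[17;18]*-1
wl.mailspike.net=127.0.0.[19;20]*-2 hostkarma.junkemailfilter.com=127.0.0.1*-1
""".split()
# dnsblog lines from the post, re-joined where the mail client wrapped them.
LOG = """\
May 1 18:38:30 emp07 postfix/dnsblog[29423]: addr 64.20.227.134 listed by domain hostkarma.junkemailfilter.com as 127.0.0.1
May 1 18:38:30 emp07 postfix/dnsblog[29423]: addr 64.20.227.134 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
May 1 18:38:30 emp07 postfix/dnsblog[29418]: addr 64.20.227.134 listed by domain list.dnswl.org as 127.0.3.1
May 1 18:38:31 emp07 postfix/dnsblog[29421]: addr 64.20.227.134 listed by domain dnsbl.sorbs.net as 127.0.0.7
"""

ENTRY = re.compile(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?$")  # domain[=filter][*weight]
LISTED = re.compile(r"dnsblog\[\d+\]: addr (\S+) listed by domain (\S+) as (\S+)")

def octet_matches(pattern, value):
    """Match one octet against a plain number or a [a;b;c..d] set."""
    ranges = [p.partition("..") for p in pattern.strip("[]").split(";")]
    return any(int(lo) <= value <= int(hi or lo) for lo, _, hi in ranges)

def filter_matches(filt, reply):
    """True if the A record satisfies the filter; no filter accepts any reply."""
    patterns = re.findall(r"\[[^\]]*\]|\d+", filt or "")
    octets = [int(o) for o in reply.split(".")]
    return filt is None or (len(patterns) == len(octets) == 4
                            and all(map(octet_matches, patterns, octets)))

def score(log_text, client):
    """Return (total, [(entry, weight), ...]) for one client IP."""
    replies = {}
    for addr, domain, reply in LISTED.findall(log_text):
        if addr == client:
            replies.setdefault(domain, set()).add(reply)
    hits = []
    for entry in SITES:
        domain, filt, weight = ENTRY.match(entry).groups()
        if any(filter_matches(filt, r) for r in replies.get(domain, ())):
            hits.append((entry, int(weight or 1)))
    return sum(w for _, w in hits), hits

print(score(LOG, "64.20.227.134"), "threshold:", THRESHOLD)
```

Under this model the hostkarma reply 127.0.1.1 matches none of the configured hostkarma filters, so it is logged by dnsblog without changing the score.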