----- Message from Simon Wilson <si...@simonandkate.net> ---------
    Date: Mon, 01 May 2017 18:43:41 +1000
    From: Simon Wilson <si...@simonandkate.net>
Reply-To: si...@simonandkate.net
 Subject: Optimising new system and postscreen questions
      To: Postfix users <postfix-users@postfix.org>


On my new Postfix 2.10 system incoming mail is slow to process (about 15 seconds end to end), and I think it is mainly because DNS queries are slowing things down.

The server runs local caching DNS BIND, so it's as quick as I can get it on the slow Internet connection we are on.

At the moment it seems like every step along the inbound email process is doing separate DNSBL lookups, and I'm wondering if this can be streamlined.

Postscreen runs first and takes pretty much 6 seconds every time:

May 1 18:19:20 emp07 postfix/postscreen[28420]: CONNECT from [64.20.227.131]:57512 to [192.168.1.235]:25
May 1 18:19:26 emp07 postfix/postscreen[28420]: PASS NEW [64.20.227.131]:57512

Postscreen is using (threshold 3):

        zen.spamhaus.org*3
        bl.mailspike.net*2
        b.barracudacentral.org*2
        bl.spameatingmonkey.net
        bl.spamcop.net
        dnsbl.sorbs.net
        hostkarma.junkemailfilter.com=127.0.0.2
        hostkarma.junkemailfilter.com=127.0.0.4
        hostkarma.junkemailfilter.com=127.0.1.2
        psbl.surriel.com
        swl.spamhaus.org*-4
        list.dnswl.org=127.0.[2..15].0*-2
        list.dnswl.org=127.0.[2..15].1*-3
        list.dnswl.org=127.0.[2..15].[2..3]*-4
        wl.mailspike.net=127.0.0.[17;18]*-1
        wl.mailspike.net=127.0.0.[19;20]*-2
        hostkarma.junkemailfilter.com=127.0.0.1*-1

(Yes I've checked them all, including 'registering' where necessary for some of those).

Some of them register response in the logs - are the rest timing out?

May 1 18:38:30 emp07 postfix/postscreen[29413]: CONNECT from [64.20.227.134]:60378 to [192.168.1.235]:25
May 1 18:38:30 emp07 postfix/dnsblog[29423]: addr 64.20.227.134 listed by domain hostkarma.junkemailfilter.com as 127.0.0.1
May 1 18:38:30 emp07 postfix/dnsblog[29423]: addr 64.20.227.134 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
May 1 18:38:30 emp07 postfix/dnsblog[29418]: addr 64.20.227.134 listed by domain list.dnswl.org as 127.0.3.1
May 1 18:38:31 emp07 postfix/dnsblog[29421]: addr 64.20.227.134 listed by domain dnsbl.sorbs.net as 127.0.0.7
May 1 18:38:36 emp07 postfix/postscreen[29413]: PASS NEW [64.20.227.134]:60378


Then Postfix smtpd takes 3 to 4 seconds to get to 'cleanup' stage, including an SPF-policy lookup and a reject_rbl_client zen.spamhaus.org line.

Then amavisd-new runs, and spamassassin does more BL lookups, including on URIs in the email (3 or 4 seconds there too).

End result is 15 seconds or so end to end before it gets delivered.

Most of the time this is fine, the server is low volume. However it got me thinking about all the separate DNS lookups...

1. Would postscreen lose much effectiveness by taking some of the lookups out?
2. Is the reject_rbl_client zen.spamhaus.org doing anything when postscreen has already done a zen.spamhaus lookup?
3. Any other ways to speed it up, or should I accept the trade-off between speed and accuracy of result?
4. Is it worth running postscreen in more detailed (verbose?) mode to see what it is doing?

Simon.


I just realised postscreen_greet_wait (default: normal: 6s, overload: 2s) will be the postscreen 6 seconds, as I have not over-ridden the default.

So that answers question 4... it's done the lookups, printed the results it got, and is now doing the postscreen_greet_wait.

Simon

--
Simon Wilson
M: 0400 12 11 16
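
Added example, not part of the original post and not Postfix code: a simplified Python model of how the weighted postscreen DNSBL entries listed above combine with the dnsblog replies in the second log excerpt. It assumes each entry's weight counts at most once when any reply matches its filter; the function names are this example's own.

```python
import re

# postscreen_dnsbl_sites entries and threshold, as listed in the post.
SITES = """zen.spamhaus.org*3 bl.mailspike.net*2 b.barracudacentral.org*2
bl.spameatingmonkey.net bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com
hostkarma.junkemailfilter.com=127.0.0.2 hostkarma.junkemailfilter.com=127.0.0.4
hostkarma.junkemailfilter.com=127.0.1.2 swl.spamhaus.org*-4
list.dnswl.org=127.0.[2..15].0*-2 list.dnswl.org=127.0.[2..15].1*-3
list.dnswl.org=127.0.[2..15].[2..3]*-4 wl.mailspike.net=127.0.0.[17;18]*-1
wl.mailspike.net=127.0.0.[19;20]*-2 hostkarma.junkemailfilter.com=127.0.0.1*-1""".split()
THRESHOLD = 3

# dnsblog replies for 64.20.227.134, copied from the post's second log excerpt.
LOG = """addr 64.20.227.134 listed by domain hostkarma.junkemailfilter.com as 127.0.0.1
addr 64.20.227.134 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
addr 64.20.227.134 listed by domain list.dnswl.org as 127.0.3.1
addr 64.20.227.134 listed by domain dnsbl.sorbs.net as 127.0.0.7"""

def parse_entry(entry):
    """Split 'domain[=filter][*weight]' into (domain, filter, weight)."""
    m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", entry)
    return m[1], m[2], int(m[3] or 1)  # weight defaults to 1 when omitted

def octet_matches(pattern, octet):
    """Match one octet against 'n', '[a..b]' or '[a;b]'."""
    ranges = (p.partition("..") for p in pattern.strip("[]").split(";"))
    return any(int(lo) <= int(octet) <= int(hi or lo) for lo, _, hi in ranges)

def reply_matches(filt, addr):
    """True if a reply satisfies the entry's filter; no filter accepts any reply."""
    fields = re.findall(r"\[[^\]]*\]|\d+", filt or "")  # keep '[2..15]' whole
    return all(octet_matches(p, o) for p, o in zip(fields, addr.split(".")))

def replies_from_log(log):
    """Collect {domain: {reply addresses}} from dnsblog lines."""
    replies = {}
    for domain, addr in re.findall(r"listed by domain (\S+) as (\S+)", log):
        replies.setdefault(domain, set()).add(addr)
    return replies

def score(sites, replies):
    """Add each entry's weight once if any reply matches (assumed rule)."""
    return sum(w for d, f, w in map(parse_entry, sites)
               if any(reply_matches(f, a) for a in replies.get(d, ())))

if __name__ == "__main__":
    total = score(SITES, replies_from_log(LOG))
    print(total, "meets threshold" if total >= THRESHOLD else "below threshold")
```

For the logged client this model gives -3, below the threshold of 3, which agrees with the PASS NEW line.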
