Re: I've inherited a botnet target

2010-05-27 Thread Noel Jones
On 5/26/2010 8:21 PM, LuKreme wrote: On 26-May-2010, at 17:01, Noel Jones wrote: On 5/26/2010 5:34 PM, LuKreme wrote: postscreen is currently available in the postfix 2.8 snapshots. Instructions for activating postscreen are included in the RELEASE_NOTES. eg. http://postfix.energybeam.co

Re: I've inherited a botnet target

2010-05-27 Thread Ralf Hildebrandt
* Nataraj : > How does rate limiting work in conjunction with postscreen? Just like without postscreen -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155

Re: I've inherited a botnet target

2010-05-27 Thread Ralf Hildebrandt
* LuKreme : > It's in 2.7 only, yes? I'm still running 2.6. It's in the snapshots > Just add: > > postscreen_dnsbl_sites zen.spamhous.org > > To a 2.7 config? No, you really have to read the README, since there are changes to master.cf as well! -- Ralf Hildebrandt Geschäftsbereich IT | A

Re: I've inherited a botnet target

2010-05-26 Thread Stan Hoeppner
Nataraj put forth on 5/26/2010 10:06 PM: > How does rate limiting work in conjunction with postscreen? Can the > various rate limits be applied to postscreen or would rate limiting no > longer be necessary. I run in a vmware virtual machine which used to > fall on its knees from both bot and snow

Re: I've inherited a botnet target

2010-05-26 Thread Nataraj
Stan Hoeppner wrote: brian put forth on 5/26/2010 8:28 PM: On 10-05-26 09:03 PM, Stan Hoeppner wrote: brian put forth on 5/26/2010 1:53 PM: FWIW, aside from aliases for the usual postmaster, abuse, and webmaster addresses, this domain has just 2 actual addresses to be maintaine

Re: I've inherited a botnet target

2010-05-26 Thread Stan Hoeppner
brian put forth on 5/26/2010 8:28 PM: > On 10-05-26 09:03 PM, Stan Hoeppner wrote: >> brian put forth on 5/26/2010 1:53 PM: >> >>> FWIW, aside from aliases for the usual postmaster, abuse, and webmaster >>> addresses, this domain has just 2 actual addresses to be maintained. So, >>> might a whiteli

Re: I've inherited a botnet target

2010-05-26 Thread brian
On 10-05-26 06:27 PM, LuKreme wrote: On 26-May-2010, at 14:12, brian wrote: I'll give all that a try. Does this order seem alright? No, not really. smtpd_recipient_restrictions = permit_mynetworks, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn

Re: I've inherited a botnet target

2010-05-26 Thread brian
On 10-05-26 09:03 PM, Stan Hoeppner wrote: brian put forth on 5/26/2010 1:53 PM: FWIW, aside from aliases for the usual postmaster, abuse, and webmaster addresses, this domain has just 2 actual addresses to be maintained. So, might a whitelist approach be the way to go? Or, is this something i

Re: I've inherited a botnet target

2010-05-26 Thread LuKreme
On 26-May-2010, at 17:01, Noel Jones wrote: > > On 5/26/2010 5:34 PM, LuKreme wrote: >> On 26-May-2010, at 14:28, Matt Hayes wrote: >>> >>> postscreen doesn't require you to use RBL's during its checks, however, >>> you have the ability to do so. The nice thing about doing RBL checks in >>> post

Re: I've inherited a botnet target

2010-05-26 Thread Stan Hoeppner
Noel Jones put forth on 5/26/2010 3:56 PM: > Use ps or top to see how much RAM each smtpd uses, guesstimate from > there. If system swaps, reduce. > Postscreen will help with this, since a single postscreen process can > handle thousands of connections. To lower memory consumption on your VPS, y

Re: I've inherited a botnet target

2010-05-26 Thread Stan Hoeppner
brian put forth on 5/26/2010 1:53 PM: > FWIW, aside from aliases for the usual postmaster, abuse, and webmaster > addresses, this domain has just 2 actual addresses to be maintained. So, > might a whitelist approach be the way to go? Or, is this something i > should leave to iptables/fail2ban? Ca

Re: I've inherited a botnet target

2010-05-26 Thread Noel Jones
On 5/26/2010 5:34 PM, LuKreme wrote: On 26-May-2010, at 14:28, Matt Hayes wrote: postscreen doesn't require you to use RBL's during its checks, however, you have the ability to do so. The nice thing about doing RBL checks in postscreen is it stops connections from getting to the SMTPD, thus re

Re: I've inherited a botnet target

2010-05-26 Thread LuKreme
On 26-May-2010, at 14:28, Matt Hayes wrote: > > postscreen doesn't require you to use RBL's during its checks, however, > you have the ability to do so. The nice thing about doing RBL checks in > postscreen is it stops connections from getting to the SMTPD, thus > reducing system load. Ah. Need

Re: I've inherited a botnet target

2010-05-26 Thread LuKreme
On 26-May-2010, at 14:12, brian wrote: > > I'll give all that a try. Does this order seem alright? No, not really. > smtpd_recipient_restrictions = > permit_mynetworks, > reject_unlisted_recipient, > reject_invalid_hostname, > reject_non_fqdn_hostname, > reject_non_fqdn_recipient, > reject

Re: I've inherited a botnet target

2010-05-26 Thread Nataraj
Nataraj wrote: brian wrote: On 10-05-26 03:55 PM, Noel Jones wrote: Some random suggestions... Use a bogus MX record for the old domain if that domain has no valid mail recipients. Of course, some bots will connect to your A record anyway... OK, I like the sound of that. Per your other emai

Re: I've inherited a botnet target

2010-05-26 Thread Noel Jones
On 5/26/2010 3:12 PM, brian wrote: On 10-05-26 03:55 PM, Noel Jones wrote: Some random suggestions... Use a bogus MX record for the old domain if that domain has no valid mail recipients. Of course, some bots will connect to your A record anyway... OK, I like the sound of that. Per your othe

Re: I've inherited a botnet target

2010-05-26 Thread Nataraj
brian wrote: On 10-05-26 03:55 PM, Noel Jones wrote: Some random suggestions... Use a bogus MX record for the old domain if that domain has no valid mail recipients. Of course, some bots will connect to your A record anyway... OK, I like the sound of that. Per your other email, I think I did

Re: I've inherited a botnet target

2010-05-26 Thread Matt Hayes
On 5/26/2010 4:32 PM, Ralf Hildebrandt wrote: > * Matt Hayes : > >> postscreen doesn't require you to use RBL's during its checks, > > Ah yes, the earlytalking and all. > >> however, you have the ability to do so. The nice thing about doing RBL >> checks in postscreen is it stops connections f

Re: I've inherited a botnet target

2010-05-26 Thread Ralf Hildebrandt
* Matt Hayes : > postscreen doesn't require you to use RBL's during its checks, Ah yes, the earlytalking and all. > however, you have the ability to do so. The nice thing about doing RBL > checks in postscreen is it stops connections from getting to the SMTPD, > thus reducing system load. Tha

Re: I've inherited a botnet target

2010-05-26 Thread Matt Hayes
On 5/26/2010 4:21 PM, Ralf Hildebrandt wrote: > * brian : >> On 10-05-26 03:31 PM, Matt Hayes wrote: >>> >>> I wonder if using something like postscreen from the 2.8-snapshots would >>> help to curtail some of the resource usage. >>> >> >> Thanks, I'll check it out. However, I'd feel more optimisti

Re: I've inherited a botnet target

2010-05-26 Thread Wietse Venema
Jan-Kaspar Münnich: > On 26.05.2010, at 21:01, Matt Hayes wrote: > > >> Is there > >> something more I can do to mitigate the stress on the server? > > > > You could look into using RBLs such as spamhaus etc. > > In general RBLs work fine against these dictionary attacks. But > in this special c

Re: I've inherited a botnet target

2010-05-26 Thread Ralf Hildebrandt
* "Jan-Kaspar Münnich" : > In general RBLs work fine against these dictionary attacks. But in this > special case where not one address exists at the targeted domain, I > doubt that RBLs would decrease server load, since that would add one > more DNS lookup. I wouldn't see a big problem there, eve

Re: I've inherited a botnet target

2010-05-26 Thread Ralf Hildebrandt
* brian : > On 10-05-26 03:31 PM, Matt Hayes wrote: > > > >I wonder if using something like postscreen from the 2.8-snapshots would > >help to curtail some of the resource usage. > > > > Thanks, I'll check it out. However, I'd feel more optimistic about it > if it was named prescreen ;-) It's pos

Re: I've inherited a botnet target

2010-05-26 Thread Ralf Hildebrandt
* brian : > Correct. The SPAM problem is not directed at legitimate accounts > (yet). All of these rejections are for fictitious accounts under the > .com domain. I don't want to accept anything at all for that domain. > However, I must keep the domain pointed at this new server in order > to catc

Re: I've inherited a botnet target

2010-05-26 Thread brian
On 10-05-26 03:55 PM, Noel Jones wrote: Some random suggestions... Use a bogus MX record for the old domain if that domain has no valid mail recipients. Of course, some bots will connect to your A record anyway... OK, I like the sound of that. Per your other email, I think I did, a long time

Re: I've inherited a botnet target

2010-05-26 Thread Noel Jones
On 5/26/2010 2:50 PM, brian wrote: On 10-05-26 03:43 PM, Ansgar Wiechers wrote: On 2010-05-26 brian wrote: On 10-05-26 03:24 PM, Ansgar Wiechers wrote: On 2010-05-26 Ralf Hildebrandt wrote: Shouldn't you use at least ONE RBL? Probably wouldn't hurt, but unless he's trying to fight off spam

Re: I've inherited a botnet target

2010-05-26 Thread Noel Jones
On 5/26/2010 2:34 PM, brian wrote: On 10-05-26 03:24 PM, Ansgar Wiechers wrote: On 2010-05-26 Ralf Hildebrandt wrote: Shouldn't you use at least ONE RBL? Probably wouldn't hurt, but unless he's trying to fight off spam sent to valid users (which according to his description doesn't seem to be

Re: I've inherited a botnet target

2010-05-26 Thread David DeFranco
While you're looking into a way to drop these connections as quickly as possible I would turn down the number of SMTPD processes on your server. That should give your server a break. I'd start at 50 and tune from there. change your master.cf to something like: #

Re: I've inherited a botnet target

2010-05-26 Thread brian
On 10-05-26 03:43 PM, Ansgar Wiechers wrote: On 2010-05-26 brian wrote: On 10-05-26 03:24 PM, Ansgar Wiechers wrote: On 2010-05-26 Ralf Hildebrandt wrote: Shouldn't you use at least ONE RBL? Probably wouldn't hurt, but unless he's trying to fight off spam sent to valid users (which according

Re: I've inherited a botnet target

2010-05-26 Thread Ansgar Wiechers
On 2010-05-26 brian wrote: > On 10-05-26 03:24 PM, Ansgar Wiechers wrote: >> On 2010-05-26 Ralf Hildebrandt wrote: >>> Shouldn't you use at least ONE RBL? >> >> Probably wouldn't hurt, but unless he's trying to fight off spam sent >> to valid users (which according to his description doesn't seem t

Re: I've inherited a botnet target

2010-05-26 Thread Matt Hayes
On 5/26/2010 3:35 PM, brian wrote: > On 10-05-26 03:31 PM, Matt Hayes wrote: >> >> I wonder if using something like postscreen from the 2.8-snapshots would >> help to curtail some of the resource usage. >> > > Thanks, I'll check it out. However, I'd feel more optimistic about it if > it was named

Re: I've inherited a botnet target

2010-05-26 Thread brian
On 10-05-26 03:31 PM, Matt Hayes wrote: I wonder if using something like postscreen from the 2.8-snapshots would help to curtail some of the resource usage. Thanks, I'll check it out. However, I'd feel more optimistic about it if it was named prescreen ;-)

Re: I've inherited a botnet target

2010-05-26 Thread brian
On 10-05-26 03:24 PM, Ansgar Wiechers wrote: On 2010-05-26 Ralf Hildebrandt wrote: Shouldn't you use at least ONE RBL? Probably wouldn't hurt, but unless he's trying to fight off spam sent to valid users (which according to his description doesn't seem to be the case) he could go without as we

Re: I've inherited a botnet target

2010-05-26 Thread Ansgar Wiechers
On 2010-05-26 brian wrote: > On 10-05-26 03:21 PM, Ansgar Wiechers wrote: >> The connections are being rejected, so unless your server resources >> are being exhausted by the delivery attempts I don't think you have >> to worry about it. > > As mentioned in another msg, I neglected to mention that

Re: I've inherited a botnet target

2010-05-26 Thread Matt Hayes
On 5/26/2010 3:29 PM, brian wrote: > On 10-05-26 03:21 PM, Ansgar Wiechers wrote: >> >> The connections are being rejected, so unless your server resources are >> being exhausted by the delivery attempts I don't think you have to worry >> about it. > > As mentioned in another msg, I neglected to m

Re: I've inherited a botnet target

2010-05-26 Thread brian
On 10-05-26 03:21 PM, Ansgar Wiechers wrote: The connections are being rejected, so unless your server resources are being exhausted by the delivery attempts I don't think you have to worry about it. As mentioned in another msg, I neglected to mention that postfix is already being put into st

Re: I've inherited a botnet target

2010-05-26 Thread brian
On 10-05-26 03:03 PM, Ralf Hildebrandt wrote: * brian: Which domain is the old one, which is the new one? "One change I suggested was to utilise a .org domain rather than .com" Shouldn't you use at least ONE RBL? E.g.: smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_de

Re: I've inherited a botnet target

2010-05-26 Thread Ansgar Wiechers
On 2010-05-26 Ralf Hildebrandt wrote: > Shouldn't you use at least ONE RBL? Probably wouldn't hurt, but unless he's trying to fight off spam sent to valid users (which according to his description doesn't seem to be the case) he could go without as well. Regards Ansgar Wiechers -- "Abstractions

Re: I've inherited a botnet target

2010-05-26 Thread Jan-Kaspar Münnich
On 26.05.2010, at 21:01, Matt Hayes wrote: >> Is there >> something more I can do to mitigate the stress on the server? > > You could look into using RBLs such as spamhaus etc. In general RBLs work fine against these dictionary attacks. But in this special case where not one address exists at t

Re: I've inherited a botnet target

2010-05-26 Thread Ansgar Wiechers
On 2010-05-26 brian wrote: > I've a hunch that the following problem is not something that can be > configured away through postfix but, as I'm well aware that my > config-fu is not the strongest, I'd like any advice more experience > among you might have. I'm sure this isn't a rare problem. > > I

Re: I've inherited a botnet target

2010-05-26 Thread Ralf Hildebrandt
* brian : > organisation). The old domain points to this new server in order to > redirect web traffic. AFAIK, there were never any email addresses > used under the old domain. But, now I've set up postfix, I'm seeing > thousands of failed attempts to send to various fictitious DOMAIN.com > addres

Re: I've inherited a botnet target

2010-05-26 Thread Matt Hayes
On 5/26/2010 2:53 PM, brian wrote: > I've a hunch that the following problem is not something that can be > configured away through postfix but, as I'm well aware that my config-fu > is not the strongest, I'd like any advice more experience among you > might have. I'm sure this isn't a rare problem

I've inherited a botnet target

2010-05-26 Thread brian
I've a hunch that the following problem is not something that can be configured away through postfix but, as I'm well aware that my config-fu is not the strongest, I'd like any advice more experience among you might have. I'm sure this isn't a rare problem. I recently began supporting the webs