Gentoo Forums
Allow authenticated relay for Postfix
dageyra
Apprentice
Joined: 22 Feb 2005
Posts: 194
Location: Terre Haute, IN

Posted: Sun Mar 13, 2011 8:13 am

Incredible, you probably won't believe this, but I figured it out.

Code:
relayhost = mail.domain.com:587


I looked at this line and noticed that in the saslpassword file I had [mail.domain.com]:587. I have no idea what the brackets are for, but by including them in the main.cf, everything worked!

The new line looked like this:

Code:
relayhost = [mail.domain.com]:587


I will see about re-adding TLS for security reasons, but do you have other thoughts on the use of grey listing?
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Sun Mar 13, 2011 8:45 am

dageyra wrote:
I have no idea what the brackets are for, but by including them in the main.cf, everything worked!


Ah right. So those are basically:

mail.domain.com:587 == do an MX lookup for 'mail.domain.com', and send to whichever MX is returned
[mail.domain.com]:587 == just send to mail.domain.com on port 587 dammit! Screw the MX lookup, just send it, don't question me, I am the configurator.

(brackets disable MX lookups)

dageyra wrote:
do you have other thoughts on the use of grey listing?


Just in general? None that are positive. That's fuel for a rant unfortunately. Some implementations are better than others (policyd v1 has a fairly intelligent configuration, should you choose to make one), but nowadays I'd say they block off as much (if not more) legitimate mail as they do spam, and introduce delays unnecessarily just for the sake of introducing delays.

Nearly every piece of spam nowadays is sent via spambot, and nearly every one I've analyzed (which is a large proportion of what I do in my professional career) has retry code, easily defeating greylisting.
Talked my old company out of instituting greylisting in their software (we were a vendor), fast forward a few years later, at a new company whose product had greylisting by default - one of the first things I did was rip that out. For whatever that's worth.

You're not really defeating the bots. You're delaying mail until they've waited long enough to have an authenticated triplet (and with most implementations, thankfully, you can cache this positive result and not greylist that host for $timeperiod). There's just so little gain. And then you consider, even though there shouldn't be, there are still huge chunks of, for example, web mailer implementations out there that don't use their system's sendmail() function, and instead try to crudely code their own SMTP stack. Crudely doing so without any concept of a queue, so any message that isn't accepted on the first try is just junked into the bit bucket. Also not at all uncommon for a greylisting implementation to blacklist a host after X number of failed attempts in too rapid succession - only wait, you have no way of advertising your acceptable retry time to another host, so they may keep retrying every 120 seconds, when your threshold is 300 seconds.

Coupling the risks with the marginal to nil benefits, I can't recommend greylisting for anyone.

Worried about spam, looking for a freebie method? RBL's aren't as crap as some paranoid people might like to say. Some people just shit a brick over them, shit a brick over the idea of letting a third party dictate your filtering, but fact of the matter is, they work, and they work well. Especially so, if you're being selective with the RBL's you choose - look for a sane listing policy, a sane delisting policy, and your risks of missing legitimate mail are exceedingly low.

I'm confident enough in the RBL's I've chosen for my system, I don't even let them connect, don't wait on the RCPT command to issue the 550:

Code:

smtpd_delay_reject = no
smtpd_client_restrictions =
        permit_mynetworks
        reject_rbl_client ix.dnsbl.manitu.net
        reject_rbl_client cbl.abuseat.org
        reject_rbl_client b.barracudacentral.org
        reject_rbl_client new.spam.dnsbl.sorbs.net


Is that all I use? No. When I was still using exclusively my own filtering, I also had amavisd-new in the picture, plugged into spamassassin and clamav. Didn't use the SA rules, just wrote my own, copied over some of the stuff from work (required a slight formatting change, but it wasn't too difficult). Of course, now I use my company's filtering, so I've dropped amavis/clam/SA to save myself a bit of memory. But when I *was* running that setup, my catch rate was very, very acceptable.
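As an added illustration (not code from either poster, nor from Postfix): a small Python checker that applies the bracket rule above to a relayhost value and confirms that the sasl_passwd lookup key matches it literally, which is the mismatch the first post ran into. It assumes a simplified model of Postfix behaviour in which the SASL client searches the password table by the next-hop destination exactly as written in relayhost, brackets and port included; the file contents below are constructed sample data.

```python
import re

# Hypothetical helper (not Postfix code): interpret a Postfix next-hop
# destination such as the relayhost value, using the rule from the post:
#   host:port   => MX lookup for host, deliver to the MX returned
#   [host]:port => connect to host directly, no MX lookup
# IPv6 literals like [::1] are not handled by this simplified parser.
def parse_nexthop(spec):
    spec = spec.strip()
    m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", spec)
    if m:
        host, port, mx_lookup = m.group(1), m.group(2), False
    else:
        m = re.fullmatch(r"([^\[\]:]+)(?::(\d+))?", spec)
        if not m:
            raise ValueError("unparseable next-hop: %r" % spec)
        host, port, mx_lookup = m.group(1), m.group(2), True
    # Port 25 (smtp) is the default when none is given.
    return {"host": host, "port": int(port) if port else 25, "mx_lookup": mx_lookup}

def parse_sasl_passwd(text):
    """Parse sasl_passwd text into {lookup_key: 'user:password'}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, cred = line.split(None, 1)
        table[key] = cred
    return table

def check_relay_credentials(relayhost, sasl_passwd_text):
    """Return (ok, reason). Assumption: the password table is looked up
    with the relayhost value verbatim, so '[host]:587' and 'host:587'
    are different keys even though they name the same server."""
    table = parse_sasl_passwd(sasl_passwd_text)
    key = relayhost.strip()
    if key in table:
        return True, "credentials found for %s" % key
    want = parse_nexthop(key)
    for k in table:
        if parse_nexthop(k)["host"] == want["host"]:
            return False, "key %r does not literally match relayhost %r" % (k, key)
    return False, "no entry for %s" % key

# Constructed sample sasl_passwd, mirroring the thread's situation.
SASL_PASSWD = "# constructed sample\n[mail.domain.com]:587 user@domain.com:s3cret\n"
```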