| 1 |
On 05/11/2015 04:08 PM, Robin H. Johnson wrote: |
| 2 |
> By drop, I will clarify that they should ideally be rejected at SMTP |
| 3 |
> time, not silently dropped. |
| 4 |
> |
| 5 |
|
| 6 |
I believe those logs show a rejection after the message has been |
| 7 |
accepted initially (if I'm wrong, you can ignore the rest of this). This |
| 8 |
is better in a way, but causes another problem. |
| 9 |
|
| 10 |
Obviously it's better than a silent discard in that, in the case of a |
| 11 |
false positive, the sender will be notified of the mistake. But, it |
| 12 |
creates backscatter[1] which can get us blacklisted or be used as part |
| 13 |
of a DDoS. It's also just plain rude to the innocent people we're |
| 14 |
bombarding with rejections (for mail they never sent). |
| 15 |
|
| 16 |
That happens because we, |
| 17 |
|
| 18 |
1. Accept the message (postfix) |
| 19 |
2. Queue the message (postfix) |
| 20 |
3. Client disconnects (postfix) |
| 21 |
4. Scan the message (amavis) |
| 22 |
5. Decide to reject the message (amavis) |
| 23 |
6. Alert the sender (postfix) |
| 24 |
|
| 25 |
This saves resources because there's a queue waiting to get into amavis, |
| 26 |
and scanning can take a while. As long as we scan at a decent *average* |
| 27 |
speed, the queue will eventually empty. |
| 28 |
|
| 29 |
But at step #4, the original client is long gone, so you can't just feed |
| 30 |
him a 5xx error. There's another "pre-queue" mode for amavis which lets |
| 31 |
us reject right away. If you configure e.g. |
| 32 |
|
| 33 |
smtpd_proxy_filter = localhost:10024 # amavis goes here |
| 34 |
|
| 35 |
in Postfix's main.cf, then amavis will scan the message as its being |
| 36 |
received. Then the D_REJECT will actually just say "5xx: get lost" to |
| 37 |
the client while he's still sending the message. Real senders will get |
| 38 |
an NDR from their mail server. And if a spammer uses a forged address, |
| 39 |
it doesn't matter -- the spammer gets the rejection, not the poor guy |
| 40 |
whose email he used. It looks something like, |
| 41 |
|
| 42 |
1. Client connects |
| 43 |
2. Postfix proxies the message through amavis |
| 44 |
3. Amavis scans the message and reports its verdict to postfix |
| 45 |
4. Postfix reports the good/bad news to the client |
| 46 |
5. Message is queued (or not) |
| 47 |
6. Client disconnects |
| 48 |
|
| 49 |
The downside is that the "pre-queue" mode needs a lot more resources. |
| 50 |
When there's no "going to amavis" queue, you need enough resources |
| 51 |
(amavis processes, memory...) around to be able to scan all of your |
| 52 |
incoming mail at once. Otherwise you'll run out of resources and clients |
| 53 |
will start seeing 4xx errors (this isn't that bad if it only happens |
| 54 |
under rare circumstances). |
| 55 |
|
| 56 |
FWIW we do this for a few thousand accounts on a Proliant DL360 G5. I'm |
| 57 |
happy to share any of the configuration. |
| 58 |
|
| 59 |
|
| 60 |
|
| 61 |
[1] http://en.wikipedia.org/wiki/Backscatter_%28email%29 |
Archives