spf-discuss

Re: [spf-discuss] SPF/postfix iowait > 90%

2006-10-25 09:06:56

The caching server will use resources as well.  You may be better off
by putting it on a separate box, connected by a fast network.



I already tried that; I have another dedicated DNS server and initially I was forwarding everything to this server, with the same results.

Then look at the mail process:
- don't do SPF lookups if you can reject a message for other reasons
  such as bad helo, non-existing receiver, etc.
- if an answer is not available from the cache, start greylisting
  and thus terminate the connection.  In parallel, do ask for the
  SPF record (which won't be used at that time).
  When the client is trying another time, your cache will have the
  spf record and you get an answer fast.
- determine a sane number of processes that can run in parallel.
  If this number is reached, for any reason including but not
  limited to DNS lookups, refuse to accept more connections.

Others, please correct my mistakes and/or refine my suggestions.
I know this is a difficult topic.



This is my postfix configuration (regarding antispam):

cut here ---

smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname

smtpd_recipient_restrictions =
  permit_mynetworks,
  reject_non_fqdn_sender,
  reject_invalid_hostname,
  reject_non_fqdn_recipient,
  reject_unauth_pipelining,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  reject_rbl_client  l1.spews.dnsbl.sorbs.net,
  reject_rbl_client  http.dnsbl.sorbs.net,
  reject_rbl_client  socks.dnsbl.sorbs.net,
  reject_rbl_client  misc.dnsbl.sorbs.net,
  reject_rbl_client  smtp.dnsbl.sorbs.net,
  reject_rbl_client  web.dnsbl.sorbs.net,
  reject_rbl_client  new.spam.dnsbl.sorbs.net,
  reject_rbl_client  zombie.dnsbl.sorbs.net,
  reject_rbl_client  nomail.rhsbl.sorbs.net,
  reject_rbl_client  badconf.rhsbl.sorbs.net,
  reject_rbl_client relays.ordb.org,
  reject_rbl_client sbl-xbl.spamhaus.org,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client bl.spamcop.net,
  reject_unauth_destination,
  reject_unlisted_recipient,
  check_recipient_access hash:/etc/postfix/access,
  check_policy_service inet:127.0.0.1:10023,
  check_policy_service unix:private/spf_policy,
  permit_sasl_authenticated,
  permit_auth_destination,
  permit


cut here ---

As you can see, tons of restrictions: helo restrictions, RBLs, greylisting (port 10023) and finally, after all that, SPF.

==================================
Adrian de los Santos

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS d- s: a C++++ UL+++++ UC++++ US+++ UX++++ UB+++ P++++ L+++++++++ E--- W+++ N++ U++ K w-- O- M++ V PS+ PE Y+ PGP t+ 5 X R tv++ b++ DI+ + D++ G++ e+++ h+ r++ z+
------END GEEK CODE BLOCK---
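The "greylist on cache miss, fetch the SPF record in the background" idea suggested earlier in the thread, as an added example that is not code from the thread or from any Postfix policy daemon. It assumes a constructed stand-in resolver instead of real DNS, and its SPF evaluation is a toy that handles only ip4: mechanisms and -all/~all, returning the policy actions Postfix understands (DEFER_IF_PERMIT, REJECT, DUNNO).

```python
import ipaddress
import threading
import time
# Added example, not from the thread: cache-first SPF policy decision. A cache miss
# greylists the client (temporary reject) and starts the lookup in the background, so
# the retry is answered from cache. Resolver and SPF evaluation are constructed toys.

_cache = {}        # sender domain -> SPF record text
_pending = set()   # domains whose background lookup is already in flight
_lock = threading.Lock()

def fake_resolver(domain):
    """Stand-in for a DNS TXT lookup, returning constructed records (no real DNS)."""
    time.sleep(0.01)  # simulated latency; the miss path must not block on this
    return {"example.org": "v=spf1 ip4:192.0.2.0/24 -all"}.get(domain, "v=spf1 ~all")

def _fetch(domain, resolver):
    record = resolver(domain)
    with _lock:
        _cache[domain] = record
        _pending.discard(domain)

def evaluate_spf(record, client_ip):
    """Toy SPF check returning 'pass', 'fail', 'softfail' or 'neutral'."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term in ("-all", "~all"):
            return "fail" if term == "-all" else "softfail"
    return "neutral"

def policy_action(sender_domain, client_ip, resolver=fake_resolver):
    """Postfix policy action for one transaction: DEFER_IF_PERMIT, REJECT or DUNNO."""
    with _lock:
        record = _cache.get(sender_domain)
        if record is None:
            if sender_domain not in _pending:  # at most one lookup in flight per domain
                _pending.add(sender_domain)
                threading.Thread(target=_fetch, args=(sender_domain, resolver), daemon=True).start()
            return "DEFER_IF_PERMIT Greylisted, please try again later"
    return "REJECT SPF check failed" if evaluate_spf(record, client_ip) == "fail" else "DUNNO"

def wait_for_cache(domain, timeout=1.0):
    """Wait for the background lookup for domain to land; False on timeout."""
    deadline = time.time() + timeout
    while domain not in _cache and time.time() < deadline:
        time.sleep(0.005)
    return domain in _cache
```

The first connection from a sender domain is always deferred, so this only pays off with clients that retry, which is exactly the greylisting bet.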



-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com