1

Topic: Postfix: address_verify_map / smtpd_proxy_filter

Hi

We just installed iRedMail in a test environment. What I have seen so far are two issues which we might discuss:

- If we use this setup to relay email for a customer, we do not have a database of their valid email addresses, so we just relay everything. Postfix has a feature called "address_verify_map". I would suggest using this. Any other opinions?

- Content filtering with amavis is right now done with the statement "content_filter = smtp-amavis:[127.0.0.1]:10024" in main.cf. This may lead to backscatter since you have to accept mail before checking it. Postfix has a feature called "smtpd_proxy_filter" (to set in master.cf) like this:

smtp      inet  n       -       n       -       20      smtpd
   -o smtpd_proxy_filter=127.0.0.1:10024
   -o smtpd_proxy_timeout=180
   -o smtpd_client_connection_count_limit=10

This holds the connection open and rejects mail if SpamAssassin gets a negative scan result...

Just my 5 cents..

-Reto

2

Re: Postfix: address_verify_map / smtpd_proxy_filter

Please correct me if I am wrong:

borki wrote:

- If we use this setup to relay email for a customer, we do not have a database of their valid email addresses, so we just relay everything. Postfix has a feature called "address_verify_map". I would suggest using this. Any other opinions?

If postfix can't verify relay recipients, what is address_verify_map used for?

- Content filtering with amavis is right now done with the statement "content_filter = smtp-amavis:[127.0.0.1]:10024" in main.cf. This may lead to backscatter since you have to accept mail before checking it. Postfix has a feature called "smtpd_proxy_filter" (to set in master.cf) like this:
smtp      inet  n       -       n       -       20      smtpd
   -o smtpd_proxy_filter=127.0.0.1:10024
   -o smtpd_proxy_timeout=180
   -o smtpd_client_connection_count_limit=10
This holds the connection open and rejects mail if SpamAssassin gets a negative scan result...

If we use smtpd_proxy_filter to inject incoming emails to amavisd before-queue, will it cause a performance issue? It will cause amavisd to invoke SA+ClamAV for anti-spam & anti-virus on all incoming emails, and the fact is, most of them are spam.

Again, I might be wrong since I didn't use them before.

3

Re: Postfix: address_verify_map / smtpd_proxy_filter

For address_verify_map please see http://www.postfix.org/ADDRESS_VERIFICATION_README.html

This is useful when relaying mail to a customer for example where we don't know details about valid recipients. So postfix will make a connection to this server, issue HELO, MAIL FROM: and RCPT TO:. If the remote server answers with "recipient unknown" it will relay that information back to the sender MTA. So you don't need to accept mail and generate DSN/bounces later..

If we use smtpd_proxy_filter to inject incoming emails to amavisd before-queue, will it cause a performance issue? It will cause amavisd to invoke SA+ClamAV for anti-spam & anti-virus on all incoming emails, and the fact is, most of them are spam.

Again, I might be wrong since I didn't use them before.

SA+ClamAV will be invoked for each mail - it doesn't matter if you use smtpd_proxy_filter or not. The only issue is that it can hit a timeout since it's "inline" and no longer store-and-forward. So postfix may refuse mails due to too many pending ones. But this error is a temporary error. Using smtpd_proxy_filter needs some config tweaking, see also here: http://www.postfix.org/SMTPD_PROXY_README.html

Another thing: policyd should come first - so the much more expensive checks with SA/ClamAV only happen after first "basic" checks with policyd.

Maybe let the administrator decide how to use it?

Another question for understanding iRedMail: Will the admin-tool ever change something in master.cf / main.cf after installation?

Regards
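
Added example (not from any poster in this thread and not iRedMail's shipped configuration): a main.cf fragment showing the relay-everything setup beside recipient address verification as described in the post above. The domain `example.com`, the host `mail.customer.example` and the transport file path are placeholders.

```ini
# /etc/postfix/main.cf -- added example; domain, host and paths are placeholders

# Domain this gateway relays for the customer.
relay_domains = example.com

# Next hop for that domain: this is the server the verification probe talks to.
# /etc/postfix/transport would contain a line such as:
#   example.com    smtp:[mail.customer.example]:25
transport_maps = hash:/etc/postfix/transport

# BEFORE: no relay_recipient_maps and no verification, so every recipient in
# example.com is accepted and unknown users turn into bounces (backscatter).
#smtpd_recipient_restrictions =
#    permit_mynetworks,
#    reject_unauth_destination

# AFTER: probe the next hop (HELO, MAIL FROM, RCPT TO, then QUIT without
# sending a message) and reject at RCPT TO time when it answers "user unknown".
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_recipient

# Persistent cache of probe results, so a recipient is not probed per message.
address_verify_map = btree:$data_directory/verify_cache

# Postfix replies 450 by default when the probe is rejected; 550 turns that
# into a permanent rejection the sending MTA reports immediately.
unverified_recipient_reject_code = 550

# If the probe cannot complete (next hop down or slow), keep deferring with a
# temporary error instead of accepting unverified mail.
unverified_recipient_tempfail_action = defer_if_permit
```

Run `postfix check` and `postfix reload` after editing. The first message to a not-yet-cached address may be deferred with a 450 while the probe is still in progress.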

4

Re: Postfix: address_verify_map / smtpd_proxy_filter

borki wrote:

For address_verify_map please see http://www.postfix.org/ADDRESS_VERIFICATION_README.html

This is useful when relaying mail to a customer for example where we don't know details about valid recipients. So postfix will make a connection to this server, issue HELO, MAIL FROM: and RCPT TO:. If the remote server answers with "recipient unknown" it will relay that information back to the sender MTA. So you don't need to accept mail and generate DSN/bounces later..

Thanks very much for your description, it's very clear.
As you said, it would be very useful for a mail server/gateway which is used as a relay server.

About smtpd_proxy_filter, personally, I don't think we can get lots of benefits from this, so I prefer to keep current settings in iRedMail.

borki wrote:

Another question for understanding iRedMail: Will the admin-tool ever change something in master.cf / main.cf after installation?

Do you mean 'iRedAdmin(-Pro)'? It manages only LDAP data.