Recommended milters for small setup


Recommended milters for small setup

Ian Evans
The long story short is that due to dealing with family medical issues over the past few years, my Combo web/postfix server is still on Ubuntu 14.04.

In a couple of months I will have some time to upgrade. Instead of risking an in place upgrade, I am going to fire up a new droplet on Digitalocean, install the latest stuff over there, and migrate my data. 

My site has two email users, me and the missus. I currently run an email stack of postfix, amavis, spamassassin, clamav and dovecot. The Postfix also has dkim, dmarc, spf and postscreen. 

Is there a more efficient, memory stingy, faster milter way to run spamassassin, clamav, etc, or would you recommend sticking with amavis?

Thanks. 

Re: Recommended milters for small setup

Tom Hendrikx
On 15-10-2020 17:19, Ian Evans wrote:

> The long story short is that due to dealing with family medical issues
> over the past few years, my Combo web/postfix server is still on
> Ubuntu 14.04.
>
> In a couple of months I will have some time to upgrade. Instead of
> risking an in place upgrade, I am going to fire up a new droplet on
> Digitalocean, install the latest stuff over there, and migrate my data.
>
> My site has two email users, me and the missus. I currently run an
> email stack of postfix, amavis, spamassassin, clamav and dovecot. The
> Postfix also has dkim, dmarc, spf and postscreen.
>
> Is there a more efficient, memory stingy, faster milter way to run
> spamassassin, clamav, etc, or would you recommend sticking with amavis?
>
> Thanks.

I use https://github.com/milter-manager/milter-manager, works great if
you like milters :)

Kind regards,

     Tom


Re: Recommended milters for small setup

PGNet Dev
In reply to this post by Ian Evans
On 10/15/20 8:19 AM, Ian Evans wrote:

> Is there a more efficient, memory stingy, faster milter way to run spamassassin, clamav, etc, or would you recommend sticking with amavis?



very much personal choice.  each comes with its challenges.
  for any set of choices, you'll get the usual assortment of pundits telling you why it's Bad(tm).


i'm not a fan of 'swiss army knife' apps that try to be all things to all people; i prefer the option to rip out & swap individual pieces if/as needed.

having _had_ that^ same stack, i first rm'd amavis.


now, i've got:

 inbound:

  postscreen

  spf-engine (policy service)

  pre-q milters:

   opendkim
   opendmarc
   milter-regex
   clamav-milter
   spamassassin-milter (https://lib.rs/crates/spamassassin-milter)

 outbound:

  opendkim


for inbound, i'd like to replace opendkim/opendmarc with fastmail/authentication_milter -- but the project devs aren't terribly responsive.  not clear yet whether it's as bad as 'Trusted Domain Project' opendkim/opendmarc ...

for outbound, i'd again like to get rid of opendkim. but, so far, i've found no good packaged options that fit my needs.

DIY with Mail::DKIM is a pain, but doable, and on my "I'll get around to it eventually" list.

atm -- although it all still _feels_ a bit fragile -- this current setup is working well enough.

certainly lighter-weight than b4, and for me simpler to configure/manage.

my $0.02.
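
Added example, not part of PGNet Dev's message and not his actual configuration: one way the inbound and outbound pieces listed above could be wired into Postfix. The socket paths, the policyd-spf service entry and the choice of `tempfail` are assumptions for illustration.

```conf
# /etc/postfix/main.cf (constructed example; all socket paths are assumptions)

# SPF is checked by a policy service at RCPT time, before any milter runs.
# spf-engine provides policyd-spf; it also needs a master.cf entry such as:
#   policyd-spf unix - n n - 0 spawn user=policyd-spf argv=/usr/bin/policyd-spf
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf

# Pre-queue milters for mail arriving over SMTP. Postfix calls them in the
# order listed. opendkim goes before opendmarc because opendmarc evaluates
# the Authentication-Results header that opendkim adds.
smtpd_milters =
    unix:opendkim/opendkim.sock,
    unix:opendmarc/opendmarc.sock,
    unix:milter-regex/milter-regex.sock,
    unix:clamav/clamav-milter.sock,
    unix:spamassassin-milter/spamassassin-milter.sock

# Mail injected locally (sendmail command, cron) bypasses smtpd_milters.
# Only DKIM signing is wanted there, which covers the outbound case.
non_smtpd_milters = unix:opendkim/opendkim.sock

# Behaviour when a milter is unreachable or times out:
#   accept   = fail open: mail is delivered unscanned and unverified
#   tempfail = fail closed: the sender gets a 4xx reply and retries later
milter_default_action = tempfail
```

With several independent milters in the chain, `milter_default_action` decides whether one crashed daemon silently disables a check or delays mail, so the value should be a deliberate choice.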

Re: Recommended milters for small setup

Patrick Ben Koetter-2
In reply to this post by Ian Evans
* Ian Evans <[hidden email]>:

> The long story short is that due to dealing with family medical issues over
> the past few years, my Combo web/postfix server is still on Ubuntu 14.04.
>
> In a couple of months I will have some time to upgrade. Instead of risking
> an in place upgrade, I am going to fire up a new droplet on Digitalocean,
> install the latest stuff over there, and migrate my data.
>
> My site has two email users, me and the missus. I currently run an email
> stack of postfix, amavis, spamassassin, clamav and dovecot. The Postfix
> also has dkim, dmarc, spf and postscreen.
>
> Is there a more efficient, memory stingy, faster milter way to run
> spamassassin, clamav, etc, or would you recommend sticking with amavis?

If you need quarantine and per user policies you want to stick with amavis. I
recommend to use amavis via the amavis-milter bridge.

Other than that you might want to give rspamd a shot. It can sign/verify DKIM,
verify DMARC and IIRC it can do SPF as well. There's a way to plug ClamAV into
rspamd and of course it can detect and reject spam as well. If you use rspamd
it is recommended *not* to use postscreen as this keeps clients away from
rspamd and that prevents it from learning and becoming more efficient.

p@rick


--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein


Re: Recommended milters for small setup

lists@lazygranch.com
In reply to this post by Ian Evans
I run a personal mail server. Back when I used FreeBSD, every once in a while amavisd would cause the mail queue to stall. I can't be bothered playing sysadmin to keep things running. My advice is to employ whatever Google wants, namely spf and DKIM. Look as legit as possible. Even then you will be blocked by SBC and have to be whitelisted. Spectrum will never accept mail from Digital Ocean. There is no workaround.

I stopped running SpamAssassin. I use RBLs. I need the mail to go through and don't want to fine tune SpamAssassin. I just delete the obvious spam which these days comes from legit Gmail accounts. If this is a personal server, it isn't like you have customers to complain about spam. I don't even have to open spam to know it is spam. OK maybe some day Bill Gates will be emailing me and I dumped his email. Oh well... 

The best antivirus is between your ears. Clamav gets about 75% of the malware eventually. The key is eventually. The trouble is it takes some time for any Anti-Malware to get the signatures so the initial implementation of the malware gets through. I was running clamav and yet getting fresh malware based on what I sent virustotal.com. 

Less is more. I do whatever I can using postfix. I block email from the goofy TLDs like XYZ. You know those TLDs that namecheap will sell for a dollar. I reject most attachments. Why would I ever want an exe file? I barely run windows and certainly don't get software in my email. 

I suggest using port 587 in your setup. Then use a firewall to keep countries that you will never visit from touching any email port other than 25. When I used a hosting company, I got hacked from Morocco. I'm sure it is a nice place to visit, but don't plan on it so I certainly won't be reading my email or sending email from there. I have a list of hosting companies that I have built over the years. They get blocked as well except for port 25. Now you risk using wifi somewhere and getting rejected but I don't use free wifi often and have a VPN anyway so I won't be blocked from my own server. 

Don't install anything for web email. You should always use an email client. 

Less is more. The more programs you chain together, the more likely the email will break.  I suggest not using cpanel. I do everything on my server via command line. Every service you install just increases the attack surface. 

I like Digital Ocean a lot. I use centos. No drama. Thus far all the updates have been uneventful. Technically you can't upgrade centos. They want you to migrate. But the support for each rev lasts a long time.

Sent: October 15, 2020 8:19 AM
Subject: Recommended milters for small setup

The long story short is that due to dealing with family medical issues over the past few years, my Combo web/postfix server is still on Ubuntu 14.04.

In a couple of months I will have some time to upgrade. Instead of risking an in place upgrade, I am going to fire up a new droplet on Digitalocean, install the latest stuff over there, and migrate my data. 

My site has two email users, me and the missus. I currently run an email stack of postfix, amavis, spamassassin, clamav and dovecot. The Postfix also has dkim, dmarc, spf and postscreen. 

Is there a more efficient, memory stingy, faster milter way to run spamassassin, clamav, etc, or would you recommend sticking with amavis?

Thanks. 
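
Added example, not lists@lazygranch.com's own configuration: a Postfix-only way to express the TLD block and the attachment rejection described in the message above. The file paths, the extension list and the reject texts are assumptions for illustration.

```conf
# /etc/postfix/main.cf (constructed example; file names are assumptions)
mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre
smtpd_sender_restrictions =
    check_sender_access pcre:/etc/postfix/sender_tld.pcre

# /etc/postfix/mime_header_checks.pcre
# Reject any MIME part whose declared file name ends in an executable
# extension. Postfix pcre tables match case-insensitively by default, and a
# line starting with whitespace continues the previous rule.
# This looks only at the name the sender declares: a renamed file or an
# executable inside an archive is not caught by this rule.
/^Content-(Disposition|Type):.*name\s*=\s*"?[^";]*\.(bat|com|exe|dll|scr|vbs)"?\s*(;|$)/
    REJECT Attachment type .${2} is not accepted here

# /etc/postfix/sender_tld.pcre
# Reject envelope senders under a TLD this server never expects mail from.
# The envelope sender is supplied by the client, so this is a cheap filter,
# not an authentication check.
/\.xyz$/    REJECT Mail from this TLD is not accepted here
```

`postmap -q` can be used to test a key against each table before reloading Postfix, which avoids rejecting legitimate mail because of a pattern typo.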

Re: Recommended milters for small setup

Curtis Maurand
In reply to this post by Patrick Ben Koetter-2
October 15 2020 3:33 PM, "Patrick Ben Koetter" <[hidden email]> wrote:

> * Ian Evans <[hidden email]>:
>
>> The long story short is that due to dealing with family medical issues over
>> the past few years, my Combo web/postfix server is still on Ubuntu 14.04.
>>
>> In a couple of months I will have some time to upgrade. Instead of risking
>> an in place upgrade, I am going to fire up a new droplet on Digitalocean,
>> install the latest stuff over there, and migrate my data.
>>
>> My site has two email users, me and the missus. I currently run an email
>> stack of postfix, amavis, spamassassin, clamav and dovecot. The Postfix
>> also has dkim, dmarc, spf and postscreen.
>>
>> Is there a more efficient, memory stingy, faster milter way to run
>> spamassassin, clamav, etc, or would you recommend sticking with amavis?
>
> If you need quarantine and per user policies you want to stick with amavis. I
> recommend to use amavis via the amavis-milter bridge.
>
> Other than that you might want to give rspamd a shot. It can sign/verify DKIM,
> verify DMARC and IIRC it can do SPF as well. There's a way to plug ClamAV into
> rspamd and of course it can detect and reject spam as well. If you use rspamd
> it is recommended *not* to use postscreen as this keeps clients away from
> rspamd and that prevents it from learning and becoming more efficient.
>

I would suggest the clamav-milter if you're going to use rspamd.

Re: Recommended milters for small setup

Ian Evans
In reply to this post by PGNet Dev
On Thu, Oct 15, 2020 at 12:44 PM PGNet Dev <[hidden email]> wrote:
> On 10/15/20 8:19 AM, Ian Evans wrote:
>
>> Is there a more efficient, memory stingy, faster milter way to run spamassassin, clamav, etc, or would you recommend sticking with amavis?
>
> very much personal choice.  each comes with its challenges.
>   for any set of choices, you'll get the usual assortment of pundits telling you why it's Bad(tm).
>
> i'm not a fan of 'swiss army knife' apps that try to be all things to all people; i prefer the option to rip out & swap individual pieces if/as needed.
>
> having _had_ that^ same stack, i first rm'd amavis.
>
> now, i've got:
>
>  inbound:
>
>   postscreen
>
>   spf-engine (policy service)
>
>   pre-q milters:
>
>    opendkim
>    opendmarc
>    milter-regex
>    clamav-milter
>    spamassassin-milter (https://lib.rs/crates/spamassassin-milter)
>
>  outbound:
>
>   opendkim
>
> for inbound, i'd like to replace opendkim/opendmarc with fastmail/authentication_milter -- but the project devs aren't terribly responsive.  not clear yet whether it's as bad as 'Trusted Domain Project' opendkim/opendmarc ...
>
> for outbound, i'd again like to get rid of opendkim. but, so far, i've found no good packaged options that fit my needs.
>
> DIY with Mail::DKIM is a pain, but doable, and on my "I'll get around to it eventually" list.
>
> atm -- although it all still _feels_ a bit fragile -- this current setup is working well enough.
>
> certainly lighter-weight than b4, and for me simpler to configure/manage.
>
> my $0.02.

thanks to everyone for the suggestions. some food for thought.

have a great weekend,