ot: policyd advise
Voytek
I have an 'old' Postfix 2.1 Centos 6 server, all running well, looking at
setting a more up to date server and Postfix

old server was not installed by me, just now I've realized I have a policy
daemon I was not aware of (obviously was running OK...)

from main.cf
...
smtpd_recipient_restrictions =
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unlisted_recipient,
 check_policy_service inet:127.0.0.1:7777,
 permit_mynetworks,
 check_sasl_access hash:/etc/postfix/sasl_access
 permit_sasl_authenticated,
...

Q1: in a multi line config like this, is it possible to comment out one
line in place like so?

smtpd_recipient_restrictions =
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unlisted_recipient,
# check_policy_service inet:127.0.0.1:7777,
 permit_mynetworks,
 check_sasl_access hash:/etc/postfix/sasl_access
 permit_sasl_authenticated,
...

Q2: is there a way to assess from maillogs? effectiveness ? what else ?
that this daemon has ?

I also have policyd 1.x running on this server
reading docs for the port 7777 daemon, it's "iRedAPD" which I gather is
similar to policyd

reading further, "iRedMail and iRedAdmin-Pro completely drop support for
Cluebringer, if you're still running Cluebringer, please migrate to
iRedAPD by following our tutorial."

as I'm still using policyd 1.x, I was hoping to move to policyd 2.x,
reading above, that apparently is no longer developed

Q3: what are my options to update from policyd 1.x to (greylist,
throttling, what else should I look at ?)

lastly, in current setup, I have the two policy daemons in two places:

before permit mynetworks, and, as last

where should it be?

smtpd_recipient_restrictions =
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unlisted_recipient,
 check_policy_service inet:127.0.0.1:7777,
 permit_mynetworks,
 check_sasl_access hash:/etc/postfix/sasl_access
 permit_sasl_authenticated,
 reject_unauth_destination,
 check_recipient_access hash:/etc/postfix/recipient_no_checks,
 check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
 check_helo_access hash:/etc/postfix/helo_checks,
 check_sender_access hash:/etc/postfix/sender_checks,
 check_client_access hash:/etc/postfix/client_checks,
 check_client_access pcre:/etc/postfix/client_checks.pcre,
 reject_rbl_client zen.spamhaus.org,
 reject_rhsbl_client dbl.spamhaus.org,
 reject_rhsbl_sender dbl.spamhaus.org,
 reject_rbl_client psbl.surriel.com,
 reject_rbl_client ix.dnsbl.manitu.net,
 reject_rbl_client bl.spamcop.net,
 check_policy_service inet:127.0.0.1:10031

thanks for any help and pointers

(I've copied this server's 2.1 settings to new server's 3.x install and,
slowly aim to bring it on line, undoubtedly more stupid questions to
follow)

Voytek


Re: ot: policyd advise

Wietse Venema
Voytek:

> I have an 'old' Postfix 2.1 Centos 6 server, all running well, looking at
> setting a more up to date server and Postfix
>
> old server was not installed by me, just now I've realized I have a policy
> daemon I was not aware of (obviously was running OK...)
>
> from main.cf
> ...
> smtpd_recipient_restrictions =
>  reject_unknown_sender_domain,
>  reject_unknown_recipient_domain,
>  reject_non_fqdn_sender,
>  reject_non_fqdn_recipient,
>  reject_unlisted_recipient,
>  check_policy_service inet:127.0.0.1:7777,
>  permit_mynetworks,
>  check_sasl_access hash:/etc/postfix/sasl_access
>  permit_sasl_authenticated,
> ...
>
> Q1: in a multi line config like this, is it possible to comment out one
> line in place like so?
> smtpd_recipient_restrictions =
>  reject_unknown_sender_domain,
>  reject_unknown_recipient_domain,
>  reject_non_fqdn_sender,
>  reject_non_fqdn_recipient,
>  reject_unlisted_recipient,
> # check_policy_service inet:127.0.0.1:7777,
>  permit_mynetworks,
>  check_sasl_access hash:/etc/postfix/sasl_access
>  permit_sasl_authenticated,
> ...

Yes. I copied the above to /tmp/main.cf and checked with 'postconf -n -c /tmp'.
 
> Q2: is there a way to assess from maillogs? effectiveness ? what else ?
> that this daemon has ?

Only if the server logs activity. I have no experience with the
programs that you mention.

> lastly, in current setup, I have the two policy daemons in two places:
> before permit mynetworks, and, as last
>
> where should it be?

If it is before permit mynetworks, it can make your site an open
relay if you aren't very careful.

        Wietse
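
The ordering point above can be checked mechanically. The following Python script is an added example, not code from the thread, from Postfix or from iRedAPD: it parses a smtpd_recipient_restrictions value (the one Voytek posted is embedded as POSTED_VALUE) and reports every check_policy_service listed before the relay check, because Postfix stops evaluating a restriction list at the first OK or REJECT, so a policy service that answers OK at that position grants relaying before reject_unauth_destination (and, in this config, before permit_mynetworks) ever runs. The WITH_ARGUMENT set and the function names are this example's own assumptions. On Postfix 2.10 and later the separate smtpd_relay_restrictions list must also permit the recipient, which limits the damage, but the ordering still decides which later checks a policy service's OK can skip.

```python
"""Report check_policy_service entries that sit before the relay check.

Added example (not from the thread, Postfix or iRedAPD). Postfix evaluates
a restriction list left to right and stops at the first OK or REJECT, so
a policy service placed before reject_unauth_destination can turn the
server into an open relay by answering OK instead of DUNNO.
"""
import re

# Restrictions that consume the next token as their argument.
# Assumption: the set below covers the posted config plus common ones.
WITH_ARGUMENT = {
    "check_policy_service", "check_client_access", "check_helo_access",
    "check_sender_access", "check_recipient_access", "check_sasl_access",
    "reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_sender",
    "reject_rhsbl_helo", "reject_rhsbl_reverse_client",
}

# Names that deny relaying to untrusted clients.
RELAY_CHECKS = ("reject_unauth_destination", "defer_unauth_destination")

# Value copied from Voytek's post in the thread (postconf -n output).
POSTED_VALUE = """
 reject_unknown_sender_domain, reject_unknown_recipient_domain,
 reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient,
 check_policy_service inet:127.0.0.1:7777, permit_mynetworks,
 check_sasl_access hash:/etc/postfix/sasl_access permit_sasl_authenticated,
 reject_unauth_destination,
 check_recipient_access hash:/etc/postfix/recipient_no_checks,
 check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
 check_helo_access hash:/etc/postfix/helo_checks,
 check_sender_access hash:/etc/postfix/sender_checks,
 check_client_access hash:/etc/postfix/client_checks,
 check_client_access pcre:/etc/postfix/client_checks.pcre,
 reject_rbl_client zen.spamhaus.org, reject_rhsbl_client dbl.spamhaus.org,
 reject_rhsbl_sender dbl.spamhaus.org, reject_rbl_client psbl.surriel.com,
 reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net,
 check_policy_service inet:127.0.0.1:10031
"""


def parse_restrictions(value):
    """Split a restriction list into (name, argument) pairs.

    Postfix treats commas and whitespace alike as separators, so the
    missing comma after check_sasl_access in the posted config is harmless.
    """
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    items = []
    i = 0
    while i < len(tokens):
        name, arg = tokens[i], ""
        if name in WITH_ARGUMENT and i + 1 < len(tokens):
            arg = tokens[i + 1]
            i += 1
        items.append((name, arg))
        i += 1
    return items


def policy_services_before_relay_check(value):
    """Return (position, argument) of each check_policy_service that is
    evaluated before the first relay-denying restriction.

    If no relay check is present at all, every policy service is reported,
    since nothing after it would stop an OK from relaying.
    """
    items = parse_restrictions(value)
    names = [n for n, _ in items]
    hits = [names.index(c) for c in RELAY_CHECKS if c in names]
    boundary = min(hits) if hits else len(items)
    return [(i, arg) for i, (name, arg) in enumerate(items)
            if name == "check_policy_service" and i < boundary]


if __name__ == "__main__":
    for pos, arg in policy_services_before_relay_check(POSTED_VALUE):
        print(f"check_policy_service {arg} at position {pos} runs before "
              f"the relay check; an OK answer there permits relaying")
```

Run it as-is against the embedded value and it names the inet:127.0.0.1:7777 service; the one on port 10031, listed last, is not reported. A policy service that should only add rejections (greylisting, throttling) can safely live after reject_unauth_destination; one that needs to whitelist clients should do so with DUNNO plus later permits rather than with OK.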


Re: ot: policyd advise

Voytek
On Fri, December 15, 2017 11:47 am, Wietse Venema wrote:

> Yes. I copied the above to /tmp/main.cf and checked with 'postconf -n -c
> /tmp'.
>
>
>> Q2: is there a way to assess from maillogs? effectiveness ? what else ?
>>  that this daemon has ?
>
> Only if the server logs activity. I have no experience with the
> programs that you mention.
>
>> lastly, in current setup, I have the two policy daemons in two places:
>> before permit mynetworks, and, as last
>>
>> where should it be?
>
> If it is before permit mynetworks, it can make your site an open
> relay if you aren't very careful.

Wietse, thanks

the daemon does have a log full of 'DUNNO's - I guess with DUNNOs it's not
making any decision but passing it on. I'll try to read docs to understand
it better, thanks again

Voytek


Re: ot: policyd advise

Zhang Huangbin-2

> On Dec 15, 2017, at 6:31 AM, Voytek <[hidden email]> wrote:
>
> Q1: in a multi line config like this, is it possible to comment out one
> line in place like so?

iRedAPD works on two Postfix protocol states: RCPT, END-OF-MESSAGE.
Different states have different functions. For example, the greylisting plugin
only works in the RCPT state, but the throttle plugin works on both states.

If mail is rejected in the RCPT state, we don't need the client to send the full
message and move to the END-OF-MESSAGE state.

> Q2: is there a way to assess from maillogs? effectiveness ? what else ?
> that this daemon has ?

iRedAPD logs to /var/log/iredapd/iredapd.log. If some email was rejected
by iRedAPD (e.g. greylisting), Postfix will log the rejection too.

> Q3: what are my options to update from policyd 1.x to (greylist,
> throttling, what else should I look at ?)

Policyd v1 is dead, v2 has not been under active maintenance in the past 2 years (4
commits in 2017, no commit in 2016).

Policyd v2 is a complete rewrite with a different SQL structure, and the Policyd
developers didn't offer any upgrade/migration tutorial. You're on your own.
https://wiki.policyd.org

You're free to use any policy servers which work well with Postfix, but if
you use iRedMail + iRedAdmin-Pro, it's better to move to iRedAPD to get
the best integration, and get support from the iRedMail online support forum:
https://forum.iredmail.org/

----
Zhang Huangbin, founder of iRedMail project: http://www.iredmail.org/
Time zone: GMT+8 (China/Beijing).
Available on Telegram: https://t.me/iredmail
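
To make the two protocol states and the DUNNO answers concrete, here is an added example of a minimal Postfix policy delegation server in Python. It is not iRedAPD's code and not Postfix's; it implements the policy protocol Postfix speaks to check_policy_service (attribute=value lines ending with an empty line, answered with action=...), greylists in the RCPT state and applies a size limit in the END-OF-MESSAGE state, and answers DUNNO everywhere else so that the restrictions listed after it decide. The greylist delay, size limit, class names and the listening port 7777 (taken from the thread's config) are assumptions of this example.

```python
"""Minimal Postfix policy delegation server (added example, not iRedAPD).

Postfix sends one request per restriction evaluation as 'name=value'
lines terminated by an empty line, and expects 'action=<verdict>' plus an
empty line back. RCPT-state requests arrive when check_policy_service is
listed in smtpd_recipient_restrictions; END-OF-MESSAGE requests arrive
when it is listed in smtpd_end_of_data_restrictions.
"""
import socketserver
import time

GREYLIST_DELAY = 300           # seconds a new triplet must wait (assumption)
MAX_MESSAGE_SIZE = 10_000_000  # bytes accepted at END-OF-MESSAGE (assumption)


def parse_policy_request(raw):
    """Parse one request; attributes stop at the first empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class PolicyEngine:
    """Verdict logic, kept separate from the socket code so it can be tested."""

    def __init__(self, now=time.time):
        self.now = now
        self.seen = {}  # greylist triplet -> first-seen timestamp

    def decide(self, attrs):
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        state = attrs.get("protocol_state")
        if state == "RCPT":
            return self.rcpt_decision(attrs)
        if state == "END-OF-MESSAGE":
            return self.eom_decision(attrs)
        # Never answer OK here: with this service listed before
        # permit_mynetworks / reject_unauth_destination, OK ends the
        # restriction list and permits relaying (Wietse's warning above).
        return "DUNNO"

    def rcpt_decision(self, attrs):
        """Greylisting: defer the first contact of a client/sender/recipient
        triplet, pass it through once the delay has elapsed."""
        triplet = (attrs.get("client_address", ""),
                   attrs.get("sender", ""),
                   attrs.get("recipient", ""))
        first_seen = self.seen.setdefault(triplet, self.now())
        if self.now() - first_seen < GREYLIST_DELAY:
            # DEFER_IF_PERMIT only defers if later restrictions would have
            # accepted, so a later REJECT still wins.
            return "DEFER_IF_PERMIT Greylisted, please try again later"
        return "DUNNO"

    def eom_decision(self, attrs):
        """Size check; 'size' is the full message size in this state."""
        try:
            size = int(attrs.get("size", "0"))
        except ValueError:
            size = 0
        if size > MAX_MESSAGE_SIZE:
            return "REJECT Message too large"
        return "DUNNO"

    def handle(self, raw):
        """Full round trip: raw request text in, protocol response out."""
        return "action=" + self.decide(parse_policy_request(raw)) + "\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Postfix may send several requests on one connection; loop on them."""
    engine = PolicyEngine()

    def handle(self):
        lines = []
        while True:
            line = self.rfile.readline()
            if not line:
                return
            text = line.decode("utf-8", "replace").rstrip("\r\n")
            if text == "":
                self.wfile.write(self.engine.handle("\n".join(lines) + "\n\n").encode())
                lines = []
            else:
                lines.append(text)


if __name__ == "__main__":
    # Matches 'check_policy_service inet:127.0.0.1:7777' from the thread.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 7777), PolicyHandler) as srv:
        srv.serve_forever()
```

Every verdict other than OK leaves the decision to the rest of the restriction list, which is why a log full of DUNNO lines, as Voytek observed, is exactly what an idle or unconfigured policy server produces: it is consulted on every recipient but never overrides anything.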


Re: ot: policyd advise

Voytek
On Fri, December 15, 2017 12:36 pm, Zhang Huangbin wrote:

> iRedAPD works on two Postfix protocol state: RCPT, END-OF-MESSAGE.
> Different states have different functions. for example, greylisting
> plugin only works in RCPT state, but throttle plugin works on both states.
>
> iRedAPD logs to /var/log/iredapd/iredapd.log. If some email was rejected
> by iRedAPD (e.g. greylisting), Postfix will log the rejection too.

thanks. I guess on this server it was never configured as logs are full of
DUNNOs, didn't notice any other labels

is iRedAPD available/supported as 'stand alone' with my current postfix,
or just as part of iredmail ?

Voytek


Re: ot: policyd advise

Zhang Huangbin-2

> On Dec 16, 2017, at 10:55 AM, Voytek <[hidden email]> wrote:
>
> thanks. I guess on this server it was never configured as logs are full of
> DUNNOs, didn't notice any other labels

It depends on the plugins enabled in the iRedAPD config file; you can turn
on debug mode to see more details:
http://www.iredmail.org/docs/debug.iredapd.html

> is iRedAPD available/supported as 'stand alone' with my current postfix,
> or just as part of iredmail ?

iRedAPD is a Postfix policy server, of course you can remove it if you
don’t need it.

We replaced Policyd/Cluebringer with iRedAPD, with extra features and
improvements. I suggest you check what features/plugins it offers first
before making the final decision. The plugin directory is /opt/iredapd/plugins/.

For iRedMail / iRedAPD related questions/issues, it's better to move to the
iRedMail online support forum: http://www.iredmail.org/forum/

----
Zhang Huangbin, founder of iRedMail project: http://www.iredmail.org/
Time zone: GMT+8 (China/Beijing).
Available on Telegram: https://t.me/iredmail