policyd-weight - A policy daemon for Postfix

rejecting faked sender and faked HELO args since 03/23/2005


News

Security: policyd-weight versions up to 0.1.14 beta-16 didn't check correctly for symlinks on/in its operational directories/sockets. An unprivileged user was able to create a symlink to any directory if the working directory had not already been set up by the super user. You are encouraged to update to a version newer than 0.1.14 beta-16.
New versions exit if they operate on symlinks.

Workaround:
- # policyd-weight -k stop
- verify that no policyd-weight processes are running
- change $LOCKPATH from /tmp/.policyd-weight to /var/run/policyd-weight.
- # policyd-weight start
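The check described in the News item above, refusing to run when the lock/socket directory is a symlink, as an added example in Python; it is not policyd-weight's own code. The directory names, the uid/mode rules and the temp-dir scenario in demo() are constructed for illustration.

```python
"""Added example (not policyd-weight's own code): validate a runtime
directory before using it. lstat() is used so a symlink is seen as a
symlink instead of being followed to whatever it points at."""
import os
import shutil
import stat
import tempfile


def check_run_dir(path):
    """Return (ok, reason) for a lock/socket directory."""
    try:
        st = os.lstat(path)          # do NOT follow symlinks
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):     # the class of bug the News item describes
        return False, "symlink"
    if not stat.S_ISDIR(st.st_mode):
        return False, "not a directory"
    if st.st_uid != os.geteuid():    # somebody else pre-created it
        return False, "owned by uid %d, not us" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group/world writable"
    return True, "ok"


def prepare_run_dir(path):
    """Create the directory with mode 0700 if absent, then validate it.
    mkdir fails with EEXIST if anything (including a planted symlink)
    already sits at the path, so an existing entry is never adopted
    without passing check_run_dir()."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    return check_run_dir(path)


def demo():
    """Constructed scenario: a fresh directory passes, a symlink left at
    the lock path (modelled on /tmp/.policyd-weight) is refused."""
    base = tempfile.mkdtemp()
    try:
        good = os.path.join(base, "policyd-weight")
        planted = os.path.join(base, ".policyd-weight")
        os.symlink("/etc", planted)   # stands in for a pre-existing symlink
        return {"good": prepare_run_dir(good),
                "planted": prepare_run_dir(planted)}
    finally:
        shutil.rmtree(base)           # rmtree unlinks the symlink, never follows it


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A daemon that applies check_run_dir() at startup and exits on a failed result behaves like the fixed versions described above; moving $LOCKPATH out of /tmp into /var/run, as the workaround suggests, removes the shared-directory precondition altogether.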

Policyd-weight is in a state "works as intended". Because of my responsibility for my family I have decided to only take care of security issues (as I and many others still use it successfully in production). Currently policyd-weight is feature-complete. For other things to do, look at the todo-list.
Developers who want to continue are encouraged to use the ML and continue on Sourceforge.

What's policyd-weight?

policyd-weight is a Perl policy daemon for the Postfix MTA (2.1 and later) intended to eliminate forged envelope senders and HELOs (i.e. in bogus mails). It allows you to score DNSBLs (RBL/RHSBL), HELO, MAIL FROM and client IP addresses before any queuing is done. It allows you to REJECT messages which have a score higher than allowed, providing improved blocking of spam and virus mails. policyd-weight caches the most frequent client/sender combinations (SPAM as well as HAM) to reduce the number of DNS queries.

After the first three SMTP commands (HELO, MAIL FROM: and RCPT TO:) the client's IP address, corresponding DNS records (A, MX and PTR) and multiple DNSBLs can be checked, verified and scored. If the client tries to forge headers or supplies non-existent DNS or bogus data the spam score will increase, even more so if the client is listed in one or more DNSBLs. Such mails can be rejected while in transfer, before the mail body is received by your MTA. This is different from SpamAssassin or amavisd-new: for scoring or filtering with these programs, mail needs to be accepted and queued, bandwidth is used, CPU-time is wasted and mail cannot be rejected without creating a bounce. Please have a look at the graphical working scheme.
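The flow described in the two paragraphs above, as an added Python example that is not policyd-weight's own code: it parses a Postfix policy-delegation request (the attribute names client_address, helo_name, sender etc. are the real protocol ones), scores the client IP, HELO and MAIL FROM against A/MX/PTR records and a DNSBL, caches the (client, sender domain) verdict, and answers REJECT or DUNNO before the body is accepted. The DNS answers come from a constructed lookup table so it runs offline; the weights, the DNSBL zone name and the reject threshold are assumptions, not the project's values.

```python
"""Added example, not policyd-weight's own code: a minimal Postfix
policy-delegation handler. DNS is a constructed in-memory table;
weights, DNSBL zone and threshold are assumptions."""
import ipaddress

# Constructed DNS data (assumption) standing in for a caching resolver.
# Key: (record type, name) -> answers; a missing key means NXDOMAIN.
FAKE_DNS = {
    ("PTR", "192.0.2.10"): ["mail.example.net"],
    ("A", "mail.example.net"): ["192.0.2.10"],
    ("MX", "example.net"): ["mail.example.net"],
    # 198.51.100.7 has no PTR and is listed in the made-up DNSBL zone
    ("A", "7.100.51.198.dnsbl.example"): ["127.0.0.2"],
}
DNSBLS = ["dnsbl.example"]   # constructed zone name
REJECT_THRESHOLD = 1.0       # assumed value; the real threshold is configurable


def lookup(rtype, name, dns=FAKE_DNS):
    return dns.get((rtype, name), [])


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def parse_request(raw):
    """One Postfix policy request: 'name=value' lines, ended by a blank line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def score_request(attrs, dns=FAKE_DNS):
    """Return (score, reasons): positive evidence is spam-like, negative ham-like."""
    score, reasons = 0.0, []
    client = attrs.get("client_address", "")          # IPv4 assumed below
    helo = attrs.get("helo_name", "").strip("[]")
    sender_domain = attrs.get("sender", "").rpartition("@")[2].lower()

    if not lookup("PTR", client, dns):                 # no reverse DNS at all
        score += 1.5; reasons.append("NO_PTR")
    if is_ip_literal(helo):                            # HELO is a bare address
        score += 1.0; reasons.append("HELO_NUMERIC")
    elif not lookup("A", helo, dns):                   # HELO name does not resolve
        score += 1.5; reasons.append("HELO_UNRESOLVABLE")
    mx_hosts = lookup("MX", sender_domain, dns)
    if not mx_hosts and not lookup("A", sender_domain, dns):
        score += 2.5; reasons.append("SENDER_NO_MX_A")  # bogus envelope domain
    reversed_ip = ".".join(reversed(client.split(".")))
    for zone in DNSBLS:                                # one query per DNSBL zone
        if lookup("A", f"{reversed_ip}.{zone}", dns):
            score += 3.5; reasons.append(f"DNSBL_{zone}")
    mx_addrs = {a for host in mx_hosts for a in lookup("A", host, dns)}
    if client in mx_addrs:                             # client is the sender's own MX
        score -= 3.0; reasons.append("CLIENT_IS_SENDER_MX")
    return score, reasons


def handle(raw, cache=None, dns=FAKE_DNS):
    """Build the policy reply; (client, sender domain) verdicts are cached so
    repeated combinations cost no further DNS queries."""
    attrs = parse_request(raw)
    key = (attrs.get("client_address", ""),
           attrs.get("sender", "").rpartition("@")[2].lower())
    if cache is not None and key in cache:
        score, reasons = cache[key]
    else:
        score, reasons = score_request(attrs, dns)
        if cache is not None:
            cache[key] = (score, reasons)
    if score >= REJECT_THRESHOLD:
        return f"action=REJECT score {score:.1f}; {' '.join(reasons)}\n\n"
    return "action=DUNNO\n\n"


# Constructed requests in the Postfix policy-delegation format.
HAM_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
               "client_address=192.0.2.10\nclient_name=mail.example.net\n"
               "helo_name=mail.example.net\nsender=user@example.net\n"
               "recipient=postmaster@example.org\n\n")
SPAM_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                "client_address=198.51.100.7\nclient_name=unknown\n"
                "helo_name=[198.51.100.7]\nsender=spam@nonexistent.example\n"
                "recipient=postmaster@example.org\n\n")

if __name__ == "__main__":
    print(handle(HAM_REQUEST), end="")
    print(handle(SPAM_REQUEST), end="")
```

Because every individual check only adds or subtracts weight, a single failed lookup (a DynDNS host without PTR, say) does not by itself cross the threshold; it is the accumulation of bad evidence, and a DNSBL hit on top, that produces the REJECT, which is the fairness property the next paragraph contrasts with Postfix' one-hit restrictions.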

Postfix' built-in checks can be too tough for poorly configured clients: one hit, and the mail gets rejected. policyd-weight is designed to be fair (DynDNS MX users get through if their MTA is set up properly, even if their ISP net is DUL-listed), because its decision whether to reject or accept a mail is based on multiple factors.

Of course you should still have SpamAssassin and ClamAV running (especially if you are responsible for a company's security and data). But these programs will have a lot less to do and thus decrease the need for bandwidth and CPU cycles. Also you might not need greylisting (which would make sense for users that receive a lot of new spam, though), SPF, extraordinary whitelists or SQL and other DBs anymore.

Performance

Performance is difficult to measure. The cache daemon is able to handle ~15'200 mails/minute, non-cached throughput is ~2'500 mails/minute (3'630'000 mails/day) on a Dell Dual PIII 1,2GHz, 2Mbit uplink (see my benchmark-test). Also policyd-weight now runs as a daemon. On a loaded server it won't be spawned per smtpd instance anymore. It scales load-adaptively by itself. You also should have a fast caching, recursive DNS server. Don't use DNS forwarders unless you have a rather slow uplink. A rewrite in C/C++ would not lead to a noticeable speedup, neither in CPU nor in wall time. The major bottleneck is, as always, bandwidth, which we try to handle carefully. Nor does the load-adaptive forking have an impact on load/CPU; it is NOT required to fork a process for each and every request.

Regardless of these facts, improvements to the fork code could be made with a) threading, which is not supported everywhere, and b) selecting over UDP (DNS) sockets (called multiplexing by some), which adds unnecessary delays (in milliseconds) to other requests but minimizes the need for parallel instances (i.e. would save memory). For parsing 2'500 mails/minute (at a concurrency of 50 clients at once) policyd-weight created only 22 instances.

Bugs
  • Don't use $PUDP up to v0.53 of Net::DNS
  • Don't use Net::DNS v0.54
  • Don't use Sys::Syslog v0.16 (see CPAN RT #20164)

If you submit bugs, please be so kind as to attach logs and the output of the Debug call to the Bug-Tracker. Please also search the mailinglist archives or <your-favourite-search-engine> for your possibly already answered question.

Misc
  • Configuration and score tuning is done inside of the script or via policyd-weight.conf. Read the comments inside the script.
  • policyd-weight is intended for users that receive mail for their domain via SMTP and not POP (fetchmail and others).
  • Don't set cache sizes larger than 150000, the cleanup process takes too long.

You are not protected from explicit spam/virus attacks directed against you, neither with policyd-weight nor with amavis/SpamAssassin/ClamAV, since there are many ways to get around the amavis barrier, too.

Stats

Winfried Neessen provided some interesting graphs.


Other Postfix resources

http://www.postfix.org/docs.html
http://www.postfix.org/addon.html

Gary V's Debian/Postfix/Amavis Anti-UCE HOWTOs
"The Book of Postfix" (engl.) / "Postfix" (deu.) - R. Hildebrandt & P. B. Koetter
"Das Postfix-Buch" (deu.) - P. Heinlein



Alternatives

postfwd - A Policy Daemon with a very flexible Scoring/Ruleset-Language.



RBLs/RHSBLs used by default

RBLs
RHSBLs

Please read their usage and listing policies.
One may also donate to those services as their constant quality and reliability is very important for the fight against spam; and there is much human work, equipment and motivation involved.


Mailinglist

You can subscribe to the policyd-weight Mailinglist at https://listen.jpberlin.de/mailman/listinfo/policyd-weight-users

Developers and Devel-Testers are also welcome on #policyd-weight (IRCNet)



© 2005-2010 EDV Beratung Selling-IT - Robert Felber
policyd-weight.org domain
provided by neessen.net