policyd-weight FAQ

This FAQ covers version 0.1.13 beta and later

ISPs, selective checks based on recipient

Q: I'm an ISP. How do I use policyd-weight based on recipient?
Q: How can I use policyd-weight for only a single domain?

A: You can do that with Postfix' restriction classes and various Table Types or PCRE Tables.

Example:

smtpd_restriction_classes = check_policyd_weight
check_policyd_weight = 
    check_policy_service inet:127.0.0.1:12525

smtpd_recipient_restrictions =
    permit_mynetworks
    ...
    other stuff like SASL permit or pop-before-smtp permits
    ...
    reject_unauth_destination
    ...
    ...
    check_recipient_access hash:/etc/postfix/policyd_weight_users

file policyd_weight_users:

# per user
recipient1@domain.tld check_policyd_weight

# for an entire domain
domain2.tld check_policyd_weight

Don't forget to run postmap /etc/postfix/policyd_weight_users (depending on the table type).


Other versions (C/C++, other MTAs)

Q: Are C/C++ versions planned in the future?

A: Not that I know. Perl seems fast enough for this job. It will not be faster when written in C. Also I don't have the resources to port this to all platforms if written in C. Perl is available everywhere.

Q: How about other MTAs?

A: For Exim there exists a Policyd-weight/Exim HowTo -- thanks to Jochen Schalanda.

Unfortunately, I only have one mailer, which is Postfix. If you can make policyd-weight available for other MTAs, maintain it and continuously verify it, please make it available to the public and I might link to you. It's not required to be in Perl, but it would be preferred. Python is ok, too. Compiled languages are not favoured, unless you are willing to maintain multiple platforms ;)
Keep in mind that there must be a way to hand HELO, MAIL FROM and the client IP to the script at the SMTP RCPT stage! Doing it after DATA would be useless; you might as well use amavis & Co. in that case, and the smtpd might queue the message after the DATA stage, using up resources.


Whitelisting

Q: I have a mailer that must be whitelisted because the other postmaster won't correct his setup. Will you implement whitelisting?
Q: We receive mail to a special recipient address for automatic data processing and the foreign SMTP client sits behind a NAT address and has no SASL support and they have no MTA themselves. Will you implement whitelisting?

A1: No. Whitelisting can be done with Postfix (and various Table Types or even PCRE Tables together with restriction classes).

In main.cf:

smtpd_recipient_restrictions = 
    permit_mynetworks
    reject_unauth_destination
    ...
    ...
    etc
    ...
    check_client_access    hash:/path/to/policyd_weight_client_whitelist
    check_recipient_access hash:/path/to/policyd_weight_recipient_whitelist
    check_policy_service   inet:127.0.0.1:12525

file policyd_weight_client_whitelist to whitelist an IP, a host or a network (if the hostname resolves):

123.124.125.126        permit_auth_destination
smtp.googlemail.com    permit_auth_destination
yahoo.com              permit_auth_destination

file policyd_weight_recipient_whitelist to allow the recipient:

special@mydomain.tld   permit_auth_destination

Note: do this last, or at least after reject_unauth_destination, or else you allow open relaying for the clients/recipients listed in policyd_weight_*_whitelist.

Don't forget to run postmap /path/to/policyd_weight_*_whitelist. Also you should get in contact with the other postmaster to inform her that something is misconfigured.

A2: Use the Scores, Luke. You could also lower the appropriate score(s) to 0.1 or less until the host in question gets through by 0.95 or so. Please consider that this approach gives spammers and fakers more freedom as well.


Resources/Timeouts

Q: I am running out of resources, my mail server rejects mail with "45x Server configuration problem", "warning: problem talking to server 127.0.0.1:12525: Connection timed out", "warning: timeout on 127.0.0.1:12525 while reading input attribute name"

A: This can have several reasons and is mostly caused by inappropriate OS/environment settings. Make sure of the following:

Please consider that policyd-weight does a number of DNS lookups and requires some wall-clock time between (on average) 0 and 5 seconds. This might lead to an increasing number of smtpd processes - make sure your OS can handle the additional requirements for sockets, file descriptors, etc. Policyd-weight assumes a server in order to scale - not a default desktop OS.

If you report timeout troubles, please include netstat/lsof output (showing socket usage) and the output of sysctl -a | grep somax, and only after you have reviewed that output yourself in order to find the problem.


Messages: "helo/hostname mismatch"

Q: I get Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: example.tld, MTA hostname: unknown[n.n.n.n] (helo/hostname mismatch);
Q: Are you crazy to block a helo hostname mismatch?

A: Policyd-weight cannot provide a complete DNS/MTA HowTo in an SMTP reply due to size restrictions, so it replies with a generalized message. The quoted line means the following:
The client IP and its /24 or /16 subnets bear no relation to the A/MX records of the HELO FQDN, its domain or its parent domains;
nor to the A/MX records of the sender domain or its parent domains;
nor does the reverse record (PTR) point to a FQDN or domain that matches the HELO FQDN, its domain or parent domains, or the sender domain or its parent domains.
Or in short: no, policyd-weight does NOT block on a helo/hostname mismatch alone, but it does report it as one of the most obvious issues.
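To make the three conditions concrete, here is an added illustration (not policyd-weight's own code) that evaluates them against a constructed, in-memory stand-in for DNS; the record data and the two-label cut-off for "parent domains" are assumptions of this example, not something the FAQ specifies.

```python
import ipaddress

# Constructed stand-in for DNS answers (an assumption for this example, not real records).
A_RECORDS = {"mail.example.tld": ["192.0.2.10"], "example.tld": ["192.0.2.20"],
             "mx1.sender.tld": ["198.51.100.7"]}
MX_RECORDS = {"example.tld": ["mail.example.tld"], "sender.tld": ["mx1.sender.tld"]}
PTR_RECORDS = {"192.0.2.10": "mail.example.tld", "203.0.113.5": "dsl-5.isp.tld"}


def domain_chain(fqdn):
    """The FQDN plus its parent domains, stopping at two labels (assumed cut-off)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]


def a_and_mx_addresses(name):
    """A records of the name itself and of its MX targets (constructed lookup)."""
    addrs = set(A_RECORDS.get(name, []))
    for mx in MX_RECORDS.get(name, []):
        addrs.update(A_RECORDS.get(mx, []))
    return addrs


def shared_prefix(client_ip, addr):
    """24 or 16 when client_ip lies in that subnet of addr, else None."""
    for prefix in (24, 16):
        if ipaddress.ip_address(client_ip) in ipaddress.ip_network(f"{addr}/{prefix}", strict=False):
            return prefix
    return None


def helo_hostname_relation(client_ip, helo, sender):
    """Describe the first relation found between client IP and HELO/sender; None means mismatch."""
    sender_domain = sender.rsplit("@", 1)[-1]
    names = domain_chain(helo) + domain_chain(sender_domain)
    # Conditions 1 and 2: A/MX of HELO FQDN, sender domain and their parents vs. the client's /24 or /16
    for name in names:
        for addr in sorted(a_and_mx_addresses(name)):
            prefix = shared_prefix(client_ip, addr)
            if prefix:
                return f"{name} A/MX {addr} shares /{prefix} with client"
    # Condition 3: the client's PTR names a host inside the HELO or sender domain tree
    ptr = PTR_RECORDS.get(client_ip)
    if ptr and set(domain_chain(ptr)) & set(names):
        return f"PTR {ptr} is in the HELO/sender domain tree"
    return None
```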


Testing without rejecting mail

Q: I have installed policyd-weight, but I really don't know if it does what I think it should. I'm afraid to lose mail, so I want to get started without rejecting any mails yet. Is there a dry-run or test mode?

A: No, not in policyd-weight itself, but it can be done within Postfix using warn_if_reject.

In main.cf, replace:

check_policy_service inet:127.0.0.1:12525

with

warn_if_reject check_policy_service inet:127.0.0.1:12525

and reload Postfix. This will then log a message to syslog whenever policyd-weight takes some action.



Q: How do I debug a client, i.e. see how it is being evaluated?

A: By feeding the client credentials according to the Postfix Policy Protocol. The author uses this call:

# echo "helo_name=robtone.ek-muc.de
sender=test@ek-muc.de
client_address=62.225.182.35
request=smtpd_access_policy
" | /path/to/policyd-weight -d

which produces this text output.
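The same attributes can also be sent over the socket the way Postfix does it. The following added example (not code from policyd-weight or Postfix) pairs a minimal client with a constructed mock policy server so both sides of the exchange are visible; the sample requests, the ephemeral port and the hard-coded "related" rule standing in for the real DNS checks are all assumptions of this example.

```python
import socket
import threading
SAMPLES = {  # constructed requests, shaped like the echo input above (not the page's values)
    "forged": {"request": "smtpd_access_policy", "helo_name": "example.tld",
               "sender": "test@example.tld", "client_address": "192.0.2.55"},
    "clean": {"request": "smtpd_access_policy", "helo_name": "mail.example.org",
              "sender": "test@example.org", "client_address": "198.51.100.7"},
}
MISMATCH_REPLY = ("550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO "
                  "and DNS MX settings or to get removed from DNSBLs; MTA helo: {helo_name}, "
                  "MTA hostname: unknown[{client_address}] (helo/hostname mismatch);")

def encode_block(attrs):
    """Policy protocol framing: one name=value per line; an empty line ends the block."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items()).encode() + b"\n"

def read_block(conn):
    """Read until the empty terminator line; split on the first '=' so values may contain '='."""
    buf = b""
    while not buf.endswith(b"\n\n") and (chunk := conn.recv(4096)):
        buf += chunk
    return dict(line.partition("=")[::2] for line in buf.decode().split("\n") if line)

def mock_policyd(server_sock, n_requests):
    """Constructed stand-in for policyd-weight: a hard-coded relation replaces the DNS checks."""
    for _ in range(n_requests):
        conn, _ = server_sock.accept()
        with conn:
            req = read_block(conn)
            related = req["helo_name"].endswith("example.org") and req["client_address"].startswith("198.51.100.")
            action = "DUNNO" if related else MISMATCH_REPLY.format(**req)
            conn.sendall(encode_block({"action": action}))

def query_policy(addr, attrs):
    """Client side, as Postfix's check_policy_service does it: send attributes, read the action."""
    with socket.create_connection(addr) as s:
        s.sendall(encode_block(attrs))
        return read_block(s)["action"]

def run_demo():
    with socket.socket() as srv:  # ephemeral loopback port stands in for inet:127.0.0.1:12525
        srv.bind(("127.0.0.1", 0))
        srv.listen(2)
        worker = threading.Thread(target=mock_policyd, args=(srv, len(SAMPLES)))
        worker.start()
        verdicts = {name: query_policy(srv.getsockname(), attrs) for name, attrs in SAMPLES.items()}
        worker.join()
    return verdicts
```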


Solaris issues

Q: I have trouble getting policyd-weight to work on Solaris; logging doesn't work properly.

A: Depending on the syslog in use you may have to use the policyd-weight option:

$syslog_socktype = 'stream';

Q: Although policyd-weight starts up, Postfix doesn't seem to communicate with the policy daemon. I see syslog errors like
problem talking to server 127.0.0.1:12525: No such file or directory

A: Make sure you are using the latest version of policyd-weight which fixes these socket related issues on Solaris.


Questions not covered by this FAQ

Q: I have other questions which this FAQ doesn't answer.

A: Ok, send a mail to robtone@ek-muc.de with the subject "policyd-weight FAQ" or similar.
