This FAQ covers version 0.1.13 beta and later
ISPs, selective checks based on recipient
Q: I'm an ISP. How do I use policyd-weight based on recipient?
Q: How can I use policyd-weight for only a single domain?
A: You can do that with Postfix' restriction classes and various Table Types or PCRE Tables.
Example, in file main.cf:

smtpd_restriction_classes = check_policyd_weight
check_policyd_weight = check_policy_service inet:127.0.0.1:12525
smtpd_recipient_restrictions =
    permit_mynetworks
    ... other stuff like SASL permit or pop-before-smtp permits ...
    reject_unauth_destination
    ...
    check_recipient_access hash:/etc/postfix/policyd_weight_users

File policyd_weight_users:

# per user
recipient1@domain.tld    check_policyd_weight
# for an entire domain
domain2.tld              check_policyd_weight

Don't forget to run
postmap /etc/postfix/policyd_weight_users
(depending on the table type).
Other versions (C/C++, other MTAs)
Q: Are C/C++ versions planned in the future?
A: Not that I know of. Perl seems fast enough for this job. It will not be faster when written in C. Also I don't have the resources to port this to all platforms if it were written in C. Perl is available everywhere.
Q: How about other MTAs?
A: For Exim there exists a Policyd-weight/Exim HowTo -- thanks to Jochen Schalanda.
Unfortunately, I only have one mailer, which is Postfix. If you can make it available, maintain and continuously verify policyd-weight for other MTAs please make it available to the public and I might link to you. It's not required to be in Perl, but it would be preferred. Python is ok, too. Compiled languages are not favoured, unless you are willing to maintain multiple platforms ;)
Keep in mind that it must be possible to hand HELO, MAIL FROM and client IP to the script at the SMTP RCPT stage! Doing it after DATA would be useless: you might as well use amavis & Co in that case, and the smtpd might queue the message after the DATA stage, using up resources.
Q: I have a mailer that must be whitelisted because the other postmaster won't correct his setup. Will you implement whitelisting?
Q: We receive mail to a special recipient address for automatic data processing and the foreign SMTP client sits behind a NAT address and has no SASL support and they have no MTA themselves. Will you implement whitelisting?
A1: No. Whitelisting can be done with Postfix (and various Table Types or even PCRE Tables together with restriction classes).
In file main.cf:

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    ... etc ...
    check_client_access hash:/path/to/policyd_weight_client_whitelist
    check_recipient_access hash:/path/to/policyd_weight_recipient_whitelist
    check_policy_service inet:127.0.0.1:12525

File policyd_weight_client_whitelist, to whitelist an IP, a host or a network (if the hostname resolves):

123.124.125.126        permit_auth_destination
smtp.googlemail.com    permit_auth_destination
yahoo.com              permit_auth_destination

File policyd_weight_recipient_whitelist, to allow the recipient:

special@mydomain.tld   permit_auth_destination

Note: do this at the very last, or at least after reject_unauth_destination, or else you allow open relaying for clients/recipients in policyd_weight_*_whitelist.
Don't forget to run
postmap /path/to/policyd_weight_*_whitelist
Also you should get in contact with the other postmaster to inform her that something is misconfigured.
A2: Use the Scores, Luke. You could as well lower the appropriate score(s) to 0.1 or less until the host in question gets through by 0.95 or so. Please consider that this approach gives spammers and fakers more freedom as well.
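As an added sanity check (not part of this FAQ or of policyd-weight itself), the following Python parses the smtpd_recipient_restrictions value of a constructed main.cf excerpt and flags a policyd_weight_*_whitelist lookup that sits before reject_unauth_destination, which the note above warns about, or after check_policy_service, where a permit result can no longer skip the policy query. The excerpt and its file paths are assumptions.

```python
import re

# Constructed main.cf excerpt in the FAQ's layout; paths are placeholders, not a real server's.
GOOD_MAIN_CF = """\
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_client_access hash:/etc/postfix/policyd_weight_client_whitelist
    check_recipient_access hash:/etc/postfix/policyd_weight_recipient_whitelist
    check_policy_service inet:127.0.0.1:12525
"""

def parse_restrictions(main_cf, param="smtpd_recipient_restrictions"):
    """Return the tokens of a Postfix restriction list, joining continuation lines
    (in main.cf a line that starts with whitespace continues the previous value)."""
    parts, collecting = [], False
    for line in main_cf.splitlines():
        if collecting and line[:1].isspace():
            parts.append(line.strip())
        elif re.match(rf"^{re.escape(param)}\s*=", line):
            parts.append(line.split("=", 1)[1])
            collecting = True
        else:
            collecting = False
    return [tok for tok in re.split(r"[\s,]+", " ".join(parts)) if tok]

def whitelist_ordering_problems(tokens):
    """List ordering mistakes for the policyd_weight_*_whitelist lookups:
    a lookup placed before reject_unauth_destination (the FAQ's relay warning)
    or after check_policy_service (then it can no longer bypass policyd-weight)."""
    def first(name):
        return next((i for i, t in enumerate(tokens) if t == name), None)
    reject, policy = first("reject_unauth_destination"), first("check_policy_service")
    problems = []
    for i, tok in enumerate(tokens[:-1]):
        table = tokens[i + 1]   # a check_*_access restriction is followed by its table
        if tok.startswith("check_") and tok.endswith("_access") and "policyd_weight" in table:
            if reject is None or i < reject:
                problems.append(f"{tok} {table} precedes reject_unauth_destination")
            if policy is not None and i > policy:
                problems.append(f"{tok} {table} comes after check_policy_service")
    return problems

if __name__ == "__main__":
    print(whitelist_ordering_problems(parse_restrictions(GOOD_MAIN_CF)))  # []
```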
Q: I am running out of resources, my mail server rejects mail with "45x Server configuration problem", "warning: problem talking to server 127.0.0.1:12525: Connection timed out", "warning: timeout on 127.0.0.1:12525 while reading input attribute name"
A: This can have several reasons and is mostly caused by inappropriate OS/environment settings. Make sure of the following:
- You are using the latest stable or development release (check with /path/to/policyd-weight -v).
- You have a well performing local (host/LAN) recursive DNS cache. If policyd-weight steadily requires more than 2 seconds to answer queries, then your DNS performance is low.
- You set policyd-weight's $MAX_PROC equal to the maximum number of smtpd processes. If you configured many Postfix machines to ask one policyd-weight machine, then configure the policyd-weight machine's $MAX_PROC according to the sum of all smtpds of all Postfix machines.
  grep for "MAX_PROC .* reached" (also in rotated logs) -- if you have this in your logs then you should a) increase $MAX_PROC and b) see why you require more policyd-weight processes. Possible reasons: 1: mail volume too high, 2: DNS too slow for the mail volume.
- Your system's SOMAXCONN is configured for a server environment. 1024 is a good starting point for an average server. You can monitor your socket usage with netstat, lsof and the like.
- Increase policyd-weight cache sizes to reduce DNS lookups.
- Set $TRY_BALANCE = 1; in /etc/policyd-weight.conf, which results in policyd-weight closing the connection after it has sent the response. Normally Postfix' smtpds stay connected and reuse the connection, which might lead to (timeout) problems if the policyd-weight instance has to answer another 3 connected-and-waiting-for-policy-answer smtpds first.
- Use selective greylisting and other low-delay Postfix checks before policyd-weight.
Please consider that policyd-weight does a number of DNS lookups and requires some wallclock time between (on average) 0 and 5 seconds. This might lead to an increasing number of smtpd processes; make sure your OS can handle the additional requirements for sockets, file descriptors, etc. Policyd-weight assumes a server in order to scale, not a default desktop OS.
If you report timeout troubles, please report with netstat/lsof output (showing socket usage) and the output of
sysctl -a | grep somax
and only after you have reviewed that output in order to find the problem yourself.
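As an added triage helper (not part of this FAQ or of policyd-weight), the following Python runs the checks above over a constructed syslog excerpt: it counts the Postfix warnings quoted in the question and the "MAX_PROC .* reached" pattern, and lists the smtpd pids that hit a policy timeout. The log lines are constructed; the policyd-weight line is only assumed to match the FAQ's grep pattern.

```python
import re

# Constructed syslog excerpt. The postfix/smtpd warnings are the ones quoted in the FAQ;
# the policyd-weight line is made up so that it matches the FAQ's grep "MAX_PROC .* reached".
SAMPLE_LOG = """\
Mar  3 10:01:02 mx postfix/smtpd[4101]: warning: problem talking to server 127.0.0.1:12525: Connection timed out
Mar  3 10:01:02 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[192.0.2.7]: 451 4.3.5 Server configuration problem
Mar  3 10:01:05 mx policyd-weight[3990]: warning: MAX_PROC 50 reached
Mar  3 10:01:09 mx postfix/smtpd[4102]: warning: timeout on 127.0.0.1:12525 while reading input attribute name
Mar  3 10:01:20 mx policyd-weight[3990]: warning: MAX_PROC 50 reached
"""

# One pattern per symptom named in the FAQ.
SYMPTOMS = {
    "policy_timeout": re.compile(r"problem talking to server \S+: Connection timed out"),
    "attribute_timeout": re.compile(r"timeout on \S+ while reading input attribute name"),
    "max_proc_reached": re.compile(r"MAX_PROC .* reached"),
    "config_problem_reject": re.compile(r"45\d .*Server configuration problem"),
}

def triage(log_text):
    """Count each symptom and collect the smtpd pids that timed out on the policy socket,
    so the admin knows whether $MAX_PROC, DNS latency or SOMAXCONN deserves a look first."""
    counts = {name: 0 for name in SYMPTOMS}
    timed_out_pids = set()
    for line in log_text.splitlines():
        for name, pattern in SYMPTOMS.items():
            if pattern.search(line):
                counts[name] += 1
        m = re.search(r"postfix/smtpd\[(\d+)\]: warning: (?:problem talking|timeout on)", line)
        if m:
            timed_out_pids.add(int(m.group(1)))
    return counts, sorted(timed_out_pids)

if __name__ == "__main__":
    counts, pids = triage(SAMPLE_LOG)
    print(counts, pids)
```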
Messages: "helo/hostname mismatch"
Q: I get "Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: example.tld, MTA hostname: unknown[n.n.n.n] (helo/hostname mismatch);"
Q: Are you crazy to block on a helo/hostname mismatch?
A: Policyd-weight cannot provide a complete DNS/MTA Howto in an SMTP reply due to size restrictions. Thus it replies with a generalized message. The mentioned line means the following:
- The client IP and its /24 or /16 subnets are in no relation to the A/MX records of the HELO FQDN, domain and parent domains;
- NEITHER to the A/MX records of the sender domain or parent domains;
- NEITHER does the reverse record (PTR) point to a FQDN or domain which matches the HELO FQDN or domain or parent domains, nor the sender domain or parent domains.
Or in short: no, policyd-weight does NOT block on a helo/hostname mismatch alone, but does report it as one of the most obvious issues.
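As an added illustration of the three relations listed above (my own reconstruction, not policyd-weight's code), the following Python decides "helo/hostname mismatch" against a constructed, offline DNS table instead of a live resolver. The names and RFC 5737 addresses in the table are made up.

```python
import ipaddress

# Constructed resolver answers standing in for real DNS (made-up names, RFC 5737 addresses).
DNS = {
    "A":   {"mail.example.tld": ["198.51.100.25"], "example.tld": ["198.51.100.10"],
            "mx1.sender.tld": ["203.0.113.5"]},
    "MX":  {"example.tld": ["mail.example.tld"], "sender.tld": ["mx1.sender.tld"]},
    "PTR": {"198.51.100.25": "mail.example.tld", "192.0.2.7": "dsl-7.isp.tld"},
}

def name_and_parents(fqdn):
    """'mail.example.tld' -> ['mail.example.tld', 'example.tld']: FQDN, domain, parents."""
    labels = fqdn.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def a_and_mx_addresses(name):
    """A records of the name itself plus the A records of its MX hosts."""
    ips = set(DNS["A"].get(name, []))
    for mx in DNS["MX"].get(name, []):
        ips.update(DNS["A"].get(mx, []))
    return ips

def same_network(ip_a, ip_b, prefix):
    net = lambda ip: ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return net(ip_a) == net(ip_b)

def helo_hostname_mismatch(client_ip, helo_name, sender):
    """True when none of the three relations the FAQ lists holds for this client."""
    names = set(name_and_parents(helo_name)) | set(name_and_parents(sender.split("@")[-1]))
    # Relations 1 and 2: client IP, or its /24 or /16, against the A/MX records of the
    # HELO name and sender domain plus parents; a /16 match covers the /24 and exact cases.
    for name in names:
        if any(same_network(client_ip, ip, 16) for ip in a_and_mx_addresses(name)):
            return False
    # Relation 3: the client's PTR name, its domain or parents match one of those names.
    ptr = DNS["PTR"].get(client_ip)
    if ptr and names & set(name_and_parents(ptr)):
        return False
    return True

if __name__ == "__main__":
    print(helo_hostname_mismatch("192.0.2.7", "mail.example.tld", "test@sender.tld"))  # True
```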
Testing without rejecting mail
Q: I have installed policyd-weight, but I really don't know if it does what I think it should. I'm afraid to lose mail, so I want to get started without rejecting any mails yet. Is there a dry-run or test mode?
A: No, not in policyd-weight itself, but it can be done within Postfix using warn_if_reject.
In the file main.cf replace
check_policy_service inet:127.0.0.1:12525
with
warn_if_reject check_policy_service inet:127.0.0.1:12525
and reload Postfix. This will then log a message to syslog whenever policyd-weight would reject a mail, without actually rejecting it.
Q: How do I debug a client, resp. see how it is being evaluated?
A: By feeding the client credentials according to the Postfix Policy Protocol. The author uses this call:
# echo "helo_name=robtone.ek-muc.de sender=test@ek-muc.de client_address=62.225.182.35 request=smtpd_access_policy " | /path/to/policyd-weight -d
which produces this text output.
Q: I have troubles getting policyd-weight to work on Solaris, logging doesn't work properly.
A: Depending on the syslog in use you may have to use the policyd-weight option:
$syslog_socktype = 'stream';
Q: Although policyd-weight starts up, Postfix doesn't seem to communicate with the policy daemon. I see syslog errors like
problem talking to server 127.0.0.1:12525: No such file or directory
A: Make sure you are using the latest version of policyd-weight, which fixes these socket related issues on Solaris.
Questions not covered by this FAQ
Q: I have other questions which this FAQ doesn't answer
A: Ok, send a mail to robtone@ek-muc.de with the subject "policyd-weight FAQ" or similar.