From: Pandu Poluan
To: gentoo-user@lists.gentoo.org
Date: Sun, 4 Dec 2011 15:27:57 +0700
Subject: Re: [gentoo-user] clamav and spamassassin

On Dec 4, 2011 10:10 AM, "Michael Orlitzky" wrote:
>
> On 12/03/2011 09:48 PM, Pandu Poluan wrote:
>>
>> Thanks! Very helpful resources.
>>
>> You mentioned amavisd-new. What's their relationship? I mean, if I
>> deploy postscreen, how will it affect amavisd-new?
>>
>
> Postscreen sits in front of smtpd, and handles all incoming connections. It hands the "good" connections off to the real smtpd daemon. Amavisd-new (in both before/after-queue configurations) interacts with the real smtpd, so postscreen doesn't directly affect it at all.
>
> What was I talking about?
>
> With amavisd-new, a before-queue filter is generally nicer, because you can reject spam, notifying the sender, rather than discarding it or backscattering. But, amavisd-new is a hog, and with a before-queue filter, an amavis process gets used every time ANY connection is made. Since 95% of your connections will be crap (that is a technical term), you waste tons of resources creating/killing amavisd-new processes for botnets and other scum that will be rejected quickly.
>
> On a busy server, it will kill you.
>
> Postscreen only passes the "good" connections to a real smtpd, so with postscreen running, new amavis processes only get used for those good connections. If postscreen can reject 90% of the incoming connections, you'll use an order of magnitude less resources doing before-queue filtering than you would without postscreen.
>
> So, in essence, postscreen is what allows you to run the before-queue filter with comparable resources to the after-queue filter.
>

Thanks for all the information. You really should write a wiki.g.o article about the new setup :-)

Rgds,


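
The layout described in the quoted reply, as an added example that is not part of the original thread: a Postfix master.cf sketch with postscreen on port 25 and amavisd-new as a before-queue filter. The amavisd-new ports (10024 to accept, 10025 to re-inject) and the process limit of 10 are assumptions.

```conf
# /etc/postfix/master.cf (added example; ports and limits are assumptions)

# postscreen owns port 25 and screens every incoming connection.
# It runs as a single process (maxproc = 1), so clients it rejects
# never cost an smtpd or an amavisd-new process. What it rejects is
# decided in main.cf (e.g. postscreen_greet_action, postscreen_dnsbl_sites).
smtp      inet  n       -       n       -       1       postscreen

# The real smtpd only receives connections that postscreen hands over.
# It proxies each session to amavisd-new before the mail is queued, so
# spam is rejected during the SMTP dialogue instead of being discarded
# or bounced later. Keep maxproc (10 here) at or below amavisd-new's
# $max_servers so every smtpd can get a filter process.
smtpd     pass  -       -       n       -       10      smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024

# Helper services postscreen uses for DNSBL lookups and STARTTLS.
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy

# Re-injection listener: amavisd-new hands accepted mail back here.
# Loopback only, and no second pass through the filter.
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o smtpd_proxy_filter=
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks
```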