Re: fqrdns.pcre

From: Stan Hoeppner (stanhardwarefreak.com)
Date: Wed Dec 08 2010 - 00:52:05 CST


Paul Cartwright put forth on 12/7/2010 2:56 PM:
> On 12/07/2010 02:30 PM, Stan Hoeppner wrote:
>> Everyone's mileage varies. If you're having good results with Postgrey
>> you should try the fqrdns.pcre file that I recommended in the thread you
>> replied to. You'll likely see very quickly why greylisting is redundant
>> while using that file.
>
> I downloaded that file, fqrdns.pcre & added it to main.cf
>
> I looked up the HOW-TO on this, and see where it is added to main.cf (I
> did), but I don't see any output/error for this, how do you monitor its
> usage? Would it just give you a log entry in /var/log/maillog?

I just added installation/usage instructions to the top of the file
yesterday. As mouss stated, you'll see an entry in your mail log file
with detailed optional text, usually identifying the ISP by name.
Pflogsumm or logwatch can help you easily see what's going on with
Postfix by creating log summaries and statistics.

> this is what I added:
> smtpd_recipient_restrictions = permit_mynetworks
> permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client
> dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rhsbl_sender
> dbl.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org,
> reject_unknown_sender_domain,reject_unknown_recipient_domain,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,check_reverse_client_hostname_access
> pcre:/etc/postfix/fqrdns.pcre

You should have

check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre

as the _first_ entry after reject_unauth_destination. Why perform all
of those expensive DNS lookups if they aren't going to fire, and then
search a 1600 line PCRE table which takes a tenth of a second? Always
implement the least costly parameters first, the most costly last. The
exception to this rule is correct order processing of whitelists. They
can be more expensive, but they have to go at the top of the order.

Keep in mind the parameter you're using only works in Postfix 2.6 or
later. If you're on 2.5 or earlier, you need to use

check_client_access pcre:/etc/postfix/fqrdns.pcre

instead.

--
Stan
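
An added example (not part of the original message, and not code from the Postfix project): a small Python check that parses the quoted smtpd_recipient_restrictions value, lists the DNS-based restrictions evaluated before the fqrdns.pcre lookup, and rewrites the list with the table check directly after reject_unauth_destination, using the parameter name the message gives for each Postfix version. The function names and the grouping of restrictions as DNS-based are assumptions of this example.

```python
import re

TABLE_CHECKS = {"check_client_access", "check_reverse_client_hostname_access"}
DNSBL_CHECKS = {"reject_rbl_client", "reject_rhsbl_sender", "reject_rhsbl_helo"}
# Assumption of this example: these restrictions are answered by DNS queries.
DNS_CHECKS = DNSBL_CHECKS | {"reject_unknown_sender_domain",
                             "reject_unknown_recipient_domain"}
TAKES_ARG = TABLE_CHECKS | DNSBL_CHECKS  # these consume the next token

def parse(value):
    """Split a restriction list (commas and/or whitespace) into (name, arg)."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    out, i = [], 0
    while i < len(tokens):
        name = tokens[i]
        arg = tokens[i + 1] if name in TAKES_ARG and i + 1 < len(tokens) else None
        out.append((name, arg))
        i += 2 if arg else 1
    return out

def table_check_for(version):
    """Per the message: the reverse-hostname check needs Postfix 2.6 or later."""
    return "check_reverse_client_hostname_access" if version >= (2, 6) else "check_client_access"

def dns_checks_before_table(value, table):
    """List the DNS-based restrictions evaluated before the table lookup."""
    found = []
    for name, arg in parse(value):
        if name in TABLE_CHECKS and arg == table:
            break
        if name in DNS_CHECKS:
            found.append(f"{name} {arg}" if arg else name)
    return found

def reorder(value, table, version):
    """Put the table lookup right after reject_unauth_destination (ValueError if absent)."""
    rest = [(n, a) for n, a in parse(value)
            if not (n in TABLE_CHECKS and a == table)]
    at = [n for n, _ in rest].index("reject_unauth_destination") + 1
    rest.insert(at, (table_check_for(version), table))
    return ", ".join(f"{n} {a}" if a else n for n, a in rest)

# Restriction list from the quoted main.cf (line breaks reflowed, separators kept).
QUOTED = """permit_mynetworks permit_sasl_authenticated, reject_unauth_destination,
 reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org,
 reject_rhsbl_sender dbl.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org,
 reject_unknown_sender_domain,reject_unknown_recipient_domain, reject_non_fqdn_sender,
 reject_non_fqdn_recipient,check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre"""
TABLE = "pcre:/etc/postfix/fqrdns.pcre"
```

Calling `dns_checks_before_table(QUOTED, TABLE)` returns the six DNS-based restrictions that run ahead of the PCRE lookup in the quoted configuration; after `reorder(QUOTED, TABLE, (2, 6))` the same call returns an empty list.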