Fedora Core 2 wishlists

Chris Adams cmadams at hiwaay.net
Wed Dec 10 16:37:50 UTC 2003


Once upon a time, Chris Ricker <kaboom at gatech.edu> said:
> Okay. Postfix certainly doesn't support milter, though the equivalent can be
> done other ways. There have been noises about writing a milter-compatible
> extension to Postfix, but AFAIK no one's scratched that itch b/c so far it's
> just been easier to do things Postfix-style instead....

I've seen people talk about it a few times, but nobody has ever done it
(and I don't have the time to investigate it or do it myself).

> > Also, I have some heavily tuned custom configs.  Can postfix allow
> > multiple DNSBLs to be merged into one (with different response code) to
> > cut down on DNS requests, and allow some to reject before RCPT TO and
> > some after?
> 
> Assuming I'm following how you're doing this, yes.

What I do is this: to reduce DNS lookups and improve DNSBL performance,
I use rbldnsd (which would be a nice addition to FC, but I guess is more
of an Extras kind of thing).  I merge all the DNSBLs I use into one zone
(we do some type of zone transfer for all of them), with a different IP
returned for each zone (i.e. an IP in the MAPS RBL returns 127.0.0.2, an
IP in the MAPS DUL returns 127.0.0.3, etc.).  That way sendmail only has
to do one DNS lookup to get DNSBL information.

I also wrote a patch to the sendmail DNS map that allows it to use a
different set of nameservers for a DNS map, so sendmail doesn't even
talk to the normal nameservers for DNSBL info (this has been submitted
to sendmail, so hopefully it will show up in a future release).

I use sendmail's delay_checks feature so that not all addresses get spam
checking (postmaster and abuse don't for example), but I'm switching the
primary MXes to have some DNSBLs reject for all addresses (so virus
infected cable modem computers spewing spam get rejected sooner to lower
the load on the primaries; this will block postmaster and abuse on the
primaries but I won't do this on secondary MXes).

> Not that are as usable and any more secure. SSH alternatives that are open 
> source are worse than OpenSSH. Other web servers don't support all the 
> modules Apache does....

My point is that postfix is also not necessarily as usable as sendmail,
and I think sendmail's security is just about as good as anyone else's
these days.
-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
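
The merged-zone lookup and per-recipient policy described in the message above, as an added example that is not part of the original post or of sendmail. The zone name, the choice of which list rejects for all recipients on a primary MX, and the offline resolver with its sample data are assumptions made for illustration.

```python
import ipaddress

ZONE = "dnsbl.example.invalid"          # hypothetical merged zone name
CODES = {"127.0.0.2": "MAPS RBL",       # return codes as given in the post
         "127.0.0.3": "MAPS DUL"}
REJECT_ALL_ON_PRIMARY = {"MAPS DUL"}    # assumption: the post does not say which lists
EXEMPT_LOCALPARTS = {"postmaster", "abuse"}

# Constructed sample zone data (documentation-range addresses), standing in for DNS.
SAMPLE_ZONE = {
    "10.2.0.192." + ZONE: ["127.0.0.2"],
    "20.2.0.192." + ZONE: ["127.0.0.3"],
    "30.2.0.192." + ZONE: ["127.0.0.2", "127.0.0.3"],
}

def sample_resolve(name):
    """Offline stand-in for an A-record lookup; an empty list means NXDOMAIN."""
    return SAMPLE_ZONE.get(name, [])

def query_name(client_ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone, as DNSBL lookups do."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def lists_for(client_ip, resolve=sample_resolve):
    """One lookup; each A record returned names one source list."""
    answers = resolve(query_name(client_ip))
    # Unknown return codes are ignored rather than treated as a listing.
    return sorted(CODES[a] for a in answers if a in CODES)

def decide(client_ip, rcpt, primary_mx, resolve=sample_resolve):
    """Return (action, matched_lists) for one recipient."""
    hits = lists_for(client_ip, resolve)
    if not hits:
        return "accept", hits
    if primary_mx and REJECT_ALL_ON_PRIMARY.intersection(hits):
        return "reject", hits            # rejected for every recipient
    if rcpt.split("@", 1)[0].lower() in EXEMPT_LOCALPARTS:
        return "accept", hits            # exempt recipients skip the spam check
    return "reject", hits
```
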




