[pmg-devel] [RFC pmg-api/docs] minimal before queue filtering support
Stoiko Ivanov
s.ivanov at proxmox.com
Tue Nov 12 15:35:09 CET 2019
On Tue, 12 Nov 2019 15:16:09 +0100
Stoiko Ivanov <s.ivanov at proxmox.com> wrote:
> This patchset should eventually address a very often asked-for feature for PMG:
> before-queue filtering (apart from 1/4 for pmg-api, which is a tiny nit I
> caught by accident).
>
> Technically the work follows the postfix before queue content filtering howto
> [0], which makes it possible to scan before-queue without the need to implement
> a dedicated milter-protocol.
>
> pmg-smtp-filter (rather PMG::SMTP) already had a currently unused branch for
> handling SMTP connections (the current after-queue solution uses LMTP), which
> only needed a slight adaptation.
>
> Handling mails with single recepients now should work without any problems:
>
> * if the result of the rule-system is 'Block' pmg-smtp-filter rejects the mail
> with '554 5.7.1 Rejected for policy reasons' (the same response code
> postscreen uses for rbl-hits)
>
> * if the result is either 'Accept' or 'Quarantine' pmg-smtp-filter accepts the
> mail
>
> * if there's a problem in handing the mail back to postfix (10025) then the
> response is a temporary failure
>
> The situation is slightly more complicated (I'd say a general thing with SMTP)
> if one mail is to be delivered to multiple recepients:
>
> * if the rule-system 'Blocks' the mail for all recepients - the mail gets
> rejected (with 554)
>
> * if at least one recepient accepts the mail pmg-smtp-filter returns 250.
> Additionally in order to be compliant with the requirement some users have
> of never dropping mail, without notification, a bounce-message (NDR) is
> generated for all users, which 'Blocked' the message (if any).
> The sending of the NDR can be configured with a flag in pmg.conf (as can the
> activiation of before queue filtering).
> The different result for multiple users can probably happen in the default
> ruleset of PMG (by the User Black/Whitelist), or by (probably too) complicated
> rulesets.
>
> Given that the smtpd_proxy_filter is called quite late by the postfix pipeline
> PMG still profits from the protections by postscreen, the pmgpolicy service
> (greylisting, hard SPF evaluation).
>
> Things still missing in the RFC:
> * the bounces generated are not yet adapted to RFC 6533 (internationalized
> bounces when announcing SMTPUTF8 extension)
Forgot to mention that the log-tracker (and thus the tracking center) would
also need some adaptation (seems the match between postfix/qmgr and the initial
pmg-smtp-filter message is not working with the different logs from postfix
(there is no line with the message-id from qmgr)
However I would suggest to tackle that once the logtracker series from Mira is
accepted.
>
> Preliminary Tests:
> Given that replacing the postfix smtpd (and its queue) on the front-line by
> pmg-smtp-filter (which is not the fastest, since it does quite a lot (mostly
> run spamassassin analyze)) will have some effect on the behavior of the system
> I tried running 2 test-scenarios:
> * use 'postal' [1] for benchmarking:
> ** setup: `timeout 2m postal -M 25 -m 500 -t 10 -c 50 -f senders <pmg-ip> recepients`
> (run 10 threads each sending 50 mails before opening a new connection
> sending random text (short of the minimal set of headers) between 25k and
> 500k)
> ** the random data seems to be (probably not too much of a surprise) a rather
> bad case scenario for SpamAssassin (many complicated regex-matches for
> mail-text) - the processing time per mail was on average between 10s and
> 120s (99.99 % due to spamassassin)
> ** the throughput (mails actually going out of pmg) is roughly the same between
> before and after queue filtering
> ** with after-queue filtering 'postal' was (of course) able to deliver far
> more mails to PMG (2.5k in 120 seconds) - they were queued by postfix and
> would have been eventually delivered, but the output of PMG was the same
> (around 30-45)
>
> * queue up 3x500 mails (2 rather small testmails and 1 350k mail)
> in a postfix-queue (on a separate host while postfix is not running) and
> start postfix (the runtimes for analyzing these mails is far closer to what
> we see in production (<1s - 3s (the large mail))
> ** with this test-set the queue in the original postfix got emptied within
> 3 minutes (yielding about 8.3 mails/second on my test-installation)
>
>
> While looking around the extremely long time spamassassin took for the random
> data mails - I tried to precompile the spamassassin rules with sa-compile [2].
> Result:
> * on the random data quite a speedup was achieved (115 vs 45)
> * on the 3x500 the processing time did not change too much (if noticeable at
> all).
>
>
> Would be very grateful for feedback (especially suggestions for further testing
> which would make sense)
>
> [0] http://www.postfix.org/SMTPD_PROXY_README.html
> [1] https://esmtp.email/blog/2017/11/04/postal-benchmark/
> [2] https://cwiki.apache.org/confluence/display/spamassassin/FasterPerformance
>
> pmg-api:
> Stoiko Ivanov (4):
> add missing use MIME::Entity in PMG::Utils
> PMG::Config: refactor dns info collection
> add generate_ndr to PMG::SMTP
> add support for before queue filtering
>
> src/PMG/Config.pm | 42 +++++++++++++++----
> src/PMG/SMTP.pm | 85 ++++++++++++++++++++++++++++++++++----
> src/PMG/Utils.pm | 1 +
> src/templates/master.cf.in | 14 +++++++
> 4 files changed, 124 insertions(+), 18 deletions(-)
>
> pmg-docs:
> Stoiko Ivanov (1):
> add before_queue params to gen-pmg.conf.5.-opts.pl
>
> gen-pmg.conf.5-opts.pl | 2 ++
> 1 file changed, 2 insertions(+)
>
More information about the pmg-devel
mailing list