IETF Logo Mail Archive

Re: [ietf-smtp] [Emailcore] Status of Greylisting (i'd wish MessageID were part of SMTP prologue)

Steffen Nurpmeso <steffen@sdaoden.eu> Sat, 08 January 2022 22:37 UTC

Return-Path: <steffen@sdaoden.eu>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E8543A0ADF for <ietf-smtp@ietfa.amsl.com>; Sat, 8 Jan 2022 14:37:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FLk35kx5-oh4 for <ietf-smtp@ietfa.amsl.com>; Sat, 8 Jan 2022 14:37:50 -0800 (PST)
Received: from sdaoden.eu (sdaoden.eu [217.144.132.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 720333A0AD8 for <ietf-smtp@ietf.org>; Sat, 8 Jan 2022 14:37:49 -0800 (PST)
Received: from kent.sdaoden.eu (kent.sdaoden.eu [10.5.0.2]) by sdaoden.eu (Postfix) with ESMTPS id 4B22116057; Sat, 8 Jan 2022 23:37:46 +0100 (CET)
Received: by kent.sdaoden.eu (Postfix, from userid 1000) id CA6A62C35; Sat, 8 Jan 2022 23:37:43 +0100 (CET)
Date: Sat, 08 Jan 2022 23:37:43 +0100
Author: Steffen Nurpmeso <steffen@sdaoden.eu>
From: Steffen Nurpmeso <steffen@sdaoden.eu>
To: ietf-smtp@ietf.org
Message-ID: <20220108223743.3556w%steffen@sdaoden.eu>
In-Reply-To: <20220108212708.6C5A23472A52@ary.qy>
References: <20220108212708.6C5A23472A52@ary.qy>
Mail-Followup-To: ietf-smtp@ietf.org
User-Agent: s-nail v14.9.23-206-gfff8ce373d
OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD; url=https://ftp.sdaoden.eu/steffen.asc; preference=signencrypt
BlahBlahBlah: Any stupid boy can crush a beetle. But all the professors in the world can make no bugs.
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/_wRxxCcwMA4KHZ6jXNNTS2T_1rg>
Subject: Re: [ietf-smtp] [Emailcore] Status of Greylisting (i'd wish MessageID were part of SMTP prologue)
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Jan 2022 22:37:56 -0000

John Levine wrote in
 <20220108212708.6C5A23472A52@ary.qy>:
 |It appears that Steffen Nurpmeso  <steffen@sdaoden.eu> said:
 |>I am only implementing a greylisting daemon, a standardized
 |>anti-spam aka anti-abuse policy, then further hopefully next week, ...
 |
 |Everyone I know who does greylisting with Postfix uses Postgrey,
 |available here:
 |
 |https://postgrey.schweikert.ch/
 |
 |Are you sure you need to reinvent this particular wheel?

Well, the answer is a bit lengthy, i know this software, and
i have perl on my server at the moment.  (Ever since lighttpd
suddenly stopped creating cgit output, and on the cgit list then
was no support at all even though maintainer of lighttpd correctly
pointed out that failing a sendfile(2) should be covered as per
"Applications may wish to fall back to read(2)/write(2) in the
case where sendfile() fails with EINVAL or ENOSYS", but the
provided patch did not even get a response ... the maintainer
as a kernel guru in some sense of guru seems to have known it is
a kernel bug, but no report was given to the kernel people until
someone finally stepped up .. anyhow it took months before the
very combination Linux / lighttpd / cgit resumed normal operation
without local effort, and one day i was no longer willing to and
fell back to gitweb that ships with git anyhow, .. which requires
perl.)

So that postgrey uses perl would be ok even though it uses quite
a bit of modules.  It uses BerkeleyDB, which is no longer free
software, version 5.3.28 is, aka
  Berkeley DB 11g Release 2, library version 11.2.5.3.28:
  (September 9, 2013)
as via [1], which is quite old.  But ok.  It however seems to use
what i call "[Chris ]Torek Hash", which faded a bit to grey when
facing possible real world attacks me thinks.  It is also very big
and slow, and imposes expensive locking.

  [1] http://www.oracle.com/technetwork/database/database-technologies/berkeleydb/

As an effort to restrict all my (easy non-SQL, and only those here
right now) DB use cases to only LMDB of the OpenLDAP project for
example i wrote an accepted patch for bogofilter(1) in 2018, and
by then these were the numbers

  | |> it is very small (the raw AlpineLinux code package is 90KB,
  | |> whereas DB is 1.6MB; the cloned repo is 1.2MB, whereas the 5.3.28
  | |> DB tar ball unpacked in git is 31MB), and the code is also open
  | |> and openly maintained.  And Postfix supports LMDB as a replacement
  | |> for DB out of the box, too.  All this is very desirable to me.
  | |
  | |Repo size of a support library isn't normally a relevant metric, but
  | |this is a valid point, as is its license:
  | |
  | |   text          data     bss     dec     hex filename
  | |  80510          1504       8   82022   14066 /usr/lib64/liblmdb.so
  |
  |Runtime is much smaller here, too:
  |
  |  #?0[steffen@essex nail.git]$ size /usr/lib/liblmdb.so
  |     text    data     bss     dec     hex filename
  |    69680    1344      80   71104   115c0 /usr/lib/liblmdb.so
  |  #?0[steffen@essex nail.git]$ size /usr/lib/libdb.so
  |     text    data     bss     dec     hex filename
  |  1549515   38744      64 1588323  183c63 /usr/lib/libdb.so

(It does not support VACUUM or any such, therefore i dump-out and
recreate these DBs in such heavy use cases once a month
.. automatically.)  Very, very fast and minimal overhead.

But in fact all this is part of an effort to replace the
end-of-life Python2 Mailman2 with something homegrown.
I initially planned to use the policy server to whitelist
subscribers fast, for example.  That it also should do regular
greylisting was not the first use case.  However, in the meantime
i added regular use cases for a postfix configuration

   check_sender_access lmdb:/etc/postfix-lmdb/sender_access,

before the envisioned check_policy_service, which made this less
desirable, because LMDB uses fast read/write locks (or what i do
not like, "robust" mutexes) if available, and then even very fast
unix(7) communication will likely be outperformed.
However, maybe that will be replaced by whitelist on the policy
server side (again).
It will use SipHash for its all-in-memory dictionaries.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

v2.23.0 | Report a Bug | By Email