[vox-tech] Test/Upgrade

Rick Moen rick at linuxmafia.com
Thu Jan 10 00:24:13 PST 2019


Quoting Bill Broadley (bill at broadley.org):

> Do you really think lugod's new mail server should be some weird conglomoration of upstream source,
> and out of tree patches?
> 
> That's batshit insane in my book.

Fortunately, I nowhere suggested that.  Not intending to complain, and I
gladly acknoledge that we have the best of intentions in this
conversation and both have a sincere desire to help LUGOD, but this is
the second time consecutively that I've pointed out that Boggis's ideas
in his EximConfig tarball can and should be implemented with packaged
software only and standard sysadmin work on conffiles, etc., for
purposes of integration.

> More details below.

Apologies, good sir, but it's late, I've had a very long day and am
tired, and therefore will merely attempt in all benevolence to cut to te
chase.

Boggis's tarball (and I'll speak from memory, here, so pardon a small
amount of vagueness) is targeted primarily at Debian sysadmins and
provides directions for which Debian binary packages to installto
construct a highly effective MTA + antispam system built around the
exim4-daemon-heavy package, the sa-exim package originally written by
Marc Merlin, the spamassassin package, one or two packages related to
SPF, and optional binary-packaged components that can be included to
carry out greylisting, teergrubing (keeping records in MySQL), and
probably a couple of other optional angles I'm not quite recalling.  It
also provides a set of Exim4 conffile snippets that unpack directly into
the /etc/exim4 tree and integrate into the Debian-style many-fragments
configuration structure that Debian package devs seem to like so much
(viz.  /etc/apache2/* and all its pieces), where the intent is to ensure
smooth future upgrades of the distro packages (in this case,
exim4-daemon-heavy and sa-exim) without anything breaking, segregating
out local configuration as separate from what is replaced during
upgrade.  Likewise provided as working examples are controls exposed 
for tweaking all of this.  (See tarball contents.)

Part of what is distinctively good about the architecture Boggis
describes with the cited packages as an example is that it does most of
the heavy antispam lifting using MTA rulesets, a working Exim4 set of
which are provided.  This is critical to limiting RAM and CPU splurging,
because MTA rules are typically implemented using C code (hence small
and fast), so there's a huge amount of benefit in rejecting 95+% of
arriving spam using MTA rules before handing off the SMTP bitstream to a
ponderous, slow Perl daemon (spamd) to measure the spamicity of the
remaining 5%.  Boggis provides some truly clever MTA rules such as te
'callout' ones that test whether the delivering remote MTA is operating
in an RFC-compliant manner _prior_ to accepting the mail with 250
Accept. 

The role of sa-exim is also key in Boggis's example, in that Marc
Merlin's code enables (likewise) a consultation by the MTA to spamd to 
measure spamicity prior to the MTA deciding whether to say 250 Accept or
550 Die spammer die or 450 Please stick around while I greylist you.
Among several advantages is that this decision-making _during_ the
ongoing SMTP conversation prevents any possibility of creating
backscatter spam.

Now, the working files drop straight into Debian's _exim4_ setup,
whereas many sysadmins would prefer to use Postfix, or Courier-MTA, or
(God help you) qmail.  Fine.  This doesn't permit the drop-in
functionality the way you can just unpack the stuff Boggis intends for
the /etc/exim4 tree and have it Just Work{tm} effortlessly, _but_ all of
Boggis's excellent ideas are right there to study and implement as you
desire in whatever packaged MTA the sysadmin prefers.

More can be easily learned by having a look at Boggis's documentation
and his tarball.   (I will mention once again that the tarball is _not_
a tarball of software, but rather of MTA rules and conffile snippets,
etc.)  Or, of course, if readers already think they have the whole thing
covered and have nothing to learn from Boggis and Merlin's work, they
can bag it and do something else.

OK, then?

I'm sorry, and intend no offence, but I'm going to assume (so I can
hurry up and get to sleep) that the above covers what needs to be said,
ergo I'm not going to read the rest of your post at this time.  If
there's something significant you think I really ought to read, I would
welcome your telling me so.



More information about the vox-tech mailing list