#haraka

anyone have a recommended DNSBL zone list to use?

if you used only one, barracudacentral

out of these, it has the most hits *and* fewest false positives: b.barracudacentral.org, truncate.gbudb.net, cbl.abuseat.org, psbl.surriel.com, bl.spamcop.net, dnsbl-1.uceprotect.net, pbl.spamhaus.org, xbl.spamhaus.org, dnsbl.sorbs.net

yeah i am using that and zen.spamhaus.org

yeah, zen is good too

weir, my early_talker isn' working

I have it disabled right now, something about it is broken

ohh, thats a shame

fixed it :-)

yeah?

it won't run if you are relaying

which i am doing

that's reasonable enough...

it only does it for the DATA command, i am thinking of having it for every command

to really piss of the spammers

the reason not to do that is PIPELINING

true

maybe just the help and then the data one would be okay then

do you see any problems with having a 10sec delay for help and data?

helo*

nope, I often do

that's what karma's tarpit feature does

the poorer quality the connection, the longer it takes

high quality connections fly through with no delays

actually i am going to do connect and data

so they get no response for 10d, more likelyy to stop spam say

10s

tarpits (connections that take > 1 minute) combined with connection limits (1 concurrent connection per bad IP) really helps limit how much spam gets through for "warm" IPs that are starting their spam runs and aren't DNSBL listed yet

that karma looks complicated

somewhat...

at it's heart, it's merely a scoring engine.

the complicated part is figuring out what tokens in the message / connection are the most reliable spam indicators

and then assigning them appropriate scores

after that, it's all easy peasy.

not sure how to use it with my custom plugins

with karma, no other plugins are allowed to block the connection

other plugins save their results, and the results are scored by karma

i have a custom plugins tho that send deny replies

so your saying i can't do that

sure you can

that's a "general" rule

karma has a deny_excludes section

because normally it "catches" deny attempts

so you can let your custom deny do its thing

At some point I'll have my own custom deny plugin as well

that links to https://mail.theartfarm.com/haraka/ -> Why Blocked

okay, so i add my custom deny plugins to the exclude list

yup

and i enable all these other check plugins that karma uses

right, with deny=false settings, where the plugins have them

most do, b/c I added them.

do i have to pass anything special from my plugins to the notes?

you do if you want karma to score stuff from it

and it has to run of a redis server

never setup one of those before

It's very easy

hmm, because i have 3 receiving mail servers. i wonder if okay to run each karma on it's own redis server

you can, but I'd point 'em all at the same one

redis is very fast (~50,000 qps)

but what if reds server goes down. what does karma do then?

there's no backup redis yet. Hasn't been a need yet.

it'll probably happen when I want to use redis in cluster mode

with automatic failover

On a dozen servers with karma, I've had exactly one issue (server in TX lost power during the flooding)

i have mail servers in different countries so i am a bit worried if the connection to the reds can't be made

on that one, Redis db was corrupted by power outage. Easy, delete the DB and restart.

then have local redis on each host

yeah, i think thats going to be the best option

Redis works splendidly locally, but I'm still eying this for the future: http://redis.io/topics/cluster-tutorial

looks good

so you just install it and wolf

no need to setup tables or anything

right

what I really wish was that Redis Cluster was more like Elasticsearch: write to any Redis server, data is automatically sharded across servers, connect/read from any server, and the ability to lose any server without data loss because there's always a copy on another server.

yeah that would be nice

kinda what i have with mariadb

yeah, with master-master replication?

that works really well, except when replication breaks

using galleria cluster

ah yes: synchronous multi-master

what version of redis you using?

same as mysql master-master

heh, don't know. I'd just grab the latest

in my case: pkg install redis

yum is only giving me 2.4 for some reason

that'll be fine

ultimatt: get a signed cert for the hostname of the haraka server and put it and key file in /usr/local/haraka/config/

correct?

yes

how to tell if the cert is good?

connect to it

i mean apachectl for example will choke if not good

ok

so will haraka if format is wrong

i have to find that connect command

after putting files there.. /usr/local/etc/rc.d/haraka restart

no issues

ok connected with openssl s_client -connect host.domain.tld:993 but how to tell if that cert is good?

Verify return code: 18 (self signed certificate) ???

i put valid cert there

not self signed

hmmm, how would karma go with my grey listing plugin i wonder

you'll want to let greylist denysoft to pass

(add to exclude list)

although, karma lets temp deny pass by default

so come to think of it, you shouldn't need to do anythign

does karma have a list i can add an ip to ignore. my haproxy ip

it does not

karma scores based on other plugins

...mostly

hmmm changed the delay=5 but didn't seem to delay it

i think i still want to delay even known good clients

edit exports.apply_tarpit

and add: 'return 5;' at the top of it

actualy, add that after the utils.in_array line

else you'll have issues

sorry: plugin.tarpit_delay

that's the one you want to add that line to the top of, it determines how long to wait

in karma.js ?

yes

i must have an older version then

then it won't take karma score into account

maybe...

if you're running the latest Haraka version, certainly

grab the latest from master

it's also simpler

:-)

all good, i changed the code in my version :-)

ahh tarpit does every reply hammy

so please correct me on this

...

if i have a plugin.... nywhitelistplugin

and that plug passes next()

and then in karma under awards. i put a rule...

nywhitelistplugin = 5

nothing

nywhitelistplugin has to save some data somewhere

either in result_store (connection.results.add(plugin, { fail: 'oops, failed test' });

or in connection/transaction note: connection.notes.nywhitelistplugin.argggg=yes

i getca

and then, in karma.ini, you have a match rule that assigns karma points

notes.nywhitelistplugin.argggg=yes = -3 if equals

or

results.fail.oops = -3 if match