[CentOS] postfix tightening
Chris Mauritz
chrism at imntv.com
Fri Apr 1 21:26:46 UTC 2005
Personally, I reject mail from any server with broken DNS. It's
extremely low-hanging fruit to avoid a lot of spam from zombie PCs in
Asia/Eastern Europe. You also might want to consider using the various
freely available RBL sites to eliminate known naughty hosts/networks.
After mail runs this gauntlet, I pass it through CRM114 and have reduced
the spam that makes it to my mailbox to a couple of messages a week.

Here are the relevant lines from my postfix config:

maps_rbl_reject_code = 571
smtpd_helo_required = yes
smtpd_delay_reject = no
allow_untrusted_routing = no
disable_vrfy_command = yes
#
maps_rbl_domains =
    relays.ordb.org,
    opm.blitzed.org,
    list.dsbl.org,
    sbl.spamhaus.org,
    cbl.abuseat.org,
    dul.dnsbl.sorbs.net
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    reject_maps_rbl,
    permit
smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit
stale_lock_time = 120
default_rbl_reply = $rbl_code Service denied; blocked

Good luck,
C
Craig White wrote:
>I am used to sendmail and am using Postfix now and am uncertain of some
>features. I typically would comment out the line in sendmail.mc that
>went something like 'accept unresolvable domains'
>
>I tried using
>
>smtpd_sender_restrictions =
> reject_unverified_sender
> reject_unverified_smtp
>
>and this seems a bit too restrictive and got some bounces on legitimate
>senders
>
>so I'm thinking that this is perhaps a bit more apropos...
>
>smtpd_helo_restrictions =
> permit_mynetworks,
> reject_invalid_hostname
>
>does this make sense?
>
>
>
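
An added example (not from the original post or the Postfix project): a Python lint that parses main.cf text, joining whitespace-indented continuation lines the way Postfix does, and checks that no unconditional permit comes before reject_unauth_destination in smtpd_recipient_restrictions, where the first matching restriction wins. The function names, the SAMPLE text and the finding strings are assumptions made for this illustration; the renamed-restriction table follows the Postfix documentation, and relay control is assumed to live in smtpd_recipient_restrictions as it does in the post.

```python
import re

# Legacy names from the 2005 config -> replacements in later Postfix releases.
RENAMED = {
    "reject_invalid_hostname": "reject_invalid_helo_hostname",
    "reject_non_fqdn_hostname": "reject_non_fqdn_helo_hostname",
    "reject_maps_rbl": "reject_rbl_client <zone>",
}
# Permits that only match trusted or authenticated clients.
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}

# Constructed sample: part of the post's restriction list, re-indented.
SAMPLE = """smtpd_helo_required = yes
#
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    permit_mynetworks,
    reject_unauth_destination,
    reject_maps_rbl,
    permit
"""

def parse_main_cf(text):
    """Parse main.cf text into {name: value}, joining continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a logical line
        if raw[0] in " \t" and current:
            params[current] = (params[current] + " " + raw.strip()).strip()
        elif "=" in raw:  # unindented lines without "=" are dropped here
            current, value = (part.strip() for part in raw.split("=", 1))
            params[current] = value
    return params

def lint_recipient_restrictions(params):
    """Return findings for smtpd_recipient_restrictions (first match wins)."""
    value = params.get("smtpd_recipient_restrictions", "")
    items = [i for i in re.split(r"[,\s]+", value) if i]
    if "reject_unauth_destination" not in items:
        return ["no reject_unauth_destination: relay check missing"]
    findings = []
    for item in items[: items.index("reject_unauth_destination")]:
        if item.startswith("permit") and item not in SAFE_PERMITS:
            findings.append(f"{item} precedes reject_unauth_destination")
    findings += [f"{i} is a legacy name; use {RENAMED[i]}" for i in items if i in RENAMED]
    return findings

if __name__ == "__main__":
    print("\n".join(lint_recipient_restrictions(parse_main_cf(SAMPLE))))
```

Feeding the same text with the indentation stripped yields the missing-relay-check finding, because the restriction names no longer attach to their parameter.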