[CentOS] postfix tightening

Chris Mauritz chrism at imntv.com
Fri Apr 1 21:26:46 UTC 2005


Personally, I reject mail from any server with broken DNS.  It's 
extremely low-hanging fruit to avoid a lot of spam from zombie PCs in 
Asia/Eastern Europe.  You also might want to consider using the various 
freely available RBL sites to eliminate known naughty hosts/networks.  
After mail runs this gauntlet, I pass it through CRM114 and have reduced 
the spam that makes it to my mailbox to a couple of messages a week. 

Here are the relevant lines from my postfix config:

maps_rbl_reject_code = 571
smtpd_helo_required = yes
smtpd_delay_reject = no
allow_untrusted_routing = no
disable_vrfy_command = yes
#
maps_rbl_domains =
        relays.ordb.org,
        opm.blitzed.org,
        list.dsbl.org,
        sbl.spamhaus.org,
        cbl.abuseat.org,
        dul.dnsbl.sorbs.net

smtpd_recipient_restrictions =
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        reject_unauth_destination,
        reject_maps_rbl,
        permit

smtpd_data_restrictions =
        reject_unauth_pipelining,
        permit

stale_lock_time = 120
default_rbl_reply = $rbl_code Service denied; blocked

Good luck,

C

Craig White wrote:

>I am used to sendmail and am using Postfix now and am uncertain of some
>features. I typically would comment out the line in sendmail.mc that
>went something like 'accept unresolvable domains'
>
>I tried using
>
>smtpd_sender_restrictions =
>       reject_unverified_sender
>       reject_unverified_smtp
>
>and this seems a bit too restrictive and got some bounces on legitimate
>senders
>
>so I'm thinking that this is perhaps a bit more apropos...
>
>smtpd_helo_restrictions = 
>	permit_mynetworks,
>	reject_invalid_hostname
>
>does this make sense?
>
>  
>
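
What the reject_maps_rbl step in the configuration above amounts to on the wire, as an added example that is not part of the original message: the client address is reversed, prepended to each zone in maps_rbl_domains, and looked up as an A record. The function names, the 127.0.0.0/8 filter and the sample answers are assumptions of this example; the resolver is injectable so the block runs offline.

```python
import ipaddress
import socket

# Zones and reply settings copied from the Postfix configuration above.
ZONES = ["relays.ordb.org", "opm.blitzed.org", "list.dsbl.org",
         "sbl.spamhaus.org", "cbl.abuseat.org", "dul.dnsbl.sorbs.net"]
REJECT_CODE = 571                       # maps_rbl_reject_code
REPLY_TEXT = "Service denied; blocked"  # default_rbl_reply after $rbl_code
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(client_ip, zone):
    """Query name for a DNSBL: reversed address labels followed by the zone."""
    pointer = ipaddress.ip_address(client_ip).reverse_pointer
    # '99.2.0.192.in-addr.arpa' -> '99.2.0.192' (also strips 'ip6.arpa')
    return pointer.rsplit(".", 2)[0] + "." + zone

def system_resolver(name):
    """A records for name via the system resolver; [] when none exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_client(client_ip, zones=ZONES, resolve=system_resolver):
    """Return (zone, answers) for the first zone listing client_ip, else None."""
    for zone in zones:
        answers = resolve(dnsbl_name(client_ip, zone))
        # Assumption of this example: only 127.0.0.0/8 answers count as a listing.
        hits = [a for a in answers if ipaddress.ip_address(a) in LISTED_NET]
        if hits:
            return zone, hits
    return None

def smtp_reply(listing):
    """SMTP reply built from the settings above for a listed client."""
    return f"{REJECT_CODE} {REPLY_TEXT}" if listing else None

# Constructed sample data (documentation addresses, not real listings).
SAMPLE_ANSWERS = {"99.2.0.192.cbl.abuseat.org": ["127.0.0.2"],
                  "10.2.0.192.sbl.spamhaus.org": ["203.0.113.7"]}

def fake_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.99", "192.0.2.10", "192.0.2.1"):
        listing = check_client(ip, resolve=fake_resolver)
        print(ip, listing, smtp_reply(listing))
```

Zones are tried in the configured order and the first listing wins, so each listed client costs at most one DNS query per zone up to the match.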



