[CentOS] postfix tightening

Craig White craigwhite at azapple.com
Fri Apr 1 21:35:14 UTC 2005


On Fri, 2005-04-01 at 16:26 -0500, Chris Mauritz wrote:
> Personally, I reject mail from any server with broken DNS.  It's 
> extremely low hanging fruit to avoid a lot of spam from zombie PCs in 
> Asia/Eastern Europe.  You also might want to consider using the various 
> freely available RBL sites to eliminate known naughty hosts/networks.  
> After mail runs this gauntlet, I pass it through CRM114 and have reduced 
> the spam that makes it to my mailbox to a couple of messages a week. 
> 
> Here's the relevant lines from my postfix config:
> 
> maps_rbl_reject_code = 571
> smtpd_helo_required = yes
> smtpd_delay_reject = no
> allow_untrusted_routing = no
> disable_vrfy_command = yes
> #
> maps_rbl_domains =
>         relays.ordb.org,
>         opm.blitzed.org,
>         list.dsbl.org,
>         sbl.spamhaus.org,
>         cbl.abuseat.org,
>         dul.dnsbl.sorbs.net
> 
> smtpd_recipient_restrictions =
>         reject_invalid_hostname,
>         reject_non_fqdn_hostname,
>         reject_non_fqdn_sender,
>         reject_non_fqdn_recipient,
>         reject_unknown_sender_domain,
>         reject_unknown_recipient_domain,
>         permit_mynetworks,
>         reject_unauth_destination,
>         reject_maps_rbl,
>         permit
> 
> smtpd_data_restrictions =
>         reject_unauth_pipelining,
>         permit
> 
> stale_lock_time = 120
> default_rbl_reply = $rbl_code Service denied; blocked
> 
----
Wow - that's a pretty impressive list - curiously, no
smtpd_helo_restrictions but I am gathering that you figure that the
smtpd restrictions would cover that.

Is the above suitable for an office mail server or is this for one
person who is less concerned about fringe stuff that may get rejected?

Craig
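
An added example, not part of either poster's message and not Postfix code: a Python check that parses the restriction lists quoted above and reports which list holds the HELO checks, which checks run before permit_mynetworks, and whether reject_unauth_destination precedes any bare permit. The names parse_main_cf, split_values and audit are hypothetical; the settings are copied from the quoted config.

```python
import re

# Restriction lists copied from the main.cf lines quoted in the post.
MAIN_CF = """\
smtpd_recipient_restrictions =
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        reject_unauth_destination,
        reject_maps_rbl,
        permit
smtpd_data_restrictions =
        reject_unauth_pipelining,
        permit
"""

# HELO-class checks under their 2005-era names and their later *_helo_* names.
HELO_RE = re.compile(r"reject_(invalid|non_fqdn|unknown)_(helo_)?hostname$")

def split_values(text):
    return [v for v in re.split(r"[,\s]+", text) if v]

def parse_main_cf(text):
    """Return {parameter: [values]}, joining main.cf continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                          # blank line or comment
        if line[0].isspace() and name:        # leading whitespace continues
            params[name] += split_values(line)
        else:
            name, _, value = (p.strip() for p in line.partition("="))
            params[name] = split_values(value)
    return params

def audit(params):
    """Locate HELO checks, pre-permit_mynetworks checks and the relay guard."""
    rcpt = params.get("smtpd_recipient_restrictions", [])
    cut = lambda name: rcpt.index(name) if name in rcpt else len(rcpt)
    helo_in = sorted(k for k, v in params.items() if k.endswith("_restrictions")
                     and any(HELO_RE.match(x) for x in v))
    # No reject_unauth_destination, or a bare "permit" before it, opens the relay.
    risky = ("reject_unauth_destination" not in rcpt
             or "permit" in rcpt[:cut("reject_unauth_destination")])
    return {"helo_checks_in": helo_in, "open_relay_risk": risky,
            "applied_to_mynetworks": rcpt[:cut("permit_mynetworks")]}
```

Postfix evaluates each list in order and stops at the first entry that matches, so every entry listed ahead of permit_mynetworks is also applied to clients inside mynetworks.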



