[CentOS] postfix and spam, I am impressed

Patrick Lists centos-list at puzzled.xs4all.nl
Mon Mar 12 18:15:45 EDT 2012


On 12-03-12 22:12, Bob Hoffman wrote:
[snip]
> Not sure if this setup is perfect, but it is working quite well. Yes,
> the mail takes a few seconds longer and there is probably more I could
> do, but this ROCKS!!!

Totally agree. I'm definitely not a postfix expert but below I have 
listed some rules I have in my config.

> smtpd_delay_reject = yes
> smtpd_helo_required = yes

I also have:
disable_vrfy_command = yes
strict_rfc821_envelopes = yes

> smtpd_client_restrictions = permit_mynetworks,permit

In smtpd_client_restrictions I have:

smtpd_client_restrictions =
	permit_mynetworks,
	permit_sasl_authenticated,
	reject_unknown_reverse_client_hostname,
	check_client_access pcre:/etc/postfix/dynamic_ip_client_block,
	reject_rbl_client bl.spameatingmonkey.net,
	reject_rhsbl_sender uribl.spameatingmonkey.net,
	reject_rhsbl_client uribl.spameatingmonkey.net,
	reject_rhsbl_sender urired.spameatingmonkey.net,
	reject_rhsbl_client urired.spameatingmonkey.net,
	reject_rbl_client zen.spamhaus.org

The dynamic IP client list is quite effective. You can get the file:
wget -v http://www.hardwarefreak.com/fqrdns.pcre


> smtpd_helo_restrictions =
>       permit_mynetworks,
>       reject_non_fqdn_helo_hostname,
>       reject_invalid_helo_hostname,
>       permit
>
> smtpd_sender_restrictions =
>       permit_mynetworks,
>       reject_non_fqdn_sender,
>       reject_unknown_sender_domain,
>       permit

In smtpd_sender_restrictions I also use

	reject_rhsbl_sender fresh15.spameatingmonkey.net


> smtpd_recipient_restrictions =
>       reject_non_fqdn_recipient,
>       reject_unknown_recipient_domain,
>       permit_mynetworks,
>       permit_sasl_authenticated,
>       reject_unauth_destination,
>       reject_invalid_hostname,
>       reject_unauth_pipelining,
>       reject_rbl_client zen.spamhaus.org,
>       reject_rbl_client truncate.gbudb.net,
>       reject_rbl_client dnsbl.njabl.org
>       reject_rbl_client cbl.abuseat.org
>       reject_rbl_client bl.spamcop.net,
>       reject_rbl_client dnsbl.sorbs.net,
>       sleep 1,
>        permit
>
> smtpd_data_restrictions =
>        permit_mynetworks,
>        reject_multi_recipient_bounce,
>       permit

Not sure if these rules are correct. I only have

smtpd_data_restrictions =
	reject_unauth_pipelining

On my CentOS 5 box I don't use "permit" at all.

Regards,
Patrick
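
Added example, not part of the original post: a Python check that parses the smtpd_*_restrictions lists discussed in this thread and reports where a bare "permit" sits. Postfix evaluates each list in order and stops at the first match, so a trailing "permit" only makes the default explicit, while a "permit" placed earlier hides every rule after it. The function names and the sample text are assumptions made for this illustration.

```python
import re

# Restrictions that take the following token as their argument.
TAKES_ARG = re.compile(r"(check_\w+_access|reject_rbl_client|reject_rhsbl_\w+|sleep)")

# Constructed sample: settings quoted in the thread, joined into one main.cf-style text.
SAMPLE = """\
smtpd_client_restrictions = permit_mynetworks,permit
smtpd_recipient_restrictions =
      permit_mynetworks,
      reject_unauth_destination,
      reject_rbl_client zen.spamhaus.org,
      reject_rbl_client dnsbl.njabl.org
      sleep 1,
      permit
smtpd_data_restrictions =
      reject_unauth_pipelining
"""

def parse_restrictions(text):
    """Return {parameter: [restriction, ...]} for every smtpd_*_restrictions list."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    joined = re.sub(r"\n\s+", " ", "\n".join(lines))      # fold continuation lines
    lists = {}
    for entry in joined.splitlines():
        name, _, value = (p.strip() for p in entry.partition("="))
        if not re.fullmatch(r"smtpd_\w+_restrictions", name):
            continue
        tokens = [t for t in re.split(r"[,\s]+", value) if t]  # commas or whitespace
        items, i = [], 0
        while i < len(tokens):
            width = 2 if TAKES_ARG.fullmatch(tokens[i]) and i + 1 < len(tokens) else 1
            items.append(" ".join(tokens[i:i + width]))
            i += width
        lists[name] = items
    return lists

def audit(text):
    """Flag each bare `permit`: last in its list (explicit default) or hiding later rules."""
    findings = []
    for name, items in parse_restrictions(text).items():
        if "permit" in items:
            dead = items[items.index("permit") + 1:]
            findings.append((name, "unreachable" if dead else "explicit-default", dead))
    return findings

def dnsbl_zones(text):
    """DNSBL/RHSBL zones queried across all lists, de-duplicated in order of first use."""
    items = [i for lst in parse_restrictions(text).values() for i in lst]
    return list(dict.fromkeys(i.split()[1] for i in items if re.match(r"reject_r(hs)?bl_\w+ ", i)))
```

Run audit() on the real file with audit(open("/etc/postfix/main.cf").read()); the length of dnsbl_zones() is the number of distinct blocklist zones the configuration can query for one connection.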

