[CentOS] postfix and spam, I am impressed
Ron Loftin
reloftin at twcny.rr.com
Tue Mar 13 04:08:00 UTC 2012
On Mon, 2012-03-12 at 23:15 +0100, Patrick Lists wrote:
> On 12-03-12 22:12, Bob Hoffman wrote:
> [snip]
> > Not sure if this setup is perfect, but it is working quite well. Yes,
> > the mail takes a few seconds longer and there is probably more I could
> > do, but this ROCKS!!!
>
> Totally agree. I'm definitely not a postfix expert but below I have
> listed some rules I have in my config.
>
> > smtpd_delay_reject = yes
> > smtpd_helo_required = yes
>
> I also have:
> disable_vrfy_command = yes
> strict_rfc821_envelopes = yes
>
> > smtpd_client_restrictions = permit_mynetworks,permit
>
> In smtpd_client_restrictions I have:
>
> smtpd_client_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> reject_unknown_reverse_client_hostname,
> check_client_access pcre:/etc/postfix/dynamic_ip_client_block,
> reject_rbl_client bl.spameatingmonkey.net,
> reject_rhsbl_sender uribl.spameatingmonkey.net,
> reject_rhsbl_client uribl.spameatingmonkey.net,
> reject_rhsbl_sender urired.spameatingmonkey.net,
> reject_rhsbl_client urired.spameatingmonkey.net,
> reject_rbl_client zen.spamhaus.org
>
> The dynamic IP client list is quite effective. You can get the file:
> wget -v http://www.hardwarefreak.com/fqrdns.pcre
>
>
> > smtpd_helo_restrictions =
> > permit_mynetworks,
> > reject_non_fqdn_helo_hostname,
> > reject_invalid_helo_hostname,
> > permit
> >
> > smtpd_sender_restrictions =
> > permit_mynetworks,
> > reject_non_fqdn_sender,
> > reject_unknown_sender_domain,
> > permit
>
> In smtpd_sender_restrictions I also use
>
> reject_rhsbl_sender fresh15.spameatingmonkey.net
>
>
> > smtpd_recipient_restrictions =
> > reject_non_fqdn_recipient,
> > reject_unknown_recipient_domain,
> > permit_mynetworks,
> > permit_sasl_authenticated,
> > reject_unauth_destination,
> > reject_invalid_hostname,
> > reject_unauth_pipelining,
> > reject_rbl_client zen.spamhaus.org,
> > reject_rbl_client truncate.gbudb.net,
> > reject_rbl_client dnsbl.njabl.org
> > reject_rbl_client cbl.abuseat.org
> > reject_rbl_client bl.spamcop.net,
> > reject_rbl_client dnsbl.sorbs.net,
> > sleep 1,
> > permit
> >
> > smtpd_data_restrictions =
> > permit_mynetworks,
> > reject_multi_recipient_bounce,
> > permit
>
> Not sure if these rules are correct. I only have
>
> smtpd_data_restrictions =
> reject_unauth_pipelining
>
> On my CentOS 5 box I don't user "permit" at all.
>
> Regards,
> Patrick
> _______________________________________________
I'm going to chuck in my 2 cents worth here, as I've been using Postfix
as a first-line filter for some years now.
All of the above suggestions are very useful. The only point that I
haven't seen in this thread is that mail server/filter configs are
extremely user-dependent. I started out with some of the more
restrictive options discussed here, but I had to relax a few of them for
the client involved. It seems that they were doing business with some
folks ( both customers and suppliers ) who were using poorly-configured
mail servers, and some of the options given above can cause "legitimate"
traffic from such poorly-configured servers to be rejected.
In short, like you should do for any application, do the appropriate
research so that you UNDERSTAND what the recommended options are doing
for you ( or TO you ) and tailor your selection(s) to meet YOUR specific
needs. In the case of using Postfix to filter mail to reduce the
inbound spam to an old, feature-poor mail server, it took some research
and some experimenting with different recommendations to achieve the
solution that met the needs of a particular user community.
Like I said, this is just my $0.02 (US) worth. Enjoy. ;^>
--
Ron Loftin reloftin at twcny.rr.com
"God, root, what is difference ?" Piter from UserFriendly
More information about the CentOS
mailing list