[CentOS] postfix and spam, I am impressed

Ron Loftin reloftin at twcny.rr.com
Tue Mar 13 00:08:00 EDT 2012


On Mon, 2012-03-12 at 23:15 +0100, Patrick Lists wrote:
> On 12-03-12 22:12, Bob Hoffman wrote:
> [snip]
> > Not sure if this setup is perfect, but it is working quite well. Yes,
> > the mail takes a few seconds longer and there is probably more I could
> > do, but this ROCKS!!!
> 
> Totally agree. I'm definitely not a postfix expert but below I have 
> listed some rules I have in my config.
> 
> > smtpd_delay_reject = yes
> > smtpd_helo_required = yes
> 
> I also have:
> disable_vrfy_command = yes
> strict_rfc821_envelopes = yes
> 
> > smtpd_client_restrictions = permit_mynetworks,permit
> 
> In smtpd_client_restrictions I have:
> 
> smtpd_client_restrictions =
> 	permit_mynetworks,
> 	permit_sasl_authenticated,
> 	reject_unknown_reverse_client_hostname,
> 	check_client_access pcre:/etc/postfix/dynamic_ip_client_block,
> 	reject_rbl_client bl.spameatingmonkey.net,
> 	reject_rhsbl_sender uribl.spameatingmonkey.net,
> 	reject_rhsbl_client uribl.spameatingmonkey.net,
> 	reject_rhsbl_sender urired.spameatingmonkey.net,
> 	reject_rhsbl_client urired.spameatingmonkey.net,
> 	reject_rbl_client zen.spamhaus.org
> 
> The dynamic IP client list is quite effective. You can get the file:
> wget -v http://www.hardwarefreak.com/fqrdns.pcre
> 
> 
> > smtpd_helo_restrictions =
> >       permit_mynetworks,
> >       reject_non_fqdn_helo_hostname,
> >       reject_invalid_helo_hostname,
> >       permit
> >
> > smtpd_sender_restrictions =
> >       permit_mynetworks,
> >       reject_non_fqdn_sender,
> >       reject_unknown_sender_domain,
> >       permit
> 
> In smtpd_sender_restrictions I also use
> 
> 	reject_rhsbl_sender fresh15.spameatingmonkey.net
> 
> 
> > smtpd_recipient_restrictions =
> >       reject_non_fqdn_recipient,
> >       reject_unknown_recipient_domain,
> >       permit_mynetworks,
> >       permit_sasl_authenticated,
> >       reject_unauth_destination,
> >       reject_invalid_hostname,
> >       reject_unauth_pipelining,
> >       reject_rbl_client zen.spamhaus.org,
> >       reject_rbl_client truncate.gbudb.net,
> >       reject_rbl_client dnsbl.njabl.org
> >       reject_rbl_client cbl.abuseat.org
> >       reject_rbl_client bl.spamcop.net,
> >       reject_rbl_client dnsbl.sorbs.net,
> >       sleep 1,
> >        permit
> >
> > smtpd_data_restrictions =
> >        permit_mynetworks,
> >        reject_multi_recipient_bounce,
> >       permit
> 
> Not sure if these rules are correct. I only have
> 
> smtpd_data_restrictions =
> 	reject_unauth_pipelining
> 
> On my CentOS 5 box I don't user "permit" at all.
> 
> Regards,
> Patrick
> _______________________________________________

I'm going to chuck in my 2 cents worth here, as I've been using Postfix
as a first-line filter for some years now.

All of the above suggestions are very useful.  The only point that I
haven't seen in this thread is that mail server/filter configs are
extremely user-dependent.  I started out with some of the more
restrictive options discussed here, but I had to relax a few of them for
the client involved.  It seems that they were doing business with some
folks ( both customers and suppliers ) who were using poorly-configured
mail servers, and some of the options given above can cause "legitimate"
traffic from such poorly-configured servers to be rejected.

In short, like you should do for any application, do the appropriate
research so that you UNDERSTAND what the recommended options are doing
for you ( or TO you ) and tailor your selection(s) to meet YOUR specific
needs.  In the case of using Postfix to filter mail to reduce the
inbound spam to an old, feature-poor mail server, it took some research
and some experimenting with different recommendations to achieve the
solution that met the needs of a particular user community.

Like I said, this is just my $0.02 (US) worth.  Enjoy. ;^>

-- 
Ron Loftin                      reloftin at twcny.rr.com

"God, root, what is difference ?"       Piter from UserFriendly



More information about the CentOS mailing list