[CentOS] postfix and spam, I am impressed
Nataraj
incoming-centos at rjl.com
Tue Mar 13 05:06:07 UTC 2012
On 03/12/2012 09:08 PM, Ron Loftin wrote:
>
> I'm going to chuck in my 2 cents worth here, as I've been using Postfix
> as a first-line filter for some years now.
>
> All of the above suggestions are very useful. The only point that I
> haven't seen in this thread is that mail server/filter configs are
> extremely user-dependent. I started out with some of the more
> restrictive options discussed here, but I had to relax a few of them for
> the client involved. It seems that they were doing business with some
> folks ( both customers and suppliers ) who were using poorly-configured
> mail servers, and some of the options given above can cause "legitimate"
> traffic from such poorly-configured servers to be rejected.
>
> In short, like you should do for any application, do the appropriate
> research so that you UNDERSTAND what the recommended options are doing
> for you ( or TO you ) and tailor your selection(s) to meet YOUR specific
> needs. In the case of using Postfix to filter mail to reduce the
> inbound spam to an old, feature-poor mail server, it took some research
> and some experimenting with different recommendations to achieve the
> solution that met the needs of a particular user community.
>
> Like I said, this is just my $0.02 (US) worth. Enjoy. ;^>
>
Yes, this is very much true. It takes a bit of tuning to find the right
settings for each mail environment. Turn things up too high and your
phone will ring off the hook with user complaints about rejecting mail
that they want to receive. Fortunately you can define multiple
smtpd_restriction_classes and apply different policies by matching on
who the recipient, sender, client domain etc is. An example would be:
NOTE THIS example is hypothetical, I don't suggest that anyone try to
use my extra_restrictive class on a production system without testing.
smtpd_restriction_classes = extra_restrictive, restrictive, permissive
extra_restrictive =
reject_rbl_client dul.dnsbl.sorbs.net
reject_rbl_client zen.spamhaus.org
reject_rbl_client bl.spamcop.net
reject_rbl_client hostkarma.junkemailfilter.com =127.0.0.2
reject_rbl_client dnsbl.sorbs.net
reject_rhsbl_sender whois.rfc-ignorant.org
reject_rhsbl_sender postmaster.rfc-ignorant.org
reject_rhsbl_sender abuse.rfc-ignorant.org
reject_rhsbl_sender hostkarma.junkemailfilter.com=127.0.0.2
reject_rbl_client l2.apews.org
restrictive =
reject_rbl_client zen.spamhaus.org
reject_rbl_client bl.spamcop.net
permissive =
reject_rbl_client pbl.spamhaus.org
smtpd_recipient_restrictions =
permit_sasl_authenticated
permit_mynetworks
check_recipient_access proxy:pgsql:/etc/postfix/vpm_recipient_access
##############################################
# NOTE: YOU MUST ALWAYS check for valid recipients before checking
# for sender exceptions, otherwise anyone who passes the
# sender exceptions will be allowed to use us as a relay.
##############################################
check_sender_access hash:/etc/postfix/smtpd_sender_access
check_recipient_access hash:/etc/postfix/smtpd_recipient_access
check_policy_service unix:private/vpm-pfpolicy
reject_unauth_destination
Then is smtpd_recipient_access I have:
domain1.com restrictive
abuse at domain1.com extra_restrictive
postmaster at domain1.com extra_restrictive
registrar_domain_contact at domain1.com extra_restrictive
domain2.com permissive
Nataraj
More information about the CentOS
mailing list