[CentOS] postfix and spam, I am impressed

Nataraj incoming-centos at rjl.com
Tue Mar 13 05:06:07 UTC 2012


On 03/12/2012 09:08 PM, Ron Loftin wrote:
>
> I'm going to chuck in my 2 cents worth here, as I've been using Postfix
> as a first-line filter for some years now.
>
> All of the above suggestions are very useful.  The only point that I
> haven't seen in this thread is that mail server/filter configs are
> extremely user-dependent.  I started out with some of the more
> restrictive options discussed here, but I had to relax a few of them for
> the client involved.  It seems that they were doing business with some
> folks ( both customers and suppliers ) who were using poorly-configured
> mail servers, and some of the options given above can cause "legitimate"
> traffic from such poorly-configured servers to be rejected.
>
> In short, like you should do for any application, do the appropriate
> research so that you UNDERSTAND what the recommended options are doing
> for you ( or TO you ) and tailor your selection(s) to meet YOUR specific
> needs.  In the case of using Postfix to filter mail to reduce the
> inbound spam to an old, feature-poor mail server, it took some research
> and some experimenting with different recommendations to achieve the
> solution that met the needs of a particular user community.
>
> Like I said, this is just my $0.02 (US) worth.  Enjoy. ;^>
>

Yes, this is very much true.  It takes a bit of tuning to find the right
settings for each mail environment.  Turn things up too high and your
phone will ring off the hook with user complaints about rejecting mail
that they want to receive.  Fortunately you can define multiple
smtpd_restriction_classes and apply different policies by matching on
who the recipient, sender, client domain etc is.  An example would be:

NOTE THIS example is hypothetical, I don't suggest that anyone try to
use my extra_restrictive class on a production system without testing.

smtpd_restriction_classes = extra_restrictive, restrictive, permissive

extra_restrictive =
        reject_rbl_client dul.dnsbl.sorbs.net
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client bl.spamcop.net
        reject_rbl_client hostkarma.junkemailfilter.com =127.0.0.2
        reject_rbl_client dnsbl.sorbs.net
        reject_rhsbl_sender whois.rfc-ignorant.org
        reject_rhsbl_sender postmaster.rfc-ignorant.org
        reject_rhsbl_sender abuse.rfc-ignorant.org
        reject_rhsbl_sender hostkarma.junkemailfilter.com=127.0.0.2
        reject_rbl_client l2.apews.org

restrictive =
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client bl.spamcop.net

permissive =
        reject_rbl_client pbl.spamhaus.org

smtpd_recipient_restrictions =
        permit_sasl_authenticated
        permit_mynetworks
        check_recipient_access proxy:pgsql:/etc/postfix/vpm_recipient_access
##############################################
# NOTE: YOU MUST ALWAYS check for valid recipients before checking
# for sender exceptions, otherwise anyone who passes the
# sender exceptions will be allowed to use us as a relay.
##############################################
        check_sender_access hash:/etc/postfix/smtpd_sender_access
        check_recipient_access hash:/etc/postfix/smtpd_recipient_access
        check_policy_service unix:private/vpm-pfpolicy
        reject_unauth_destination



Then is smtpd_recipient_access I have:

domain1.com                restrictive
abuse at domain1.com    extra_restrictive
postmaster at domain1.com    extra_restrictive
registrar_domain_contact at domain1.com extra_restrictive
domain2.com                permissive


Nataraj





More information about the CentOS mailing list