[CentOS] postfix and spam, I am impressed[Solution that works]

Nataraj incoming-centos at rjl.com
Tue Mar 13 13:17:32 EDT 2012


On 03/13/2012 04:21 AM, Bob Hoffman wrote:
> Nataraj, Tue Mar 13 02:01:36 EDT 2012, wrote:
>
>> On 03/12/2012 10:06 PM, Nataraj wrote:
>>> On 03/12/2012 09:08 PM, Ron Loftin wrote:
>>>> I'm going to chuck in my 2 cents worth here, as I've been using Postfix
>>>> as a first-line filter for some years now.
>>
>> pbl.spamhaus.org (dynamic IP address RBL) is generally quite safe for
>> most sites to use from postfix.  The rest of the spamhaus RBL's such as
>> the combination that you get from zen.spamhaus.org are mostly safe
>> (better than all others that I've tried), but not 100%.   Most others
>> that I've tried I have gotten a fair number of false positives over time
>> (This includes dul.dnsbl.sorbs.net, the sorbs dynamic IP RBL).  Many
>> people feel that most other RBL's need to be used with a scoring
>> mechanism, such as that provided by SpamAssassin, instead of directly
>> from postfix to avoid getting too many false positives.
>
>> Nataraj
> I changed it a bit since then. I found that sleep 1, when talking to my other VM that had
> sleep 1, caused one mail to just get lost, so I dropped it.
>
> My brother travels a lot and I found the client restrictions would not allow him
> to send mail since the wi-fi he would connect to was not configured correctly, causing
> 100% mail send failure. So I left client restrictions empty, but I force ssl and user auth
> only anyway.
Mobile clients should be authenticating to a relay that's not on any of
the dynamic lists and sending mail out through there.  Most sane mail
administrators do not accept mail directly from dynamic broadband/mobile
clients.
> for the rbl lists I tried to pick those that had a notice page and a remove page.
> This way a blocked user can try to figure out why.
Anyone using RBLs should also review the RBL's policy.  Most RBLs
charge a license fee for high volume queries and will cut you off if you
violate their policy.
> Here is a bit from my logwatch, with 8 hours of non blocked spam and 16 hours since blocking it
> 6098 rejected, 429 accepted (most of those 429 were before the change)
> Since 12 noon yesterday I have received 17 junk mails, all but two tagged by SpamAssassin.
> BIG DIFFERENCE.
>
> Below is the logwatch section, followed by my final set up (at least so far).
Your logwatch format is very nice; that does not appear to be the
standard CentOS-included logwatch.  Have you customized it a lot yourself?

In any case, I used to have very large numbers in the category you
described, but since I started doing aggressive blocking with fail2ban
(matching on repeated mail delivery failures), now I just completely
block all those with iptables, so that postfix never sees them.  I have
not noticed any increase in user complaints since this happened.  And I
do notice that the majority of the offending IP addresses were from
Asia, South America, Eastern Europe, the Middle East, etc.

Is this just a personal mail server or are you serving a large user base?
>
>     1.062M  Bytes accepted                         1,113,084
>   1007.732K  Bytes delivered                        1,031,918
>   ========   ================================================
>
>        429   Accepted                                   6.57%
>       6098   Rejected                                  93.43%
>   --------   ------------------------------------------------
>       6527   Total                                    100.00%
>   ========   ================================================
>
>          4   Reject relay denied                        0.07%
>        340   Reject HELO/EHLO                           5.58%
>       1749   Reject unknown user                       28.68%
>          1   Reject recipient address                   0.02%
>          3   Reject sender address                      0.05%
>       4001   Reject RBL                                65.61%
>   --------   ------------------------------------------------
>       6098   Total Rejects                            100.00%
>   ========   ================================================
>
>          8   4xx Reject relay denied                    0.84%
>        318   4xx Reject HELO/EHLO                      33.23%
>         39   4xx Reject unknown user                    4.08%
>         81   4xx Reject recipient address               8.46%
>        511   4xx Reject sender address                 53.40%
>   --------   ------------------------------------------------
>        957   Total 4xx Rejects                        100.00%
>   ========   ================================================
>
>       3534   Connections made
>        419   Connections lost
>       3533   Disconnections
>        429   Removed from queue
>        137   Delivered
>         10   Sent via SMTP
>          1   Bounce (remote)
>          1   DSNs undeliverable
>
>         22   Connection failure (outbound)
>         23   Timeout (inbound)
>          1   RBL lookup error
>         35   Excessive errors in SMTP commands dialog
>        802   Hostname verification errors
>         89   Address is deliverable (sendmail -bv)
>        194   Address is undeliverable (sendmail -bv)
>          4   Enabled PIX workaround
>          9   SASL authenticated messages
>
>          7   Postfix start
>          7   Postfix stop
>          4   Postfix refresh
>
>
>
> # for SMTP-Auth settings
>
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain = $myhostname
>
>
> smtpd_delay_reject = yes
> smtpd_helo_required = yes
>
> smtpd_client_restrictions = permit_mynetworks
>
> smtpd_helo_restrictions =
>      permit_mynetworks,
>      reject_non_fqdn_helo_hostname,
>      reject_invalid_helo_hostname
> 	
>
> smtpd_sender_restrictions =
>      permit_mynetworks,
>      reject_non_fqdn_sender,
>      reject_unknown_sender_domain
> 	
>
> # Order matters: relay/auth decisions first (so local and SASL-authenticated
> # clients are never DNSBL-checked), then syntax checks, then the DNSBL lookups,
> # and the backend probe (reject_unverified_recipient) only for what is left.
> # reject_invalid_hostname / reject_unknown_hostname / reject_non_fqdn_hostname
> # are the pre-2.3 names of the *_helo_hostname checks used below.
> smtpd_recipient_restrictions =
>      permit_mynetworks,
>      permit_sasl_authenticated,
>      reject_unauth_destination,
>      reject_unauth_pipelining,
>      reject_non_fqdn_recipient,
>      reject_unknown_recipient_domain,
>      reject_invalid_helo_hostname,
>      reject_unknown_helo_hostname,
>      reject_non_fqdn_helo_hostname,
>      reject_rbl_client zen.spamhaus.org,
>      reject_rbl_client truncate.gbudb.net,
>      reject_rbl_client dnsbl.njabl.org,
>      reject_rbl_client cbl.abuseat.org,
>      reject_rbl_client bl.spamcop.net,
>      reject_rbl_client dnsbl.sorbs.net,
>      reject_unverified_recipient
> 	
>
> smtpd_data_restrictions =
>       permit_mynetworks,
>       reject_multi_recipient_bounce
> 	
> smtpd_use_tls = yes
> # Offering TLS does not by itself stop AUTH over cleartext; enforcing that
> # takes smtpd_tls_auth_only = yes, which is not part of this excerpt.
> smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
> smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
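The reject_rbl_client lines in the configuration above and the earlier remark about RBL query policies both come down to one DNS lookup per client: reverse the octets, append the zone, and interpret the 127.x.x.x answer. The script below is an added example, not from the original post and not Postfix's or Spamhaus's own code, written in Python with an injectable resolver so it runs offline; the entries in CONSTRUCTED_ANSWERS are made up for RFC 5737 test addresses, while the return-code tables are the ones Spamhaus documents for zen.spamhaus.org. It also shows the practical caveat behind the "they will cut you off" warning: a bare `reject_rbl_client zen.spamhaus.org` rejects on any A record at all, so once a zone starts answering 127.255.255.x (open resolver, over quota) every client is rejected until the answer is pinned with the `=127.0.0.d` form.

```python
import ipaddress
import socket

# Spamhaus ZEN return codes as Spamhaus documents them. Which sub-list fired
# tells you how risky a hard reject is: PBL = dynamic/end-user space (the one
# the thread calls "generally quite safe"), XBL = exploited host, SBL = spam source.
ZEN_LISTED = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL-DROP",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
# Answers that mean the query itself was refused, not that the client is listed.
ZEN_ERRORS = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query sent via a public/open resolver",
    "127.255.255.255": "query volume exceeds the free-use limit",
}

def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # raises ValueError on non-IPv4 input
    return ".".join(reversed(octets)) + "." + zone

def check_dnsbl(ip, zone, resolve, listed=ZEN_LISTED, errors=ZEN_ERRORS):
    """Classify one client: ('listed', 'PBL,XBL') / ('clean', None) / ('error', why)."""
    answers = resolve(dnsbl_query_name(ip, zone))
    if not answers:
        return ("clean", None)
    for a in answers:
        if a in errors:                      # refused query: fail open and log it
            return ("error", errors[a])
    hits = sorted({listed[a] for a in answers if a in listed})
    if hits:
        return ("listed", ",".join(hits))
    # An A record we do not recognise: do not reject mail on it either.
    return ("error", "unrecognised answer " + ",".join(answers))

def naive_reject(answers):
    """What a bare `reject_rbl_client zone` (no =addr filter) does: any A record rejects."""
    return bool(answers)

def system_resolve(name):
    """Live lookup through the host's stub resolver; NXDOMAIN (not listed) becomes []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

# Constructed answers standing in for DNS so the example runs offline.
CONSTRUCTED_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],  # exploited host, dynamic space
    "20.2.0.192.zen.spamhaus.org": ["127.0.0.10"],               # dynamic space only
    "5.0.100.203.zen.spamhaus.org": [],                          # not listed
}

def constructed_resolve(name):
    return CONSTRUCTED_ANSWERS.get(name, [])

def over_quota_resolve(name):
    """Simulates what every lookup returns once the zone has cut you off."""
    return ["127.255.255.255"]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "203.0.100.5"):
        print(ip, check_dnsbl(ip, "zen.spamhaus.org", constructed_resolve))
    print("over quota, bare reject_rbl_client:", naive_reject(over_quota_resolve("x")),
          "| checked:", check_dnsbl("192.0.2.10", "zen.spamhaus.org", over_quota_resolve))
```

check_dnsbl fails open on the error answers and on codes it does not know, and logging those is how you notice you have hit the limit the thread warns about. system_resolve is the live path; it uses whatever /etc/resolv.conf names, which is exactly what produces 127.255.255.254 if that is a public resolver rather than a local caching one.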
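The fail2ban-plus-iptables approach described in the reply works by counting smtpd reject lines per client address and dropping the address at the packet filter once it crosses a threshold inside a time window. The Python below is an added example, not the poster's setup and not fail2ban itself: it parses a handful of constructed Postfix log lines (RFC 5737 addresses, syslog timestamps with an assumed year of 2012), applies a sliding window, honours a never_ban set standing in for permit_mynetworks, and renders the iptables rules as strings rather than executing them. The 198.51.100.7 line is there to show why a threshold is needed at all: a legitimate relay that sends one message to a mistyped address also produces a 550 reject.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Postfix smtpd log lines (syslog format as on CentOS; RFC 5737
# test addresses). Not taken from any real server.
SAMPLE_LOG = """\
Mar 13 10:01:02 mx postfix/smtpd[2931]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<bob@example.org> proto=ESMTP helo=<mail>
Mar 13 10:01:07 mx postfix/smtpd[2931]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<nobody@example.org> proto=ESMTP helo=<mail>
Mar 13 10:01:15 mx postfix/smtpd[2931]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 <mail>: Helo command rejected: Host not found; from=<a@example.net> to=<bob@example.org> proto=ESMTP helo=<mail>
Mar 13 10:02:40 mx postfix/smtpd[2935]: NOQUEUE: reject: RCPT from relay.example.com[198.51.100.7]: 550 5.1.1 <typo@example.org>: Recipient address rejected: User unknown in local recipient table; from=<carol@example.com> to=<typo@example.org> proto=ESMTP helo=<relay.example.com>
Mar 13 10:30:00 mx postfix/smtpd[2940]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<b@example.net> to=<bob@example.org> proto=ESMTP helo=<mail>
Mar 13 10:30:05 mx postfix/smtpd[2941]: connect from mail.example.com[203.0.113.9]
"""

# Matches smtpd rejects only; the SMTP reply code separates 4xx (temporary) from 5xx (permanent).
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: (?P<code>[45]\d\d) "
)

def parse_syslog_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    return datetime.strptime(f"{year} {re.sub(r' +', ' ', ts)}", "%Y %b %d %H:%M:%S")

def find_offenders(log_text, max_rejects=3, window=timedelta(minutes=10),
                   permanent_only=False, never_ban=frozenset(), year=2012):
    """Sliding-window count of smtpd rejects per client IP.

    Returns {ip: timestamp of the reject that reached max_rejects within `window`}.
    never_ban plays the role of permit_mynetworks: those IPs are never reported,
    however many rejects they accumulate.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m or m["ip"] in never_ban:
            continue
        if permanent_only and not m["code"].startswith("5"):
            continue
        events[m["ip"]].append(parse_syslog_ts(m["ts"], year))

    offenders = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # drop rejects older than the window
                start += 1
            if end - start + 1 >= max_rejects:
                offenders[ip] = t
                break
    return offenders

def iptables_rules(offenders, chain="INPUT"):
    """Render one DROP rule per offending IP as a string; nothing is executed here."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport 25 -j DROP"
            for ip in sorted(offenders)]

if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"{ip} reached the threshold at {when:%H:%M:%S}")
    for rule in iptables_rules(hits):
        print(rule)
```

Counting 4xx as well as 5xx (the default here) is in the spirit of the NOQUEUE patterns fail2ban's stock postfix filter looks for, which include some 4xx replies such as the HELO "Host not found" one; with permanent_only=True the same input stays below the threshold because only two 5xx rejects fall inside the window. Blocking at the packet filter rather than letting Postfix keep answering is a trade-off: it saves the SMTP round trip and the DNSBL queries, but a legitimate sender that tripped the counter gets a connection timeout instead of a reply it can read, and the logwatch reject counters above go quiet for those hosts.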