On 03/13/2012 04:21 AM, Bob Hoffman wrote:
*Nataraj* /Tue Mar 13 02:01:36 EDT 2012/ wrote:
On 03/12/2012 10:06 PM, Nataraj wrote:
/ On 03/12/2012 09:08 PM, Ron Loftin wrote:
/>>>/ I'm going to chuck in my 2 cents worth here, as I've been using Postfix />>>/ as a first-line filter for some years now. // />pbl.spamhaus.org (dynamic IP address RBL) is generally quite safe for
most sites to use from postfix. The rest of the spamhaus RBL's such as the combination that you get from zen.spamhaus.org are mostly safe (better than all others that I've tried), but not 100%. Most others that I've tried I have gotten a fair number of false positives over time (This includes dul.dnsbl.sorbs.net, the sorbs dynamic IP RBL). Many people feel that most other RBL's need to be used with a scoring mechanism, such as that provided by spamassasin, instead of directly from postfix to avoid getting too many false positives.
Nataraj
I changed it a bit since then. I found that sleep 1, when talking to my other VM that had sleep 1, caused one mail to just get lost, so I dropped it.
My brother travels a lot and I found the client restrictions would not allow him to send mail since the wi-fi he would connect to was not figured correctly causing 100% mail send failure. So I left client restrictions empty, but I force ssl and user auth only anyway.
Mobile clients should be authenticating to a relay that's not on any of the dynamic lists and sending mail out through there. Most sane mail administrators do not accept mail directly from dynamic broadband/mobile clients.
for the rbl lists I tried to pick those that had a notice page and a remove page. This way a blocked user can try to figure out why.
Also anyone using rbl's should also review the RBL's policy. Most RBL's charge a license fee for high volume queries and will cut you off if you violate their policy.
Here is a bit from my logwatch, with 8 hours of non blocked spam and 16 hours since blocking it 6098 rejected, 429 accepted (most of those 429 were before the change) Since 12 noon yesterday I have received 17 junk mails, all but two tagged by spamasassin. BIG DIFFERENCE.
Below is the logwatch section, followed by my final set up (at least so far).
Your logwatch format is very nice, that does not appear to be the standard CentOS included logwatch. Have you customized it alot yourself?
In any case, I used to have very large numbers in the category you described, but since I started doing agressive blocking with fail2ban (matching on repeated mail delivery failures), now I just completely block all those with IPtables, so that postfix never sees them. I have not noticed any increase in user complaints since this happened. And I do notice that the majority of the offending IP addresses were from asia, south america, eastern Europe, the middle east, etc.
Is this just a personal mail server or are you serving a large user base?
1.062M Bytes accepted 1,113,084
1007.732K Bytes delivered 1,031,918 ======== ================================================
429 Accepted 6.57% 6098 Rejected 93.43%
6527 Total 100.00%
======== ================================================
4 Reject relay denied 0.07% 340 Reject HELO/EHLO 5.58% 1749 Reject unknown user 28.68% 1 Reject recipient address 0.02% 3 Reject sender address 0.05% 4001 Reject RBL 65.61%
6098 Total Rejects 100.00%
======== ================================================
8 4xx Reject relay denied 0.84% 318 4xx Reject HELO/EHLO 33.23% 39 4xx Reject unknown user 4.08% 81 4xx Reject recipient address 8.46% 511 4xx Reject sender address 53.40%
957 Total 4xx Rejects 100.00%
======== ================================================
3534 Connections made 419 Connections lost 3533 Disconnections 429 Removed from queue 137 Delivered 10 Sent via SMTP 1 Bounce (remote) 1 DSNs undeliverable 22 Connection failure (outbound) 23 Timeout (inbound) 1 RBL lookup error 35 Excessive errors in SMTP commands dialog 802 Hostname verification errors 89 Address is deliverable (sendmail -bv) 194 Address is undeliverable (sendmail -bv) 4 Enabled PIX workaround 9 SASL authenticated messages 7 Postfix start 7 Postfix stop 4 Postfix refresh
# for SMTP-Auth settings
smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $myhostname
smtpd_delay_reject = yes smtpd_helo_required = yes
smtpd_client_restrictions = permit_mynetworks
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_invalid_hostname, reject_unknown_hostname, reject_non_fqdn_hostname reject_rbl_client zen.spamhaus.org, reject_rbl_client truncate.gbudb.net, reject_rbl_client dnsbl.njabl.org reject_rbl_client cbl.abuseat.org reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, reject_unverified_recipient
smtpd_data_restrictions = permit_mynetworks, reject_multi_recipient_bounce
smtpd_use_tls = yes smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos