On 03/12/2012 09:08 PM, Ron Loftin wrote:
I'm going to chuck in my 2 cents worth here, as I've been using Postfix as a first-line filter for some years now.
All of the above suggestions are very useful. The only point that I haven't seen in this thread is that mail server/filter configs are extremely user-dependent. I started out with some of the more restrictive options discussed here, but I had to relax a few of them for the client involved. It seems that they were doing business with some folks ( both customers and suppliers ) who were using poorly-configured mail servers, and some of the options given above can cause "legitimate" traffic from such poorly-configured servers to be rejected.
In short, like you should do for any application, do the appropriate research so that you UNDERSTAND what the recommended options are doing for you ( or TO you ) and tailor your selection(s) to meet YOUR specific needs. In the case of using Postfix to filter mail to reduce the inbound spam to an old, feature-poor mail server, it took some research and some experimenting with different recommendations to achieve the solution that met the needs of a particular user community.
Like I said, this is just my $0.02 (US) worth. Enjoy. ;^>
Yes, this is very much true. It takes a bit of tuning to find the right settings for each mail environment. Turn things up too high and your phone will ring off the hook with user complaints about rejecting mail that they want to receive. Fortunately you can define multiple smtpd_restriction_classes and apply different policies by matching on who the recipient, sender, client domain, etc. is. An example would be:
NOTE: THIS example is hypothetical; I don't suggest that anyone try to use my extra_restrictive class on a production system without testing.
smtpd_restriction_classes = extra_restrictive, restrictive, permissive

extra_restrictive =
    reject_rbl_client dul.dnsbl.sorbs.net
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net
    reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
    reject_rbl_client dnsbl.sorbs.net
    reject_rhsbl_sender whois.rfc-ignorant.org
    reject_rhsbl_sender postmaster.rfc-ignorant.org
    reject_rhsbl_sender abuse.rfc-ignorant.org
    reject_rhsbl_sender hostkarma.junkemailfilter.com=127.0.0.2
    reject_rbl_client l2.apews.org

restrictive =
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net

permissive =
    reject_rbl_client pbl.spamhaus.org

smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    check_recipient_access proxy:pgsql:/etc/postfix/vpm_recipient_access
##############################################
# NOTE: YOU MUST ALWAYS check for valid recipients before checking
# for sender exceptions, otherwise anyone who passes the
# sender exceptions will be allowed to use us as a relay.
##############################################
    check_sender_access hash:/etc/postfix/smtpd_sender_access
    check_recipient_access hash:/etc/postfix/smtpd_recipient_access
    check_policy_service unix:private/vpm-pfpolicy
    reject_unauth_destination
Then in smtpd_recipient_access I have:

domain1.com                             restrictive
abuse@domain1.com                       extra_restrictive
postmaster@domain1.com                  extra_restrictive
registrar_domain_contact@domain1.com    extra_restrictive
domain2.com                             permissive
Nataraj
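
Added example, not part of the original message: a simplified Python model of the access(5) lookup order that check_recipient_access follows (full address, then domain and parent domains, then localpart@), run over the smtpd_recipient_access entries and class definitions quoted above. The function names are illustrative, and address extensions and non-hash table types are not modelled.

```python
# Class definitions and access entries copied from the message above.
CLASSES = {
    "extra_restrictive": (
        "reject_rbl_client dul.dnsbl.sorbs.net reject_rbl_client zen.spamhaus.org "
        "reject_rbl_client bl.spamcop.net "
        "reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2 "
        "reject_rbl_client dnsbl.sorbs.net reject_rhsbl_sender whois.rfc-ignorant.org "
        "reject_rhsbl_sender postmaster.rfc-ignorant.org "
        "reject_rhsbl_sender abuse.rfc-ignorant.org "
        "reject_rhsbl_sender hostkarma.junkemailfilter.com=127.0.0.2 "
        "reject_rbl_client l2.apews.org"
    ),
    "restrictive": "reject_rbl_client zen.spamhaus.org reject_rbl_client bl.spamcop.net",
    "permissive": "reject_rbl_client pbl.spamhaus.org",
}
ACCESS_TABLE = """\
domain1.com restrictive
abuse@domain1.com extra_restrictive
postmaster@domain1.com extra_restrictive
registrar_domain_contact@domain1.com extra_restrictive
domain2.com permissive
"""

def load_access(text):
    """Parse 'key action' lines; keys are folded to lower case as Postfix does."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, action = line.split(None, 1)
            table[key.lower()] = action.strip()
    return table

def lookup_keys(recipient):
    """Keys in the order tried: address, domain, parent domains, localpart@."""
    local, _, domain = recipient.lower().rpartition("@")
    labels = domain.split(".")
    parents = [".".join(labels[i:]) for i in range(len(labels))]
    return [f"{local}@{domain}"] + parents + [f"{local}@"]

def resolve(recipient, table=None):
    """Return (class name, [(restriction, argument), ...]) for the first match."""
    table = load_access(ACCESS_TABLE) if table is None else table
    for key in lookup_keys(recipient):
        if key in table:
            words = CLASSES.get(table[key], "").split()
            return table[key], list(zip(words[0::2], words[1::2]))
    return None, []  # no entry: evaluation falls through to the next restriction
```

The more specific address entries win over the domain entry regardless of their order in the file, which is why abuse@domain1.com gets extra_restrictive while the rest of domain1.com gets restrictive.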