On 26.11.2010 19:48, Mike Fedyk wrote:
On Tue, Nov 16, 2010 at 11:49 AM, Rob Kampen rkampen@kampensonline.com wrote:
Hi list,
I have noted over the last week or so my DNS servers are dumping lots of messages for bogus domain lookups.
Examining the postfix queue with postqueue -p: I see many
(Host or domain name not found. Name service error for name=bdgiedjhea.po6e4ina.com type=MX: Host not found, try again)
Jake@bdgiedjhea.po6e4ina.com
My question - why does this stay in the message queue - why not dumped back with message undeliverable or dropped?
I understand this is probably related to my config - which follows:
<main.cf>
Here's what you want (copied from my config):
Not really - because the shown part of the Postfix config is doubtful.
maps_rbl_reject_code = 450
non_fqdn_reject_code = 450
Why a temporary DSN? You want those to come back again and again and again ...?
smtpd_delay_reject = yes
When running the default of a delayed reject, why then split up the smtpd_*_restrictions, causing plenty of tests to be run more than once?
smtpd_helo_required = yes
smtpd_helo_restrictions =
    reject_unauth_pipelining
    permit_sasl_authenticated
    permit_mynetworks
    reject_invalid_hostname
    reject_non_fqdn_hostname
Can lead to a lot of rejects for legitimate senders.
    reject_unknown_helo_hostname
    permit
smtpd_sender_restrictions =
    reject_unauth_pipelining
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
Again in smtpd_recipient_restrictions.
    reject_unknown_recipient_domain
Again in smtpd_recipient_restrictions.
    reject_unknown_sender_domain
    permit
smtpd_client_restrictions =
#    sleep 1
    reject_unauth_pipelining
    permit_sasl_authenticated
    permit_mynetworks
    reject_unknown_client_hostname
    permit
smtpd_recipient_restrictions =
    reject_unauth_pipelining
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
#fully automated RBLs
Far too many RBLs, really.
    reject_rbl_client truncate.gbudb.net
    reject_rbl_client dnsbl.proxybl.org
    reject_rbl_client psbl.surriel.com
    reject_rbl_client db.wpbl.info
    reject_rbl_client bl.spamcop.net
spamcop can be too aggressive.
#    reject_rbl_client bl.spamcannibal.org #blocked charles
    reject_rbl_client intercept.datapacket.net
    reject_rbl_client spamtrap.drbl.drand.net
#    reject_rbl_client dnsbl.ahbl.org #blocked godaddy
    reject_rbl_client dnsbl-1.uceprotect.net
    reject_rbl_client bhnc.njabl.org
    reject_rbl_client dnsbl.njabl.org
#larder RBLs with some non-automation and larger ranges of IPs
#    reject_rbl_client dnsbl.sorbs.net #(blocked fedora)
#    reject_rbl_client dnsbl-2.uceprotect.net
    reject_rbl_client dnsbl-3.uceprotect.net
    reject_rbl_client zen.spamhaus.org
#    reject_rbl_client
#    reject_rbl_client dnsbl-2.uceprotect.net,
#    check_policy_service unix:private/spfpolicy
#    check_policy_service inet:127.0.0.1:10023
    permit
strict_rfc821_envelopes = yes
smtpd_reject_unlisted_sender = yes
Alexander
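
Added example, not part of any message in this thread: a small Python check for two of the points raised in the reply above, namely *_reject_code values set to a temporary 4xx code and reject_* tests listed in more than one smtpd_*_restrictions list while smtpd_delay_reject is on. The sample configuration is constructed, modelled on the one quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the configuration quoted in this thread.
SAMPLE = """\
maps_rbl_reject_code = 450
non_fqdn_reject_code = 450
smtpd_delay_reject = yes
smtpd_sender_restrictions = reject_unauth_pipelining
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_unknown_sender_domain
smtpd_recipient_restrictions =
#   sleep 1
    reject_unauth_pipelining
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_unauth_destination
    reject_rbl_client zen.spamhaus.org
    permit
"""

def parse_main_cf(text):
    """Parse main.cf text: skip blank/comment lines, join indented continuations."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # a line whose first non-blank character is '#' is a comment
        if line[0].isspace() and name is not None:
            params[name] += " " + line.strip()  # continuation of previous parameter
        else:
            name, _, value = (p.strip() for p in line.partition("="))
            params[name] = value
    return params

def lint(text):
    """Return (temporary reject codes, reject_* tests present in more than one list)."""
    params = parse_main_cf(text)
    temp_codes = {k: v for k, v in params.items()
                  if k.endswith("_reject_code") and v.startswith("4")}
    lists_by_test = defaultdict(set)
    if params.get("smtpd_delay_reject", "yes") == "yes":  # Postfix default is yes
        for key, value in params.items():
            if re.fullmatch(r"smtpd_[a-z]+_restrictions", key):
                for token in re.split(r"[,\s]+", value):
                    if token.startswith("reject_"):
                        lists_by_test[token].add(key)
    repeated = {t: sorted(l) for t, l in lists_by_test.items() if len(l) > 1}
    return temp_codes, repeated
```

Running lint() on the text of a real main.cf (or on the output of postconf -n) gives the same two reports for that configuration.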