On Mon, 2012-03-12 at 23:15 +0100, Patrick Lists wrote:
On 12-03-12 22:12, Bob Hoffman wrote: [snip]
Not sure if this setup is perfect, but it is working quite well. Yes, the mail takes a few seconds longer and there is probably more I could do, but this ROCKS!!!
Totally agree. I'm definitely not a postfix expert but below I have listed some rules I have in my config.
smtpd_delay_reject = yes
smtpd_helo_required = yes
I also have:
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
smtpd_client_restrictions = permit_mynetworks,permit
In smtpd_client_restrictions I have:
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_reverse_client_hostname,
    check_client_access pcre:/etc/postfix/dynamic_ip_client_block,
    reject_rbl_client bl.spameatingmonkey.net,
    reject_rhsbl_sender uribl.spameatingmonkey.net,
    reject_rhsbl_client uribl.spameatingmonkey.net,
    reject_rhsbl_sender urired.spameatingmonkey.net,
    reject_rhsbl_client urired.spameatingmonkey.net,
    reject_rbl_client zen.spamhaus.org
The dynamic IP client list is quite effective. You can get the file: wget -v http://www.hardwarefreak.com/fqrdns.pcre
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
In smtpd_sender_restrictions I also use
reject_rhsbl_sender fresh15.spameatingmonkey.net
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client truncate.gbudb.net,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.sorbs.net,
    sleep 1,
    permit
smtpd_data_restrictions =
    permit_mynetworks,
    reject_multi_recipient_bounce,
    permit
Not sure if these rules are correct. I only have
smtpd_data_restrictions = reject_unauth_pipelining
On my CentOS 5 box I don't use "permit" at all.
Regards, Patrick
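As an added example that is not part of either poster's message: the restriction lists quoted above, merged into one main.cf fragment and ordered for the way Postfix evaluates them (top to bottom, stopping at the first restriction that returns permit or reject). The pcre file path, the presence of SASL authentication, and the omission of the `sleep 1` and trailing `permit` entries are my choices, not the thread's; the DNSBL zones are exactly the ones the thread names.

```ini
# Added example, not the posters' own configuration.
# Postfix main.cf only accepts comments on lines that start with '#';
# a '#' after a value becomes part of the value, so keep comments on
# their own lines.

# Evaluate HELO and MAIL FROM restrictions at RCPT TO time, so a reject
# is logged with the recipient and clients that send garbage early are
# still handled by the full recipient list.
smtpd_delay_reject = yes
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes

# Client checks: your own networks and authenticated users are permitted
# before any DNSBL lookup, so a listed home IP never blocks your own users.
# Assumed path: the fqrdns.pcre file from the thread saved under /etc/postfix.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_reverse_client_hostname,
    check_client_access pcre:/etc/postfix/fqrdns.pcre,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spameatingmonkey.net,
    reject_rhsbl_client uribl.spameatingmonkey.net,
    reject_rhsbl_client urired.spameatingmonkey.net

smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_rhsbl_sender uribl.spameatingmonkey.net,
    reject_rhsbl_sender urired.spameatingmonkey.net,
    reject_rhsbl_sender fresh15.spameatingmonkey.net

# Recipient checks: reject_unauth_destination MUST come before any permit
# other than permit_mynetworks / permit_sasl_authenticated, otherwise the
# server relays for anyone who reaches that permit. Expensive DNSBL
# lookups go after it so they only run for mail you would accept anyway.
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client truncate.gbudb.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.sorbs.net

smtpd_data_restrictions =
    reject_unauth_pipelining,
    reject_multi_recipient_bounce
```

Two caveats a practitioner should apply before copying this: `zen.spamhaus.org` already contains the CBL data, so a separate `reject_rbl_client cbl.abuseat.org` after it is redundant, and `dnsbl.njabl.org` ceased operation in 2013, so querying it only adds a DNS round trip per connection. Check the result with `postconf -n` and `postfix check`, and test the pcre list against a hostname of your choosing with `postmap -q 'host.example.net' pcre:/etc/postfix/fqrdns.pcre` (the path is the assumed one above).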
I'm going to chuck in my 2 cents worth here, as I've been using Postfix as a first-line filter for some years now.
All of the above suggestions are very useful. The only point that I haven't seen in this thread is that mail server/filter configs are extremely user-dependent. I started out with some of the more restrictive options discussed here, but I had to relax a few of them for the client involved. It seems that they were doing business with some folks (both customers and suppliers) who were using poorly-configured mail servers, and some of the options given above can cause "legitimate" traffic from such poorly-configured servers to be rejected.
In short, like you should do for any application, do the appropriate research so that you UNDERSTAND what the recommended options are doing for you (or TO you) and tailor your selection(s) to meet YOUR specific needs. In the case of using Postfix to filter mail to reduce the inbound spam to an old, feature-poor mail server, it took some research and some experimenting with different recommendations to achieve the solution that met the needs of a particular user community.
Like I said, this is just my $0.02 (US) worth. Enjoy. ;^>