I am used to sendmail and am using Postfix now and am uncertain of some features. I typically would comment out the line in sendmail.mc that went something like 'accept unresolvable domains'
I tried using
smtpd_sender_restrictions = reject_unverified_sender reject_unverified_smtp
and this seems a bit too restrictive and got some bounces on legitimate senders
so I'm thinking that this is perhaps a bit more apropos...
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
does this make sense?
Craig
Personally, I reject mail from any server with broken DNS. It's extremely low hanging fruit to avoid a lot of spam from zombie PCs in Asia/Eastern Europe. You also might want to consider using the various freely available RBL sites to eliminate known naughty hosts/networks. After mail runs this gauntlet, I pass it through CRM114 and have reduced the spam that makes it to my mailbox to a couple of messages a week.
Here's the relevant lines from my postfix config:
maps_rbl_reject_code = 571
smtpd_helo_required = yes
smtpd_delay_reject = no
allow_untrusted_routing = no
disable_vrfy_command = yes
# maps_rbl_domains = relays.ordb.org, opm.blitzed.org, list.dsbl.org, sbl.spamhaus.org, cbl.abuseat.org, dul.dnsbl.sorbs.net
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, reject_maps_rbl, permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
stale_lock_time = 120
default_rbl_reply = $rbl_code Service denied; blocked
Good luck,
C
Craig White wrote:
I am used to sendmail and am using Postfix now and am uncertain of some features. I typically would comment out the line in sendmail.mc that went something like 'accept unresolvable domains'
I tried using
smtpd_sender_restrictions = reject_unverified_sender reject_unverified_smtp
and this seems a bit too restrictive and got some bounces on legitimate senders
so I'm thinking that this is perhaps a bit more apropos...
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
does this make sense?
On Fri, 2005-04-01 at 16:26 -0500, Chris Mauritz wrote:
Personally, I reject mail from any server with broken DNS. It's extremely low hanging fruit to avoid a lot of spam from zombie PCs in Asia/Eastern Europe. You also might want to consider using the various freely available RBL sites to eliminate known naughty hosts/networks. After mail runs this gauntlet, I pass it through CRM114 and have reduced the spam that makes it to my mailbox to a couple of messages a week.
Here's the relevant lines from my postfix config:
maps_rbl_reject_code = 571
smtpd_helo_required = yes
smtpd_delay_reject = no
allow_untrusted_routing = no
disable_vrfy_command = yes
# maps_rbl_domains = relays.ordb.org, opm.blitzed.org, list.dsbl.org, sbl.spamhaus.org, cbl.abuseat.org, dul.dnsbl.sorbs.net
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, reject_maps_rbl, permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
stale_lock_time = 120
default_rbl_reply = $rbl_code Service denied; blocked
---- wow - that's a pretty impressive list - curiously, no smtpd_helo_restrictions but I am gathering that you figure that the smtpd restrictions would cover that.
Is the above suitable for an office mail server or is this for one person who is less concerned about fringe stuff that may get rejected?
Craig
Craig White wrote:
wow - that's a pretty impressive list - curiously, no smtpd_helo_restrictions but I am gathering that you figure that the smtpd restrictions would cover that.
Is the above suitable for an office mail server or is this for one person who is less concerned about fringe stuff that may get rejected?
That IS our corporate server config and nobody has bitched (knock on wood) to date about real mail getting dropped on the floor.
There are also some wonderful FAQs on the postfix.org website if you have any questions about what any of the above directives does.
I ignore the helo restrictions since, as you note, the smtpd_restrictions handles the heavy lifting.
Best regards,
C
On Fri, 2005-04-01 at 16:39 -0500, Chris Mauritz wrote:
Craig White wrote:
wow - that's a pretty impressive list - curiously, no smtpd_helo_restrictions but I am gathering that you figure that the smtpd restrictions would cover that.
Is the above suitable for an office mail server or is this for one person who is less concerned about fringe stuff that may get rejected?
That IS our corporate server config and nobody has bitched (knock on wood) to date about real mail getting dropped on the floor.
There are also some wonderful FAQs on the postfix.org website if you have any questions about what any of the above directives does.
I ignore the helo restrictions since, as you note, the smtpd_restrictions handles the heavy lifting.
---- Thanks for the input - I'm sure it's very valuable and yes, I do plan to review the implications and not just blindly implement them.
I have been going through the documentation at http://www.postfix.org/postconf.5.html
which is where I got the things that I was playing with
Thanks again
Craig
Craig White wrote:
On Fri, 2005-04-01 at 16:26 -0500, Chris Mauritz wrote:
Personally, I reject mail from any server with broken DNS. It's extremely low hanging fruit to avoid a lot of spam from zombie PCs in Asia/Eastern Europe.
[snip]
Is the above suitable for an office mail server or is this for one person who is less concerned about fringe stuff that may get rejected?
I run an "office" mail server and my boss would kill me if we bounced a message just because the client is using a brain dead ISP. So our approach is a little different in that we accept a lot of mail and I spend my time on tuning spamassassin.
--Ajay
Ajay Sharma wrote:
Craig White wrote:
On Fri, 2005-04-01 at 16:26 -0500, Chris Mauritz wrote:
Personally, I reject mail from any server with broken DNS. It's extremely low hanging fruit to avoid a lot of spam from zombie PCs in Asia/Eastern Europe.
[snip]
Is the above suitable for an office mail server or is this for one person who is less concerned about fringe stuff that may get rejected?
I run an "office" mail server and my boss would kill me if we bounced a message just because the client is using a brain dead ISP. So our approach is a little different in that we accept a lot of mail and I spend my time on tuning spamassassin.
Wow, then I guess I am lucky to have a boss that doesn't ask me to do foolish things or waste my time. 8-)
You can tune a spam filter til the cows come home, but I just think it's idiotic to accept mail from any server where the admin isn't on the ball enough to even properly set up the DNS. And if it's the ISP's fault, then that admin should pick a non-braindead ISP.
And the honorary Don Quixote award goes to......
Cheers,
C
On Fri, 2005-04-01 at 17:10 -0500, Chris Mauritz wrote:
Ajay Sharma wrote:
Craig White wrote:
On Fri, 2005-04-01 at 16:26 -0500, Chris Mauritz wrote:
Personally, I reject mail from any server with broken DNS. It's extremely low hanging fruit to avoid a lot of spam from zombie PCs in Asia/Eastern Europe.
[snip]
Is the above suitable for an office mail server or is this for one person who is less concerned about fringe stuff that may get rejected?
I run an "office" mail server and my boss would kill me if we bounced a message just because the client is using a brain dead ISP. So our approach is a little different in that we accept a lot of mail and I spend my time on tuning spamassassin.
Wow, then I guess I am lucky to have a boss that doesn't ask me to do foolish things or waste my time. 8-)
You can tune a spam filter til the cows come home, but I just think it's idiotic to accept mail from any server where the admin isn't on the ball enough to even properly set up the DNS. And if it's the ISP's fault, then that admin should pick a non-braindead ISP.
---- seems to me that if AOL refuses to accept email from a mail server that doesn't reverse resolve in dns, then the die is already cast and they need to fix and then of course, why should I operate a mail server that does accept it?
Craig
Ajay Sharma wrote:
I run an "office" mail server and my boss would kill me if we bounced a message just because the client is using a brain dead ISP. So our approach is a little different in that we accept a lot of mail and I spend my time on tuning spamassassin.
Same here. We cannot go on rejecting every server that doesn't reverse. It's not that I would like to, but the truth is MANY companies have them.
regards,
--RNuno
On Fri, 2005-04-01 at 16:26 -0500, Chris Mauritz wrote:
Personally, I reject mail from any server with broken DNS. It's extremely low hanging fruit to avoid a lot of spam from zombie PCs in Asia/Eastern Europe. You also might want to consider using the various freely available RBL sites to eliminate known naughty hosts/networks. After mail runs this gauntlet, I pass it through CRM114 and have reduced the spam that makes it to my mailbox to a couple of messages a week.
Here's the relevant lines from my postfix config:
maps_rbl_reject_code = 571
smtpd_helo_required = yes
smtpd_delay_reject = no
allow_untrusted_routing = no
disable_vrfy_command = yes
# maps_rbl_domains = relays.ordb.org, opm.blitzed.org, list.dsbl.org, sbl.spamhaus.org, cbl.abuseat.org, dul.dnsbl.sorbs.net
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, reject_maps_rbl, permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
stale_lock_time = 120
default_rbl_reply = $rbl_code Service denied; blocked
---- an fyi - postfix 2.2.1
warning: support for restriction "reject_maps_rbl" will be removed from Postfix; use "reject_rbl_client domain-name" instead
is logged in /var/log/maillog
and http://www.postfix.org/spam.html#maps_rbl_domains
says nothing about this change
Craig
Craig White wrote:
an fyi - postfix 2.2.1
warning: support for restriction "reject_maps_rbl" will be removed from Postfix; use "reject_rbl_client domain-name" instead
is logged in /var/log/maillog
and http://www.postfix.org/spam.html#maps_rbl_domains
says nothing about this change
Yeah, that's why I still use 2.0.16. 8-)
I'm too lazy to update my config file. ;)
Cheers,
C
On Fri, 2005-04-01 at 19:35 -0500, Chris Mauritz wrote:
Craig White wrote:
an fyi - postfix 2.2.1
warning: support for restriction "reject_maps_rbl" will be removed from Postfix; use "reject_rbl_client domain-name" instead
is logged in /var/log/maillog
and http://www.postfix.org/spam.html#maps_rbl_domains
says nothing about this change
Yeah, that's why I still use 2.0.16. 8-)
I'm too lazy to update my config file. ;)
---- Since Alexandre isn't switching from sendmail to postfix, I needed someone else to draft behind - I was counting on you ;-)
It 'seems' to still work - just leaves me its little warnings in the log files.
Craig
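
The log warning quoted in the thread asks for each list to be named in its own reject_rbl_client entry instead of the reject_maps_rbl / maps_rbl_domains pair. The script below is an added example, not code from the thread or from Postfix: it rewrites an old-style configuration that way, raising an error when reject_maps_rbl is used with no domains listed. The sample main.cf text and the helper names are constructed for illustration, and any list carried over from a configuration of this age should be confirmed as still operating before it is queried.

```python
import re

# Added example: helper names are illustrative, not part of Postfix.
# Constructed old-style main.cf excerpt (not a real server's file).
OLD_MAIN_CF = """\
maps_rbl_reject_code = 571
# lists queried by reject_maps_rbl
maps_rbl_domains = sbl.spamhaus.org,
    cbl.abuseat.org
smtpd_recipient_restrictions = reject_non_fqdn_sender,
    reject_unknown_sender_domain, permit_mynetworks,
    reject_unauth_destination, reject_maps_rbl, permit
"""

def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines (leading whitespace)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines hold no settings
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
        else:
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params

def migrate_rbl(text):
    """Expand reject_maps_rbl into one reject_rbl_client per listed domain."""
    params = parse_main_cf(text)
    domains = [d for d in re.split(r"[,\s]+", params.pop("maps_rbl_domains", "")) if d]
    expanded = ", ".join(f"reject_rbl_client {d}" for d in domains)
    for name, value in params.items():
        if not re.search(r"\breject_maps_rbl\b", value):
            continue
        if not domains:
            # The old restriction had nothing to query; make the admin decide.
            raise ValueError(f"{name} uses reject_maps_rbl but maps_rbl_domains is empty")
        params[name] = re.sub(r"\breject_maps_rbl\b", lambda _m: expanded, value)
    return params

def render(params):
    """Format the settings back into main.cf syntax, one parameter per line."""
    return "\n".join(f"{name} = {value}" for name, value in params.items())

if __name__ == "__main__":
    print(render(migrate_rbl(OLD_MAIN_CF)))
```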