[CentOS] postfix tightening

Sat Apr 2 00:20:02 UTC 2005
Craig White <craigwhite at azapple.com>

On Fri, 2005-04-01 at 16:26 -0500, Chris Mauritz wrote:
> Personally, I reject mail from any server with broken DNS.  It's 
> extremely low hanging fruit to avoid a lot of spam from zombie PCs in 
> Asia/Eastern Europe.  You also might want to consider using the various 
> freely available RBL sites to eliminate known naughty hosts/networks.  
> After mail runs this gauntlet, I pass it through CRM114 and have reduced 
> the spam that makes it to my mailbox to a couple of messages a week. 
> 
> Here are the relevant lines from my postfix config:
> 
> maps_rbl_reject_code = 571
> smtpd_helo_required = yes
> smtpd_delay_reject = no
> allow_untrusted_routing = no
> disable_vrfy_command = yes
> #
> maps_rbl_domains =
>         relays.ordb.org,
>         opm.blitzed.org,
>         list.dsbl.org,
>         sbl.spamhaus.org,
>         cbl.abuseat.org,
>         dul.dnsbl.sorbs.net
> 
> smtpd_recipient_restrictions =
>         reject_invalid_hostname,
>         reject_non_fqdn_hostname,
>         reject_non_fqdn_sender,
>         reject_non_fqdn_recipient,
>         reject_unknown_sender_domain,
>         reject_unknown_recipient_domain,
>         permit_mynetworks,
>         reject_unauth_destination,
>         reject_maps_rbl,
>         permit
> 
> smtpd_data_restrictions =
>         reject_unauth_pipelining,
>         permit
> 
> stale_lock_time = 120
> default_rbl_reply = $rbl_code Service denied; blocked
----
an fyi - postfix 2.2.1

warning: support for restriction "reject_maps_rbl" will be removed from
Postfix; use "reject_rbl_client domain-name" instead

is logged in /var/log/maillog

and http://www.postfix.org/spam.html#maps_rbl_domains

says nothing about this change

Craig
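
The migration the logged warning asks for can be scripted. The following is an added example, not part of the original messages: it reads a main.cf fragment and expands each `reject_maps_rbl` into one `reject_rbl_client domain-name` entry per `maps_rbl_domains` item, keeping its position in the restriction list. The function names are hypothetical, the sample is constructed and abridged from the quoted config, and comma-separated entries are assumed.

```python
# Constructed sample, abridged from the main.cf quoted above.
SAMPLE_MAIN_CF = """\
maps_rbl_domains =
        sbl.spamhaus.org,
# a comment line does not end a continuation
        cbl.abuseat.org
smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unauth_destination,
        reject_maps_rbl,
        permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
"""

def parse_main_cf(text):
    """Map parameter -> value; a line starting with whitespace continues the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines are skipped
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        else:
            name, _, value = (part.strip() for part in line.partition("="))
            params[name] = value
    return params

def split_items(value):
    # Assumption: entries are comma-separated, as in the quoted config.
    return [item.strip() for item in value.split(",") if item.strip()]

def migrate(text):
    """Return {restriction list: items} with reject_maps_rbl expanded in place."""
    params = parse_main_cf(text)
    domains = split_items(params.get("maps_rbl_domains", ""))
    migrated = {}
    for name, value in params.items():
        items = split_items(value)
        if name.endswith("_restrictions") and "reject_maps_rbl" in items:
            migrated[name] = [
                new for item in items
                for new in (["reject_rbl_client " + d for d in domains]
                            if item == "reject_maps_rbl" else [item])]
    return migrated

if __name__ == "__main__":
    for name, items in migrate(SAMPLE_MAIN_CF).items():
        print(name + " =\n" + ",\n".join("        " + i for i in items))
```

Confirm each DNSBL is still in service before carrying it over, and run `postfix check` after editing main.cf.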