[CentOS] Antispam with Postfix

Tue Sep 29 03:21:43 UTC 2009
Christopher Chan <christopher.chan at bradbury.edu.hk>

Joseph L. Casale wrote:
>> Postfix can handle that. You can have multiple lookup tables/maps. They
>> do not even have to be the same type of database.
>>     
>
> I guess I can leave that part up to Postfix, but I still need an antispam
> add-in...
>   
spamassassin via spamass-milter. Fast, no complicated smtp 
proxy/multiple queue setup needed and not as resource intensive as some 
other solutions.


> I asked on the Postfix list a while ago whether multiple LDAP server lookups
> could be configured and received no response. I assumed no one had done it.
> I'll just have to reserve some time to actually try it!
>   
:-D

I have not bothered with that list in ages. You can put multiple ldap 
table lookup directives in main.cf. Each directive has its own 
configuration. If you are not going to rewrite the recipient address, 
put the domains in the 'relay_domains' list (you can put a filename here 
and put the domains in that file) and then feed the list of ldap lookups 
to 'relay_recipient_maps'.

Eg:

relay_recipient_maps = ldap:/etc/postfix/domain1.cf, ldap:/etc/postfix/domain2.cf
                       ldap:/etc/postfix/domain3.cf
(they do not need to be on one line but the continuation must be indented)

Each domainX.cf should have a 'domain' parameter to prevent unnecessary 
queries. Eg: domain1.cf should have a domain = domain1 entry.
Ldap configuration file information:
http://www.postfix.org/ldap_table.5.html
>   
>> Like others have already said, lose it or fix it.
>>     
>
> Well, therein lies my trouble. With the poor support around my current product
> I can't fix it (Don't know how). I had to loosen up the primary so it would stop
> rejecting good mail from the secondary, it's nothing short of a proper mess, I
> know. Hence the look for alternatives....
>
>   
Your secondary should have the same filtering setup. Also, a queueing 
secondary is absolutely useless. Just let the mails queue at their 
original servers. If they bounce due to stringent rules (one hour delay 
and boom! that's it) then let them. Better that they know the mail has 
not gone through than to think it has and wonder why there has been no 
reply for the next two/three days. People have this 'instant' concept 
about email. I would not bother with a 'secondary' anymore.


>> postfix + spamass-milter will do it.
>>     
>
> I'll give a second look at sa, I haven't looked at it in a while (years) but remember
> it being rather in-depth.
>
>   


Yeah, if you need to do some tweaking of rules.
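
Added example, not part of the original post: a small pre-deployment check for the two rules given in the reply above, namely that a wrapped relay_recipient_maps value must have its continuation lines indented, and that every ldap table file should carry a 'domain' parameter. The function names, host name, search base and file contents are constructed for illustration.

```python
import re

def logical_lines(text):
    """Join physical lines into logical lines using the postconf(5) rules."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if raw[0] in " \t" and out:
            out[-1] = (out[-1][0], out[-1][1] + " " + raw.strip())
        else:
            out.append((n, raw.strip()))  # text in column 0 starts a new logical line
    return out

def parse(text):
    """Return (params, orphans); orphans are logical lines that are not 'name = value'."""
    params, orphans = {}, []
    for n, line in logical_lines(text):
        name, eq, value = line.partition("=")
        if eq and re.fullmatch(r"\w+", name.strip()):
            params[name.strip()] = value.strip()
        else:
            orphans.append((n, line))
    return params, orphans

def check(main_cf, table_files):
    """table_files maps path -> file text (constructed below; read from disk in real use)."""
    params, orphans = parse(main_cf)
    problems = [f"main.cf line {n}: unindented continuation? {l!r}" for n, l in orphans]
    maps = [m for m in re.split(r"[,\s]+", params.get("relay_recipient_maps", "")) if m]
    for m in maps:
        kind, _, path = m.partition(":")
        if kind == "ldap" and "domain" not in parse(table_files.get(path, ""))[0]:
            problems.append(f"{path}: no 'domain' parameter, all recipients are queried here")
    return maps, problems

# Constructed sample input; host names and search bases are placeholders.
FIXED = ("relay_recipient_maps = ldap:/etc/postfix/domain1.cf, ldap:/etc/postfix/domain2.cf\n"
         "    ldap:/etc/postfix/domain3.cf\n")
BROKEN = ("relay_recipient_maps = ldap:/etc/postfix/domain1.cf,\n"
          "ldap:/etc/postfix/domain2.cf\n"
          "    ldap:/etc/postfix/domain3.cf\n")
BASE = "server_host = ldap.example.test\nsearch_base = dc=example,dc=test\n"
TABLES = {"/etc/postfix/domain1.cf": BASE + "domain = domain1\n",
          "/etc/postfix/domain2.cf": BASE + "domain = domain2\n",
          "/etc/postfix/domain3.cf": BASE}  # domain3.cf deliberately lacks 'domain'

if __name__ == "__main__":
    for label, cfg in (("fixed", FIXED), ("broken", BROKEN)):
        print(label, *check(cfg, TABLES), sep="\n  ")
```

With the unindented variant only domain1.cf ends up in relay_recipient_maps, so recipients in the other two domains would not be validated against LDAP at all.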