[CentOS] postfix and spam, I am impressed[Solution that works]
Bob Hoffman
bob at bobhoffman.com
Tue Mar 13 11:21:41 UTC 2012
*Nataraj*
/Tue Mar 13 02:01:36 EDT 2012/ wrote:
>On 03/12/2012 10:06 PM, Nataraj wrote:
>>/ On 03/12/2012 09:08 PM, Ron Loftin wrote:
/>>>/ I'm going to chuck in my 2 cents worth here, as I've been using Postfix
/>>>/ as a first-line filter for some years now.
//
/>pbl.spamhaus.org (dynamic IP address RBL) is generally quite safe for
>most sites to use from postfix. The rest of the spamhaus RBL's such as
>the combination that you get from zen.spamhaus.org are mostly safe
>(better than all others that I've tried), but not 100%. Most others
>that I've tried I have gotten a fair number of false positives over time
>(This includes dul.dnsbl.sorbs.net, the sorbs dynamic IP RBL). Many
>people feel that most other RBL's need to be used with a scoring
>mechanism, such as that provided by spamassasin, instead of directly
>from postfix to avoid getting too many false positives.
>Nataraj
I changed it a bit since then. I found that sleep 1, when talking to my other VM that had
sleep 1, caused one mail to just get lost, so I dropped it.
My brother travels a lot and I found the client restrictions would not allow him
to send mail since the wi-fi he would connect to was not figured correctly causing
100% mail send failure. So I left client restrictions empty, but I force ssl and user auth
only anyway.
for the rbl lists I tried to pick those that had a notice page and a remove page.
This way a blocked user can try to figure out why.
Here is a bit from my logwatch, with 8 hours of non blocked spam and 16 hours since blocking it
6098 rejected, 429 accepted (most of those 429 were before the change)
Since 12 noon yesterday I have received 17 junk mails, all but two tagged by spamasassin.
BIG DIFFERENCE.
Below is the logwatch section, followed by my final set up (at least so far).
1.062M Bytes accepted 1,113,084
1007.732K Bytes delivered 1,031,918
======== ================================================
429 Accepted 6.57%
6098 Rejected 93.43%
-------- ------------------------------------------------
6527 Total 100.00%
======== ================================================
4 Reject relay denied 0.07%
340 Reject HELO/EHLO 5.58%
1749 Reject unknown user 28.68%
1 Reject recipient address 0.02%
3 Reject sender address 0.05%
4001 Reject RBL 65.61%
-------- ------------------------------------------------
6098 Total Rejects 100.00%
======== ================================================
8 4xx Reject relay denied 0.84%
318 4xx Reject HELO/EHLO 33.23%
39 4xx Reject unknown user 4.08%
81 4xx Reject recipient address 8.46%
511 4xx Reject sender address 53.40%
-------- ------------------------------------------------
957 Total 4xx Rejects 100.00%
======== ================================================
3534 Connections made
419 Connections lost
3533 Disconnections
429 Removed from queue
137 Delivered
10 Sent via SMTP
1 Bounce (remote)
1 DSNs undeliverable
22 Connection failure (outbound)
23 Timeout (inbound)
1 RBL lookup error
35 Excessive errors in SMTP commands dialog
802 Hostname verification errors
89 Address is deliverable (sendmail -bv)
194 Address is undeliverable (sendmail -bv)
4 Enabled PIX workaround
9 SASL authenticated messages
7 Postfix start
7 Postfix stop
4 Postfix refresh
# for SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_client_restrictions = permit_mynetworks
smtpd_helo_restrictions =
permit_mynetworks,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname
smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_invalid_hostname,
reject_unknown_hostname,
reject_non_fqdn_hostname
reject_rbl_client zen.spamhaus.org,
reject_rbl_client truncate.gbudb.net,
reject_rbl_client dnsbl.njabl.org
reject_rbl_client cbl.abuseat.org
reject_rbl_client bl.spamcop.net,
reject_rbl_client dnsbl.sorbs.net,
reject_unverified_recipient
smtpd_data_restrictions =
permit_mynetworks,
reject_multi_recipient_bounce
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
More information about the CentOS
mailing list