[CentOS] question for those who run mail servers

Thu May 31 19:41:55 UTC 2012
Nataraj <incoming-centos at rjl.com>

On 05/31/2012 10:35 AM, Craig White wrote:
> On May 31, 2012, at 6:09 AM, Bob Hoffman wrote:
>
>> Not technically a centos question, but a lot of you guys seem to manage
>> some large systems and I could use some clarification on a postfix setting.
>>
>> reject_unknown_client_hostname
>> (in postfix < 2.3 reject_unknown_client)
>>
>> When I first used this there were issues with users trying to send mail
>> through the server from hotels, wireless spots, etc. This was solved by
>> pushing up permit sasl_authenticated.
>>
>> I took it out after those issues. I read many online posts from 2008
>> saying too many false positives. (though none were clear if those were
>> incoming mail or from mail users)
>>
>> Do you use reject_unknown_client_hostname?
>>
>> Other than someone trying to access the server to send mail through it
>> as a user I do not see how this could be a bad setting and am thinking
>> of using it.
>> A person sending out a mail to the server, even if in that badly set up
>> hotel wireless should be using their gmail, yahoo, own server, isp mail
>> servers and should not be directly sending from their iphone....is that
>> correct?
>>
>> or do you ignore the use of this setting still?
>>
>> -thanks for any updates on the use of this setting.
> ----
> if the goal is to minimize spam then this is a really good option as it duplicates methodologies employed by a lot of the large e-mail providers (ie, AOL) which require both the forward and reverse addresses to resolve.
>
> Requiring someone to authenticate to a known SMTP host is reasonable and prudent - and I would agree that the senders should be using a registered SPF (sender permitted from) SMTP host for forwarding their outgoing e-mails.
>
> Craig

Yes, I second this.  No legitimate mail users today expect to send email
directly from a mobile device or even a home broadband connection.  Any
mail server that allows incoming email directly from end users is going
to get bombarded with spam.  In recent years, most mailserver
administrators know that they have to set up proper DNS as well.
Disallowing mailservers without proper DNS stops massive amounts of
spam, and lately I hardly ever have to add exceptions for this anymore.
I run a mail server for a good number of users and I run with this:


This one is very reliable and will reject a good many broadband/dialup
connections
Under smtpd_client_restrictions:
        reject_rbl_client pbl.spamhaus.org
        reject_unknown_client_hostname

unknown_client_reject_code = 550

I just don't get a lot of complaints from users anymore, running with
these.  This will of course depend heavily on your user base and who
they exchange email with.

You might also look at postscreen.  I've heard really good things about
it, though I haven't had time to set it up yet.

Nataraj
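
Added example, not part of the original thread and not Postfix's own code: a small Python model of the three DNS conditions under which reject_unknown_client_hostname refuses a client, showing why hosts without matching forward and reverse DNS are turned away. The function name check_client, the TempFail class and the lookup tables are assumptions made for illustration; the DNS data is constructed from documentation address ranges, 550 mirrors the unknown_client_reject_code shown above, and the 450 on temporary lookup errors follows Postfix's documented behaviour. An earlier permit_sasl_authenticated rule is not modelled.

```python
"""Model of the checks behind Postfix reject_unknown_client_hostname."""
import ipaddress

# Constructed DNS data (documentation address ranges, example.* names).
PTR = {
    "192.0.2.25": "mail.example.org",     # proper mail server
    "198.51.100.7": "host7.example.net",  # PTR exists, forward record missing
    "203.0.113.9": "mx.example.com",      # PTR exists, forward points elsewhere
}                                          # 203.0.113.200 has no PTR at all
FORWARD = {
    "mail.example.org": ["192.0.2.25"],
    "mx.example.com": ["203.0.113.10"],
}


class TempFail(Exception):
    """Stands in for a resolver timeout or SERVFAIL."""


def check_client(ip, ptr_lookup=PTR.get, fwd_lookup=FORWARD.get, reject_code=550):
    """Return (action, smtp_code, detail) for a connecting client address."""
    addr = ipaddress.ip_address(ip)
    try:
        # 1) client address -> name (PTR) must exist
        name = ptr_lookup(str(addr))
        if name is None:
            return ("reject", reject_code, "no address->name mapping")
        # 2) that name must resolve forward
        addrs = fwd_lookup(name.rstrip(".").lower())
        if not addrs:
            return ("reject", reject_code, "no name->address mapping")
        # 3) the forward result must include the client address
        if addr not in {ipaddress.ip_address(a) for a in addrs}:
            return ("reject", reject_code, "name->address does not match client")
    except TempFail:
        # Temporary DNS errors get 450 regardless of the configured reject code,
        # so a resolver outage delays mail instead of bouncing it.
        return ("defer", 450, "temporary DNS failure")
    return ("ok", None, name)


if __name__ == "__main__":
    for ip in ("192.0.2.25", "203.0.113.200", "198.51.100.7", "203.0.113.9"):
        print(ip, check_client(ip))
```
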