From: mouss (no email)
Date: Wed Apr 25 2007 - 16:32:24 EDT
Darren Pilgrim wrote:
> I have a postfix configuration where the MTA and MSA components
> are separated (separate smtp and submission ports). Everything works,
> but now I'd like to start clamping down on what the MTA will accept.
> I already block 89-92% of spam at the door (55-70% of total traffic)
> thanks to other tricks, like client profiling and selective greylisting.
>
> About half of the spam that gets through has a local sender, so
> the task at hand is rejecting any mail where the sender is in a local
> domain. I'm using virtual mailboxes, so I want to reject mail if the
> sender domain is in the virtual_mailbox_domains table. I've already done
> some testing and it looks like I can just copy the domains.mysql file
> and add a rejection result such as:
>
> result_format = REJECT Port 25 does not accept mail from local senders.
>
> The effect appears to be that if the domain is local, it returns a REJECT
> code--exactly what I want. If I put that in sender_acl.mysql and
> replace reject_unlisted_sender in smtpd_recipient_restrictions with:
>
> check_sender_access proxy:mysql:${config_directory}/sender_acl.mysql
>
> I think it should work. Is this a sound thing to do or will doing so
> remove some additional function of reject_unlisted_sender?
>
This is ok provided you never want such mail. There are legitimate cases
where the sender is "local" in inbound mail:
- some services use the "subscriber" address as the sender
- forwarded mail (foo at local --send--> bar at remote --forward--> bar2 at local)
- telecommuters sending via their ISP
This may or may not be an issue. Only you can judge.
Otherwise, if you implement this, then you don't need
reject_unlisted_sender.
>
> # postconf -n
> alias_database =
> alias_maps =
> bounce_template_file = ${config_directory}/bounce.cf
> command_directory = /usr/local/sbin
> config_directory = /usr/local/etc/postfix
> daemon_directory = /usr/local/libexec/postfix
> disable_vrfy_command = yes
> fast_flush_domains =
> html_directory = no
> in_flow_delay = 0
> inet_interfaces = $myhostname
> local_recipient_maps =
> mail_owner = postfix
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> message_size_limit = 104857600
> mydestination =
> mydomain = $myhostname
> myhostname = mail.example.com
> mynetworks = 127.0.0.0/8, $myhostname
> myorigin = srv.example.com
> newaliases_path = /usr/local/bin/newaliases
> parent_domain_matches_subdomains =
> proxy_read_maps =
> $virtual_alias_maps
> $virtual_mailbox_domains
> $virtual_mailbox_maps
> $transport_maps
> $smtpd_recipient_restrictions
> queue_directory = /var/spool/postfix
> readme_directory = no
> recipient_delimiter = +
> relay_domains =
> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> smtpd_banner = $myhostname ESMTP (NO UCE)
> smtpd_data_restrictions = reject_unauth_pipelining permit
> smtpd_discard_ehlo_keywords = ETRN
> smtpd_error_sleep_time = 0
> smtpd_hard_error_limit = 5
> smtpd_helo_required = yes
> smtpd_recipient_restrictions =
> reject_non_fqdn_helo_hostname
> reject_invalid_helo_hostname
> reject_non_fqdn_sender
> reject_unlisted_sender
> reject_unknown_sender_domain
> reject_non_fqdn_recipient
> reject_unlisted_recipient
> reject_unknown_recipient_domain
> reject_unauth_destination
> check_client_access cidr:${config_directory}/bogons.cidr
> check_helo_access cidr:${config_directory}/bogons.cidr
> check_sender_mx_access cidr:${config_directory}/bogons.cidr
> check_sender_ns_access cidr:${config_directory}/bogons.cidr
> check_recipient_access hash:${config_directory}/rcpt_acl_pre
> check_sender_access hash:${config_directory}/sender_acl
> check_client_access pcre:${config_directory}/client_acl.pcre
> check_helo_access pcre:${config_directory}/helo_acl.pcre
> check_recipient_access hash:${config_directory}/rcpt_acl_post
> check_policy_service inet:127.0.0.25:10001
> reject_rbl_client zen.spamhaus.org
> reject_rhsbl_sender rhsbl.ahbl.org
> reject_rhsbl_sender dsn.rfc-ignorant.org
> permit
> smtpd_restriction_classes = greylist, suspect_client
> smtpd_sasl_auth_enable = no
> smtpd_sasl_security_options = noanonymous,noplaintext
> smtpd_sasl_tls_security_options = noanonymous
> smtpd_tls_CAfile = /usr/local/etc/sslcerts/cacert.pem
> smtpd_tls_cert_file = /usr/local/etc/sslcerts/mail.example.com.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_session_cache_database =
> btree:${queue_directory}/private/smtpd_tls_session_cache
> smtpd_use_tls = no
> strict_rfc821_envelopes = yes
> transport_maps = proxy:mysql:${config_directory}/transports.mysql
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps =
> hash:${config_directory}/canonical_aliases
> proxy:mysql:${config_directory}/aliases.mysql
> virtual_mailbox_domains =
> hash:${config_directory}/canonical_domains
> proxy:mysql:${config_directory}/domains.mysql
> virtual_mailbox_maps = proxy:mysql:${config_directory}/mailboxes.mysql
> # End postconf -n output
>
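To see which of the "local sender from outside" cases mentioned in the reply the proposed map would turn away, here is an added Python emulation (not code from the thread or from Postfix) of the access(5) lookup order Postfix applies for check_sender_access; the domain set, the dict standing in for sender_acl.mysql, and the sample transactions are all constructed.

```python
"""Emulate the access(5) lookup order Postfix applies for check_sender_access
and run it over constructed inbound transactions. Added illustration, not code
from the original thread; the dict below stands in for the MySQL map."""

# Constructed stand-in for sender_acl.mysql: every virtual_mailbox_domains
# entry returns the REJECT result the original poster proposed.
LOCAL_DOMAINS = {"example.com", "srv.example.com"}
REJECT_TEXT = "REJECT Port 25 does not accept mail from local senders."
SENDER_ACL = {d: REJECT_TEXT for d in LOCAL_DOMAINS}

def access_lookup_keys(sender, parent_matches_subdomains=False):
    """Keys tried, in order, for an address pattern in access(5):
    user@domain, domain, its parent domains (bare when
    parent_domain_matches_subdomains includes smtpd_access_maps, otherwise
    dot-prefixed), and finally user@."""
    user, _, domain = sender.lower().rpartition("@")
    keys = [f"{user}@{domain}", domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(f"{user}@")
    return keys

def check_sender_access(sender, acl=SENDER_ACL, parent_matches_subdomains=False):
    """First matching key wins; DUNNO means the next restriction decides."""
    for key in access_lookup_keys(sender, parent_matches_subdomains):
        if key in acl:
            return acl[key]
    return "DUNNO"

# Constructed inbound port-25 transactions: name -> (remote client, envelope sender).
TRANSACTIONS = {
    "subscriber-as-sender": ("list.example.org", "member@example.com"),
    "forwarded-by-remote":  ("relay.example.org", "foo@example.com"),
    "telecommuter-via-isp": ("smtp.isp.example.net", "alice@example.com"),
    "genuine-remote":       ("mx.example.org", "bob@example.org"),
}

def rejected_cases(transactions=TRANSACTIONS):
    """Names of the transactions the local-sender map would turn away."""
    return sorted(name for name, (_, sender) in transactions.items()
                  if check_sender_access(sender).startswith("REJECT"))

if __name__ == "__main__":
    for name, (client, sender) in TRANSACTIONS.items():
        print(f"{name:22} {client:22} {sender:20} {check_sender_access(sender)}")
```

Note that a subdomain sender such as x@sub.example.com only matches the bare "example.com" key when parent_domain_matches_subdomains includes smtpd_access_maps, which the quoted postconf output leaves empty.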