Re: Review / Recommend My Main.CF?

From: mouss (no email)
Date: Thu Apr 10 2008 - 18:49:21 EDT

  • Next message: Rocco Scappatura: "RE: SMTP question"

    Carlos Williams wrote:
    > I recently posted on here an extreme losing battle I had with SPAM. Well it
    > turned out I was a huge open relay for SPAM from all over the world. I had a
    > friend swing by and look at my main.cf and he recommended I do some massive
    > cleanup on my main.cf. Since the changes were made, we have had a 98%
    > reduction in SPAM. It is crazy how much faster our email server is when the
    > entire world was not relaying to it...
    >
    > This being said, I am still not using Spamassassin or anything but RBL in my
    > main.cf. I am still getting a few SPAM messages but nowhere near what we had
    > 2 weeks ago since I last posted here.
    >
    > I am now just wondering if anyone sees anything else from my main.cf that
    > can be improved upon or perhaps you see something that just does not make
    > sense. I am reading The Book of Postfix and it recommends a lot of great
    > stuff but I am only a few chapters deep.
    >
    > Anyways - for anyone who does not mind spreading some useful suggestions to
    > a newbie Postfix admin, this would be greatly appreciated!
    >
    > **MAIN.CF**
    >

    I guess this is the output of 'postconf -n'.

    > [snip]
    > mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
    > mydomain = mydomain.org
    >

    next time, use example.com, example.org, example.net, anything.example
    as example domains. This is the standard, makes things clear, and
    avoids hijacking "normal" domains. try
    % whois mydomain.org

    > myhostname = mail.mydomain.org
    > [snip]
    > relay_domains = $mydestination, domain.net, domain.com, sonething.org
    >

    - remove $mydestination from relay_domains.
    - also set
    parent_domain_matches_subdomains =
    to avoid relaying for any *.domain.com... See
        http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains

    - set relay_recipient_maps to enable recipient validation for relay
    recipients. if you can't (please try hard!), then you'll have to use
    address verification (reject_unverified_recipient). See
        http://www.postfix.org/BACKSCATTER_README.html

    > [snip]
    > smtpd_client_restrictions =
    > permit_mynetworks,
    > reject_rbl_client bl.spamcop.net,
    > reject_rbl_client zen.spamhaus.org,
    > reject_rbl_client safe.dnsbl.sorbs.net,
    > reject_rbl_client cbl.abuseat.org,
    > reject_rbl_client list.dsbl.org
    > smtpd_data_restrictions = reject_multi_recipient_bounce
    >

    you can add
        reject_unauth_pipelining

    cbl is included in xbl, thus in zen, so you can remove it. I would put zen
    before spamcop.

    > [snip]
    > smtpd_helo_restrictions =
    > permit_mynetworks,
    > reject_invalid_hostname,
    > reject_non_fqdn_hostname,
    > reject_rbl_client bl.spamcop.net,
    > reject_rbl_client zen.spamhaus.org,
    > reject_rbl_client safe.dnsbl.sorbs.net,
    > reject_rbl_client cbl.abuseat.org,
    > reject_rbl_client list.dsbl.org regexp:/etc/postfix/helo.regexp,
    >

    it is recommended to specify the check_*_access before maps. so use
        check_helo_access regexp:/etc/postfix/helo.regexp
    instead. This is more readable and can avoid problems if you move checks
    between restrictions.

    > permit
    > smtpd_recipient_restrictions =
    > permit_sasl_authenticated,
    > permit_mynetworks,
    > reject_unauth_destination
    > smtpd_reject_unlisted_recipient = yes
    > smtpd_sasl_auth_enable = yes
    > smtpd_sasl_security_options = noanonymous
    > smtpd_sender_restrictions =
    > permit_mynetworks,
    > check_sender_access hash:/etc/postfix/access,
    > hash:/etc/postfix/sender_restrictions,
    > hash:/etc/postfix/siteoverride,
    >

    again, add check_sender_access to the last two maps.

    > reject_unknown_address,
    >
    what's this?

    > reject_unknown_sender_domain,
    > reject_non_fqdn_sender,
    >

    I would put this one a lot sooner. it's very cheap. put it before the
    reject_rbl_client checks. add reject_non_fqdn_recipient as well.

    > [snip]

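The points in the reply above (remove $mydestination from relay_domains, empty
parent_domain_matches_subdomains, set relay_recipient_maps, put check_*_access in
front of every map, drop cbl in favour of zen and list zen first, add
reject_unauth_pipelining and reject_non_fqdn_recipient) can be checked
mechanically against the one-line-per-parameter output of 'postconf -n'. The
script below is an added example, not code from the thread or from Postfix: it
embeds two constructed configs, a weak one that reproduces the patterns in the
original post and a corrected one, and lints both. Domains are example.* names and
the map paths are placeholders; the corrected config moves reject_non_fqdn_sender
into smtpd_client_restrictions, which relies on the default smtpd_delay_reject=yes
(all restriction lists are evaluated at RCPT TO). The lint treats the DNSBLs as the
thread does; list.dsbl.org and cbl.abuseat.org have since shut down, so on a
current host you would remove them regardless.

```shell
#!/bin/sh
# Added example, not code from the thread: a lint for 'postconf -n' output that
# flags the problems mouss points out. Both configs below are constructed samples
# (example.* domains, placeholder map paths), not the poster's real main.cf.
# Weak config: reproduces the patterns from the original post.
WEAK_MAINCF='relay_domains = $mydestination, example.net, example.com
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, regexp:/etc/postfix/helo.regexp, permit
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/access, hash:/etc/postfix/sender_restrictions, reject_unknown_sender_domain, reject_non_fqdn_sender
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'

# Corrected config: the same server after applying the advice in the reply.
FIXED_MAINCF='relay_domains = example.net, example.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
parent_domain_matches_subdomains =
smtpd_client_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_pipelining, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, check_helo_access regexp:/etc/postfix/helo.regexp, permit
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/access, check_sender_access hash:/etc/postfix/sender_restrictions, reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'

get_param() { printf '%s\n' "$2" | sed -n "s/^$1 =[ ]*//p"; }  # value of NAME, '' if unset or empty
has_param() { printf '%s\n' "$2" | grep -q "^$1 ="; }          # NAME listed at all (postconf -n omits defaults)
restriction_tokens() { get_param "$1" "$2" | tr ',' ' '; }      # Postfix splits lists on commas and whitespace

# Every lint_* prints FINDING lines and returns 1 when something is wrong.
lint_relay_domains() {  # $mydestination is delivered locally; it does not belong in relay_domains
    case " $(get_param relay_domains "$1") " in
        *'$mydestination'*) echo "FINDING: remove \$mydestination from relay_domains"; return 1 ;;
    esac
}

# The default parent_domain_matches_subdomains includes relay_domains, so every
# *.example.com would be relayed for; an empty value turns that off.
lint_subdomain_matching() {
    if has_param parent_domain_matches_subdomains "$1"; then
        case " $(get_param parent_domain_matches_subdomains "$1") " in
            *relay_domains*) echo "FINDING: parent_domain_matches_subdomains lists relay_domains"; return 1 ;;
        esac
    else
        echo "FINDING: parent_domain_matches_subdomains at default (includes relay_domains)"; return 1
    fi
}

# A map (hash:, regexp:, pcre:, ...) inside a restriction list must follow a
# check_*_access restriction, otherwise its meaning depends on which list it is in.
lint_bare_maps() {
    rc=0; prev=""
    for tok in $(restriction_tokens "$1" "$2"); do
        case "$tok" in
            *:*) case "$prev" in check_*_access) ;;
                 *) echo "FINDING: $1: bare map $tok, write check_*_access $tok"; rc=1 ;; esac ;;
        esac
        prev=$tok
    done
    return $rc
}

# cbl.abuseat.org is already inside zen.spamhaus.org (via XBL), and zen should come first.
lint_dnsbl() {
    rc=0; seen_spamcop=0; list=$(restriction_tokens "$1" "$2")
    for tok in $list; do
        case "$tok" in
            bl.spamcop.net) seen_spamcop=1 ;;
            zen.spamhaus.org) [ "$seen_spamcop" -eq 0 ] ||
                { echo "FINDING: $1: put zen.spamhaus.org before bl.spamcop.net"; rc=1; } ;;
            cbl.abuseat.org) case " $list " in *" zen.spamhaus.org "*)
                echo "FINDING: $1: cbl.abuseat.org is redundant with zen.spamhaus.org"; rc=1 ;; esac ;;
        esac
    done
    return $rc
}

# Cheap restrictions and recipient validation that the reply asks for.
lint_missing() {
    rc=0; all=""
    for p in smtpd_client_restrictions smtpd_helo_restrictions smtpd_sender_restrictions \
             smtpd_recipient_restrictions smtpd_data_restrictions; do all="$all $(get_param "$p" "$1")"; done
    for want in reject_unauth_pipelining reject_non_fqdn_recipient; do
        case "$all" in *"$want"*) ;; *) echo "FINDING: no restriction list contains $want"; rc=1 ;; esac
    done
    has_param relay_recipient_maps "$1" || { echo "FINDING: relay_recipient_maps unset, relay recipients unvalidated"; rc=1; }
    return $rc
}

# lint_config CONFIG: run every check; the return value is the number of findings.
lint_config() {
    n=0
    lint_relay_domains "$1" || n=$((n + 1))
    lint_subdomain_matching "$1" || n=$((n + 1))
    for p in smtpd_client_restrictions smtpd_helo_restrictions smtpd_sender_restrictions smtpd_recipient_restrictions; do
        lint_bare_maps "$p" "$1" || n=$((n + 1))
        lint_dnsbl "$p" "$1" || n=$((n + 1))
    done
    lint_missing "$1" || n=$((n + 1))
    return $n
}

# Stand-alone run over both samples; on a real host use: lint_config "$(postconf -n)"
n=0; lint_config "$WEAK_MAINCF" || n=$?; echo "weak config: $n finding(s)"
n=0; lint_config "$FIXED_MAINCF" || n=$?; echo "fixed config: $n finding(s)"
```

On the weak sample the script reports six findings (relay_domains, subdomain
matching, a bare map in the helo and in the sender list, the DNSBL order and
redundancy in the client list, and the missing cheap checks plus
relay_recipient_maps); the corrected sample reports none. Feed it the real
'postconf -n' output rather than main.cf itself, since postconf joins continuation
lines and the lint assumes one parameter per line.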
