RE: Too strict?

From: MacShane, Tracy (no email)
Date: Mon Mar 16 2009 - 21:14:00 EDT


    > -----Original Message-----
    > From:
    > [mailto:] On Behalf Of Alberto Lepe
    > Sent: Monday, 16 March 2009 4:18 PM
    > To:
    > Subject: Too strict?
    >
    > Hello, and thank you in advance for your time!
    >
    > I have been setting up a mail server for more than a week
    > and after reading several posts/articles and some pages of
    > the Postfix manual, I'm a little confused about how to set up
    > the security.
    > The mail server is outside my LAN and it will be used to
    > serve some domains, with maybe 10 users per domain.
    >
    > This is my main.cf (restrictions):
    >
    > smtpd_data_restrictions = reject_unauth_pipelining
    > smtpd_recipient_restrictions =
    >     reject_non_fqdn_sender,
    >     reject_non_fqdn_recipient,
    >     permit_mynetworks,
    >     permit_sasl_authenticated,
    >     # reject_unknown_sender_domain,
    >     # reject_unknown_recipient_domain,
    >     reject_unauth_destination,
    >     reject_invalid_helo_hostname,
    >     reject_unlisted_recipient,
    >     reject_unlisted_sender,
    >     reject_invalid_hostname,
    >     # reject_non_fqdn_hostname,
    >     # reject_unknown_client_hostname,
    >     reject_rbl_client zen.spamhaus.org,
    >     reject_rbl_client bl.spamcop.net,
    >     permit
    >

    Leaving aside the other comments people have made, I have
    reject_unknown_sender_domain (AFTER reject_unauth_destination) and
    reject_non_fqdn_hostname configured. The latter check in particular
    rejects thousands of connections a day so I don't have to keep hitting
    the Zen lookups. No FPs that I've ever been made aware of.
    reject_unlisted_recipient is redundant, since it's "yes" by default (but
    no harm leaving it in).
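
An added example, not part of the original message or of Postfix: a small Python check that reads the smtpd_recipient_restrictions list from main.cf text and flags the ordering points raised in the reply above. The sample configuration, the function names and the one-restriction-per-comma parsing are assumptions made for illustration.

```python
# Constructed sample main.cf, ordered the way the reply describes.
SAMPLE_MAIN_CF = """\
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_sender_domain,
#   reject_unknown_client_hostname,
    reject_non_fqdn_hostname,
    reject_rbl_client zen.spamhaus.org,
    permit
"""

# Older restriction names that Postfix still accepts -> current names.
ALIASES = {"reject_non_fqdn_hostname": "reject_non_fqdn_helo_hostname",
           "reject_invalid_hostname": "reject_invalid_helo_hostname"}

def restrictions(main_cf, param="smtpd_recipient_restrictions"):
    """Return the ordered restriction names configured for `param`."""
    logical = []
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                           # blank/comment lines are ignored
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()  # leading whitespace = continuation
        else:
            logical.append(line.strip())
    for entry in logical:
        name, _, value = entry.partition("=")
        if name.strip() == param:
            # Assumption: one restriction per comma, as in the post.
            firsts = [item.split()[0] for item in value.split(",") if item.strip()]
            return [ALIASES.get(n, n) for n in firsts]
    return []

def lint(names):
    """Return warnings for the ordering points raised in the reply."""
    pos = lambda n: names.index(n) if n in names else None
    relay, sender = pos("reject_unauth_destination"), pos("reject_unknown_sender_domain")
    helo, rbl = pos("reject_non_fqdn_helo_hostname"), pos("reject_rbl_client")
    out = []
    if sender is not None and (relay is None or sender < relay):
        out.append("reject_unknown_sender_domain is not after reject_unauth_destination")
    if rbl is not None and (helo is None or helo > rbl):
        out.append("no reject_non_fqdn_helo_hostname before the first reject_rbl_client")
    if "reject_unlisted_recipient" in names:
        out.append("reject_unlisted_recipient duplicates the smtpd_reject_unlisted_recipient default")
    return out
```

Running `lint(restrictions(open("/etc/postfix/main.cf").read()))` on a real file uses the same two functions; the path is the usual default and may differ on your system.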

