> alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = smtp-amavis:[ 127.0.0.1 <http://127.0.0.1>]:10024

Better send plain text instead of html. The line above was probably mangled by gmail?

> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> disable_vrfy_command = yes
> enable_server_options = yes
> html_directory = no
> inet_interfaces = all
> mail_owner = postfix
> mailbox_size_limit = 0
> mailbox_transport = cyrus
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> maps_rbl_domains =
> message_size_limit = 10485760
> mydestination = $myhostname,localhost.$mydomain,localhost,other.redacted.hosts
> mydomain = redacteddomain.tld

Are these domains in $mydestination actually used? If not you should leave mydestination empty.

> mydomain_fallback = localhost
> myhostname = host.redacteddomain.tld
> mynetworks_style = host
> newaliases_path = /usr/bin/newaliases
> owner_request_special = no
> queue_directory = /private/var/spool/postfix
> readme_directory = /usr/share/doc/postfix
> recipient_delimiter = +
> sample_directory = /usr/share/doc/postfix/examples
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtpd_client_restrictions =
> smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, permit
> smtpd_enforce_tls = no
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_sasl_authenticated,permit_mynetworks,check_helo_access hash:/etc/postfix/helo_access,reject_non_fqdn_hostname,reject_invalid_hostname,permit
> smtpd_pw_server_security_options = cram-md5,gssapi,login
> smtpd_recipient_restrictions = reject_invalid_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unlisted_sender, reject_unknown_sender_domain,reject_unknown_recipient_domain, reject_unlisted_recipient, permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination, reject_rbl_client zen.spamhaus.org,reject_rbl_client list.dsbl.org ,permit

This part looks fine. Further checks depend a bit on your environment. A safe check is to reject all clients that helo with your own IP. Usually it's also safe to reject your own hostname in helo. Do you already have such a check in helo_access? Another mostly safe check is to reject all sender domains which have an mx with a private ip like 10.0.0.0/8 or 127.0.0.0/8. You could also benefit a lot from policy servers for greylisting or policyd-weight to evaluate the spamminess of a connecting client.

> smtpd_sasl_auth_enable = yes
> smtpd_tls_CAfile = /etc/certificates/secure.redacteddomain.tld.chcrt
> smtpd_tls_cert_file = /etc/certificates/secure.redacteddomain.tld.crt
> smtpd_tls_key_file = /etc/certificates/secure.redacteddomain.tld.key
> smtpd_use_pw_server = yes
> smtpd_use_tls = yes
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/etc/postfix/virtual_alias
> virtual_mailbox_domains = hash:/etc/postfix/virtual_domains

Here you seem to have a missing virtual_mailbox_maps for recipient validation. Also check your virtual_alias_maps for wildcard aliases, that would destroy recipient validation as well.

> virtual_transport = lmtp:unix:/var/imap/socket/lmtp

Apart from that your setup looks okay. Concentrate first on rejecting as many spam clients as you can safely reject, then try to raise the detection rate of SA. Greylisting and policyd-weight would reject a lot of the spam in a safe way with little effort for implementation.

It is difficult to help any more specifically when you don't know what domains are suffering from spam. You could post at least the headers of a spam mail that you think should be rejected right away.

-- 
Sandy

List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
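
Added example, not part of the original thread: a small Python audit for the three gaps raised in the reply above (no virtual_mailbox_maps, wildcard entries in virtual_alias_maps, and no helo_access entry for the server's own hostname or IP). The function names, the example.test hostnames, the address 192.0.2.10 and all table contents are constructed for illustration.

```python
# Constructed `postconf -n` style input, modelled on the settings quoted above.
SAMPLE_POSTCONF = """\
myhostname = host.example.test
smtpd_helo_restrictions = permit_mynetworks,check_helo_access hash:/etc/postfix/helo_access,permit
virtual_alias_maps = hash:/etc/postfix/virtual_alias
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
"""
# Constructed contents of the two lookup tables named in that configuration.
SAMPLE_VIRTUAL_ALIAS = """\
# source address      destination
info@example.test     alice@example.test
@example.test         catchall@example.test
"""
SAMPLE_HELO_ACCESS = "localhost REJECT\n"

def parse_postconf(text):
    """Turn `name = value` lines into a dict; empty values stay empty strings."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def table_keys(text):
    """Lookup keys of a Postfix table: skip blanks, comments, continuation lines."""
    return [line.split()[0].lower() for line in text.splitlines()
            if line.strip() and not line.startswith("#") and not line[0].isspace()]

def audit(postconf_text, virtual_alias_text, helo_access_text, own_ips):
    """Return a list of findings (hypothetical helper, not a Postfix tool)."""
    params = parse_postconf(postconf_text)
    findings = []
    # Without virtual_mailbox_maps, every address in a virtual mailbox domain is accepted.
    if params.get("virtual_mailbox_domains") and not params.get("virtual_mailbox_maps"):
        findings.append("virtual_mailbox_domains is set but virtual_mailbox_maps is empty")
    # An @domain key is a catch-all: it makes every recipient in that domain valid.
    for key in table_keys(virtual_alias_text):
        if key.startswith("@"):
            findings.append(f"wildcard alias {key} defeats recipient validation")
    # Clients that HELO with our own name or IP should hit a REJECT entry.
    helo_keys = set(table_keys(helo_access_text))
    for identity in [params.get("myhostname", "").lower(), *own_ips]:
        if identity and identity not in helo_keys and f"[{identity}]" not in helo_keys:
            findings.append(f"helo_access has no entry for own identity {identity}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POSTCONF, SAMPLE_VIRTUAL_ALIAS, SAMPLE_HELO_ACCESS, ["192.0.2.10"]):
        print("FINDING:", finding)
```

To run it against a live server, pass the output of `postconf -n` and the text of the two table source files in place of the constructed samples.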
© 2004-2008 readlist.com