Re: reject_non_fqdn_hostname
From: Daniel L. Miller (dmiller amfes.com)
Date: Mon Oct 03 2005 - 14:49:07 CDT
Mariano Cunietti wrote:
>Hi,
>after reading the Postfix book (terrific book!), I successfully set up
>my mail hubs with brand new smtpd_restrictions.
>Here they are:
>
>smtpd_helo_required = yes
>
>smtpd_client_restrictions =
> reject_rbl_client sbl-xbl.spamhaus.org
> reject_rbl_client http.dnsbl.sorbs.net
> reject_rbl_client dul.dnsbl.sorbs.net
>
>smtpd_sender_restrictions =
> check_sender_access hash:/etc/postfix/sender_access
>
>smtpd_recipient_restrictions =
> reject_non_fqdn_recipient
> reject_non_fqdn_sender
> reject_unknown_sender_domain
> reject_unknown_recipient_domain
> permit_mynetworks
> reject_unauth_destination
> check_recipient_access hash:/etc/postfix/roleaccount_exceptions
> reject_multi_recipient_bounce
> reject_non_fqdn_hostname
> reject_invalid_hostname
> check_recipient_access hash:/etc/postfix/recipient_access
> permit
>
>
>
Here's a snip from mine. I'm sure it's overkill - and for a really
high-traffic site some of these lookups would have to be modified - but
now it's a mere trickle that ever reaches my spam filters.
About the only restriction that ever causes me a problem now is the
greylisting - so when I hear a complaint I tell them to just send
again. I have a 5-second delay set up for my greylist - which lets valid
e-mail through quickly and blocks the majority of the crap.
The lines that have warn_if_reject I sometimes turn on - but they
usually lead to problems with valid e-mail from broken servers. And
while some of these are from smaller companies - some of these
restrictions have caught the guys who ought to have competent IT staff:
Adaptec, Seagate, etc. I still try to call some of these people once in
a while to help them configure their mail servers properly - though it's
usually a waste of my time.

strict_rfc821_envelopes = yes
smtpd_helo_required = yes

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/maps/whitelisted_domains,
    reject_unauth_pipelining,
    reject_rhsbl_client tqmcube.blocked.rbl,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client bl.spamcop.net,
    reject_rhsbl_client rhsbl.ahbl.org,
    reject_rhsbl_client dns.rfc-ignorant.org,
    # A lot of people don't have valid reverse IP
    warn_if_reject reject_unknown_client

smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    check_helo_access hash:/etc/postfix/maps/bonehead_helo,
    warn_if_reject reject_unknown_hostname,
    warn_if_reject reject_non_fqdn_hostname,
    warn_if_reject reject_invalid_hostname,
    check_helo_access hash:/etc/postfix/maps/verify_helo,
    permit

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/maps/whitelisted_senders,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/access,
    check_sender_access hash:/etc/postfix/maps/verify_domain,
    check_sender_access hash:/etc/postfix/maps/verify_sender,
    reject_rhsbl_sender tqmcube.blocked.rbl,
    warn_if_reject reject_unverified_sender,
    permit

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access hash:/etc/postfix/maps/whitelisted_domains,
    reject_invalid_hostname,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unverified_recipient,
    reject_unauth_destination,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client bl.spamcop.net,
    check_policy_service inet:127.0.0.1:60000,
    permit

smtpd_data_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining

disable_vrfy_command = yes

--
Daniel
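
An added example, not part of the original post or of Postfix: a small audit script for restriction lists like the ones above. It reports which restrictions are in `warn_if_reject` (log-only) mode and which access-map lookups in `smtpd_recipient_restrictions` are evaluated before `reject_unauth_destination`, where an `OK` result would accept the recipient before the relay check runs. The function names and the abridged sample are constructed for illustration, and the argument table covers only the restriction families that appear in this thread.

```python
import re
# Constructed sample in main.cf syntax, abridged from the lists quoted in this thread.
SAMPLE = """\
smtpd_helo_restrictions =
    check_helo_access hash:/etc/postfix/maps/bonehead_helo,
    # comment lines inside a value are skipped
    warn_if_reject reject_non_fqdn_hostname,
    warn_if_reject reject_invalid_hostname
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_recipient_access hash:/etc/postfix/maps/whitelisted_domains,
    reject_unauth_destination,
    reject_rbl_client sbl-xbl.spamhaus.org,
    permit
"""
# Restriction families that take one argument (only those used on this page).
TAKES_ARG = ("check_", "reject_rbl_", "reject_rhsbl_")

def parse_main_cf(text):
    """Return {parameter: [(restriction, argument, warn_only), ...]}."""
    tokens, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                       # blank and comment lines are ignored
        if not line[0].isspace():          # unindented text starts a new parameter
            name, _, line = (s.strip() for s in line.partition("="))
        tokens.setdefault(name, []).extend(t for t in re.split(r"[,\s]+", line) if t)
    cfg = {}
    for name, toks in tokens.items():
        items, warn, it = [], False, iter(toks)
        for tok in it:
            if tok == "warn_if_reject":    # modifier: the next restriction only logs
                warn = True
                continue
            arg = next(it, None) if tok.startswith(TAKES_ARG) else None
            items.append((tok, arg, warn))
            warn = False
        cfg[name] = items
    return cfg

def warn_only(cfg):
    """Restrictions in log-only mode, as (parameter, restriction) pairs."""
    return [(p, r) for p, items in cfg.items() for r, _, w in items if w]

def lookups_before_relay_check(cfg):
    """Access-map lookups evaluated before reject_unauth_destination."""
    names = [r for r, _, _ in cfg.get("smtpd_recipient_restrictions", [])]
    cut = names.index("reject_unauth_destination") if "reject_unauth_destination" in names else len(names)
    return [n for n in names[:cut] if n.startswith("check_")]
```

Anything returned by `lookups_before_relay_check` is worth checking by hand: the map should contain no entry that returns `OK` for a domain the server is not responsible for.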