Re: recipient restrictions: virtual mailboxes and check_policy_service interaction

From: Ion-Mihai Tetcu (itetcuFreeBSD.org)
Date: Tue Mar 04 2008 - 01:56:26 CST


On Mon, 03 Mar 2008 22:04:36 +0100
Sandy Drobic <postfix-usersjapantest.homelinux.com> wrote:

> Ion-Mihai Tetcu wrote:
> > Hi,
> >
> >
> > What I'm trying to understand is why mail for non-existent virtual
> > mailboxes is greylisted instead of rejected from the start.
>
> Because by default the recipient_map is checked at the end of
> smtpd_recipient_restrictions.

I see. I must have missed this in the docs then (or read it wrong that
smtpd_reject_unlisted_recipient is on by default and assumed it would
be checked earlier), thanks.

> You can place this check manually by inserting
> reject_unlisted_recipient into smtpd_recipient_restrictions:
>
> smtpd_recipient_restrictions =
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination,
>     reject_unlisted_recipient,
>     reject_invalid_helo_hostname,
> #   reject_rbl_client zen.spamhaus.org
>     reject_rhsbl_sender dsn.rfc-ignorant.org,
>     reject_rhsbl_sender bogusmx.rfc-ignorant.org,
>     check_policy_service inet:127.0.0.1:10023,
>     check_client_access pcre:/usr/local/etc/postfix/dspamd_filter_access,
>
> I've reordered your checks a bit and removed checks without use
> (reject_unknown_recipient_domain after reject_unauth_destination will
> only reject your own domains,

Yeah, that was a leftover from the testing.

> permit_auth_destination as the last check is also unnecessary since
> that is the only possibility after reject_unauth_destination).

Memory add for me :)

> Try zen.spamhaus.org.

I'm not totally happy with spamhaus' listing/delisting policy (while I
agree they're very effective). I'm using them on major spam/virus
outbreaks but via dspam's rbl support, in order to help lazy users. I
should probably use rokso all the time.

For myself I'm very happy with greylisting and the two rfc-ignorant
sbls plus dspam (and the stats would be much better if not for spam
received via some mailing lists and a few unprotected email aliases
which bypass greylisting).
Here are my stats since my last DB reset:

 # dspam_stats -H itetcu
itetcu:
            TP True Positives: 53519
            TN True Negatives: 285446
            FP False Positives: 15
            FN False Negatives: 2035
            SC Spam Corpusfed: 2144
            NC Nonspam Corpusfed: 28
            TL Training Left: 0
            SHR Spam Hit Rate 96.34%
            HSR Ham Strike Rate: 0.01%
            OCA Overall Accuracy: 99.40%

Thanks for the help,

--
IOnut - Un^d^dregistered ;) FreeBSD "user"
  "Intellectual Property" is nowhere near as valuable as "Intellect"