Re: Review / Recommend My Main.CF?

From: mouss (moussnetoyen.net)
Date: Thu Apr 10 2008 - 17:49:21 CDT


Carlos Williams wrote:
> I recently posted on here an extreme losing battle I had with SPAM. Well it
> turned out I was a huge open relay for SPAM from all over the world. I had a
> friend swing by and look at my main.cf and he recommended I do some massive
> cleanup on my main.cf. Since the changes were made, we have had a 98%
> reduction in SPAM. It is crazy how much faster our email server is when the
> entire world was not relaying to it...
>
> This being said, I am still not using Spamassassin or anything but RBL in my
> main.cf. I am still getting a few SPAM messages but nowhere near what we had
> 2 weeks ago since I last posted here.
>
> I am now just wondering if anyone sees anything else from my main.cf that
> can be improved upon or perhaps you see something that just does not make
> sense. I am reading The Book of Postfix and it recommends a lot of great
> stuff but I am only a few chapters deep.
>
> Anyways - for anyone who does not mind spreading some useful suggestions to
> a newbie Postfix admin, this would be greatly appreciated!
>
> **MAIN.CF**
>

I guess this is the output of 'postconf -n'.

> [snip]
> mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
> mydomain = mydomain.org
>

next time, use example.com, example.org, example.net, anything.example
as example domains. This is the standard and makes things clear, and
avoids hijacking "normal" domains. try
% whois mydomain.org

> myhostname = mail.mydomain.org
> [snip]
> relay_domains = $mydestination, domain.net, domain.com, sonething.org
>

- remove $mydestination from relay_domains.
- also set
parent_domain_matches_subdomains =
to avoid relaying for any *.domain.com... See
    http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains

- set relay_recipient_maps to enable recipient validation for relay
recipients. if you can't (please try hard!), then you'll have to use
address verification (reject_unverified_recipient). See
    http://www.postfix.org/BACKSCATTER_README.html

> [snip]
> smtpd_client_restrictions =
> permit_mynetworks,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client safe.dnsbl.sorbs.net,
> reject_rbl_client cbl.abuseat.org,
> reject_rbl_client list.dsbl.org
> smtpd_data_restrictions = reject_multi_recipient_bounce
>

you can add
    reject_unauth_pipelining

cbl is included in xbl and thus in zen, so you can remove it. I would put zen
before spamcop.

> [snip]
> smtpd_helo_restrictions =
> permit_mynetworks,
> reject_invalid_hostname,
> reject_non_fqdn_hostname,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client safe.dnsbl.sorbs.net,
> reject_rbl_client cbl.abuseat.org,
> reject_rbl_client list.dsbl.org regexp:/etc/postfix/helo.regexp,
>

it is recommended to specify the check_*_access before maps. so use
    check_helo_access regexp:/etc/postfix/helo.regexp
instead. This is more readable and can avoid problems if you move checks
between restrictions.

> permit
> smtpd_recipient_restrictions =
> permit_sasl_authenticated,
> permit_mynetworks,
> reject_unauth_destination
> smtpd_reject_unlisted_recipient = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions =
> permit_mynetworks,
> check_sender_access hash:/etc/postfix/access,
> hash:/etc/postfix/sender_restrictions,
> hash:/etc/postfix/siteoverride,
>

again, add check_sender_access to the last two maps.

> reject_unknown_address,
>
what's this?

> reject_unknown_sender_domain,
> reject_non_fqdn_sender,
>

I would put this one a lot sooner. it's very cheap. put it before the
reject_rbl_client checks. add reject_non_fqdn_recipient as well.
   

> [snip]
>
>
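The checks mouss makes by eye above, written up as a small linter over `postconf -n` output. This is an added example, not code from the thread or from the Postfix project; the sample input is the poster's configuration reassembled into one-parameter-per-line form, the "fixed" configuration is constructed from the reply's advice (its example domains, map paths and trimmed RBL list are assumptions), and the list of recognised restriction names and the cheap-versus-DNS classification are the example's own. It generalises the ordering remark: with the default smtpd_delay_reject=yes all four lists are evaluated at RCPT TO in client, helo, sender, recipient order, so any cheap syntactic check that sits after a DNS-based check in that combined order is reported, not only reject_non_fqdn_sender.

```python
import re
# Constructed sample input: the poster's main.cf as quoted above, one parameter per line.
SAMPLE_POSTCONF = """\
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
mydomain = mydomain.org
myhostname = mail.mydomain.org
relay_domains = $mydestination, domain.net, domain.com, sonething.org
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client safe.dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client list.dsbl.org
smtpd_data_restrictions = reject_multi_recipient_bounce
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client safe.dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client list.dsbl.org regexp:/etc/postfix/helo.regexp, permit
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/access, hash:/etc/postfix/sender_restrictions, hash:/etc/postfix/siteoverride, reject_unknown_address, reject_unknown_sender_domain, reject_non_fqdn_sender
"""
# Constructed "after" version following the reply; the example domains, map paths and the
# trimmed RBL list are this example's own assumptions, not something the thread specifies.
FIXED_POSTCONF = """\
parent_domain_matches_subdomains =
relay_domains = example.net, example.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, check_helo_access regexp:/etc/postfix/helo.regexp
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/access, reject_non_fqdn_sender
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce
"""

# Restrictions that consume the next token as an argument (map, RBL zone, policy service).
ARG_RESTRICTIONS = {"reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_sender", "reject_rhsbl_helo",
                    "check_client_access", "check_helo_access", "check_sender_access", "check_recipient_access", "check_policy_service"}
# Restriction names this linter recognises (a subset of postconf(5), assumed here); anything else is reported.
KNOWN = ARG_RESTRICTIONS | {"permit", "reject", "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination",
                            "reject_unauth_pipelining", "reject_invalid_hostname", "reject_non_fqdn_hostname", "reject_unknown_sender_domain",
                            "reject_non_fqdn_sender", "reject_non_fqdn_recipient", "reject_unknown_recipient_domain", "reject_unverified_recipient"}
# With the default smtpd_delay_reject=yes these lists are evaluated in this order at RCPT TO.
STAGES = ("smtpd_client_restrictions", "smtpd_helo_restrictions", "smtpd_sender_restrictions", "smtpd_recipient_restrictions")
# Checks that cost DNS lookups versus checks that only inspect the command syntax.
DNS_CHECKS = {"reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_sender", "reject_rhsbl_helo",
              "reject_unknown_sender_domain", "reject_unknown_recipient_domain", "reject_unverified_recipient"}
CHEAP_CHECKS = {"reject_invalid_hostname", "reject_non_fqdn_hostname", "reject_non_fqdn_sender", "reject_non_fqdn_recipient"}
MAP_TOKEN = re.compile(r"^[a-z]+:\S+$")  # hash:/path, regexp:/path, pcre:/path, ...

def parse_postconf(text):  # postconf -n or main.cf text -> {parameter: value}
    params, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current and line.strip():  # indented line continues the previous value
            params[current] += " " + line.strip()
        elif line.strip() and not line.startswith("#"):
            name, _, value = line.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params

def split_list(value):  # Postfix lists are comma and/or whitespace separated
    return [t for t in re.split(r"[\s,]+", value) if t]

def tokenize_restrictions(value):  # -> [(name, argument_or_None), ...]
    tokens, out, i = split_list(value), [], 0
    while i < len(tokens):
        takes_arg = tokens[i] in ARG_RESTRICTIONS and i + 1 < len(tokens)
        out.append((tokens[i], tokens[i + 1] if takes_arg else None))
        i += 2 if takes_arg else 1
    return out

def lint(text):  # returns findings as strings: relay settings first, then the restriction lists
    params, findings = parse_postconf(text), []
    if "$mydestination" in split_list(params.get("relay_domains", "")):
        findings.append("relay_domains: remove $mydestination")
    if "relay_domains" in params and "parent_domain_matches_subdomains" not in params:
        findings.append("parent_domain_matches_subdomains: unset, so every subdomain of a relay domain is relayed; set it empty")
    if "relay_domains" in params and not params.get("relay_recipient_maps"):
        findings.append("relay_recipient_maps: unset, so relay recipients are accepted unverified (backscatter risk)")
    ordered = []  # (stage, name) in overall evaluation order
    for stage in STAGES:
        restrictions = tokenize_restrictions(params.get(stage, ""))
        for name, _ in restrictions:
            ordered.append((stage, name))
            if MAP_TOKEN.match(name):
                findings.append(f"{stage}: bare map {name}; write check_*_access {name}")
            elif name not in KNOWN:
                findings.append(f"{stage}: unrecognised restriction {name}")
        rbls = [arg for name, arg in restrictions if name == "reject_rbl_client"]
        if "cbl.abuseat.org" in rbls and "zen.spamhaus.org" in rbls:
            findings.append(f"{stage}: cbl.abuseat.org is already part of zen.spamhaus.org; drop it")
        if {"zen.spamhaus.org", "bl.spamcop.net"} <= set(rbls) and rbls.index("zen.spamhaus.org") > rbls.index("bl.spamcop.net"):
            findings.append(f"{stage}: list zen.spamhaus.org before bl.spamcop.net")
    names = [name for _, name in ordered]
    first_dns = next((i for i, n in enumerate(names) if n in DNS_CHECKS), None)
    for i, (stage, name) in enumerate(ordered):
        if first_dns is not None and i > first_dns and name in CHEAP_CHECKS:
            findings.append(f"{stage}: {name} is cheap; move it ahead of {names[first_dns]} in {ordered[first_dns][0]}")
    if "reject_non_fqdn_recipient" not in names:
        findings.append("smtpd_recipient_restrictions: add reject_non_fqdn_recipient")
    if "reject_unauth_pipelining" not in names + split_list(params.get("smtpd_data_restrictions", "")):
        findings.append("smtpd_data_restrictions: add reject_unauth_pipelining")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_POSTCONF): print(finding)
    print("fixed config:", lint(FIXED_POSTCONF) or "clean")
```

Run it against real output with `postconf -n > current.cf` and `lint(open("current.cf").read())`. The sample produces sixteen findings, including the redundant cbl entry and the zen/spamcop order in both lists, the three bare maps, the unrecognised reject_unknown_address, and the cheap helo and sender checks that only run after the client-stage RBL lookups; the constructed "after" configuration lints clean.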