> Justin Kim wrote:
...
>> MrC Wrote:
>> I find that > 45% of the connections:
>>
>>     Reject HELO/EHLO                          34.84%
>>     Reject unknown user                       12.27%
>>
>> can be rejected with cheap checks:
>>
>>      reject_unlisted_recipient
>>      check_helo_access pcre:/etc/postfix/helo_checks.pcre
>>
>> before rbl checks.  That would be a significant hit reduction of RBL
>> checks and messages passed to your content filter.


> 
> Thanks,
> My postconf -n | grep reject now shows this:
> 
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
> reject_unauth_destination reject_unknown_sender_domain
> smtpd_reject_unlisted_recipient = yes
> smtpd_reject_unlisted_sender = yes
> unknown_local_recipient_reject_code = 550
> 
> I don't know how to put check_helo_access

This really belongs on the postfix list...

It might be useful to spend some time learning about the various smtpd 
access checks.

http://www.postfix.org/SMTPD_ACCESS_README.html
http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions

In this case, we're talking about check_helo_access, which can be placed 
under smtpd_helo_restrictions, or if you have the default 
smtpd_delay_reject = yes, you can place it in 
smtpd_recipient_restrictions or earlier.  For example:

main.cf:
    smtpd_recipient_restrictions =
        reject_non_fqdn_recipient
        reject_non_fqdn_sender
        reject_unlisted_recipient
        check_recipient_access pcre:/etc/postfix/invalid_recipients.pcre
        permit_mynetworks
        reject_unauth_destination
        ...
        check_helo_access pcre:/etc/postfix/helo_checks.pcre
        reject_invalid_helo_hostname
        check_sender_access hash:/etc/postfix/sender_checks
        reject_rbl_client zen.spamhaus.org
        ...
        permit

And a sample helo_checks.pcre file:

helo_checks.pcre:
    # Using our domain name...
    /^mydomain\.com$/     REJECT Hijacked hostname "mydomain.com"

    # Using our IP address...
    /^192\.168\.0\.1$/    REJECT Hijacked IP "192.168.0.1"

    # Using "localhost":  no good, we're localhost
    /^localhost$/         REJECT Unacceptable: "localhost"
    /^localhost\.localdomain$/  REJECT Unacceptable: "localhost.localdomain"
    /^friend$/            REJECT Unacceptable: "friend"
    /^computer$/          REJECT Unacceptable: "computer"

    !/\./                 REJECT Unacceptable: Unqualified hostname


> Do I need to create any separate file for helo_checks.pcre? And do the
> postmap after?

Yes, you need to create the file.  I use pcre tables - your postfix may 
not include this table type.  Check postconf -m.  If it does not, use 
another table type and modify the expressions above to work for your 
installation.  Pcre and regexp tables do not require postmap: db tables 
do, so it depends on what lookup table type you use.


> How do I do this? I am really a beginner. Sorry.
> Help me more.
> Thanks,
>
> Justin

There are many discussions on the postfix list about various access 
checks.  For example:

http://groups.google.com/group/list.postfix.users/browse_thread/thread/ab28f3a80908e260/eab8f9d7c77b3c11?lnk=gst&q=check_helo_access&rnum=34#

You might benefit greatly from The Book of Postfix:

    http://www.postfix-book.com/

MrC
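
Added example (not part of the original message, and not Postfix code): a small Python emulation of how the helo_checks.pcre table above is evaluated, showing first-match ordering and the negated `!/\./` rule against sample HELO names. The table text is adapted from the message, the HELO names are constructed, and the parser covers only the `/pattern/flags action` and `!/pattern/` forms used here.

```python
import re

# Constructed copy of the helo_checks.pcre rules from the message above
# (mydomain.com and 192.168.0.1 are the message's own placeholder values).
TABLE = r'''
/^mydomain\.com$/            REJECT Hijacked hostname
/^192\.168\.0\.1$/           REJECT Hijacked IP
/^localhost$/                REJECT Unacceptable: "localhost"
/^localhost\.localdomain$/   REJECT Unacceptable: "localhost.localdomain"
/^friend$/                   REJECT Unacceptable: "friend"
/^computer$/                 REJECT Unacceptable: "computer"
!/\./                        REJECT Unacceptable: Unqualified hostname
'''

RULE = re.compile(r'^(!?)/(.*)/([a-zA-Z]*)\s+(.*)$')

def parse(text):
    """Return (negate, compiled_regex, action) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f'unparsable rule: {line!r}')
        negate, pattern, flags, action = m.groups()
        # Postfix pcre tables match case-insensitively by default;
        # the "i" flag toggles that default off.
        re_flags = 0 if 'i' in flags else re.IGNORECASE
        rules.append((negate == '!', re.compile(pattern, re_flags), action))
    return rules

def lookup(rules, helo):
    """First rule that applies wins; None means no match, so Postfix
    moves on to the next restriction in the list."""
    for negate, regex, action in rules:
        if bool(regex.search(helo)) != negate:
            return action
    return None

RULES = parse(TABLE)

if __name__ == '__main__':
    # Constructed sample HELO names.
    for helo in ['mail.example.org', 'MYDOMAIN.COM', 'localhost', 'WIN-PC']:
        print(f'{helo:20} -> {lookup(RULES, helo) or "(no match)"}')
```

On a real installation, `postmap -q "localhost" pcre:/etc/postfix/helo_checks.pcre` runs the same lookup through Postfix itself.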

