Recently, Somebody Somewhere wrote these words

> And for postfix users who want to put a stranglehold on spam at the
> smtp level, and avoid SA and its huge penalty, look at the postfix
> man pages for the following (note, this is very restrictive, and order
> is important):
>
> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient
>     reject_non_fqdn_sender
>     reject_unknown_sender_domain
>     reject_unknown_recipient_domain
>     permit_mynetworks
>     reject_unauth_destination
>     check_recipient_access hash:/etc/postfix/roleaccount_exceptions
>     check_helo_access pcre:/etc/postfix/helo_checks
>     warn_if_reject reject_non_fqdn_hostname
>     reject_invalid_hostname
>     check_sender_mx_access cidr:/etc/postfix/bogus_mx
>     reject_rbl_client sbl-xbl.spamhaus.org
>     reject_rbl_client relays.ordb.org
>     reject_unverified_sender

I am no expert on smtp, or email in general. So I went away and looked at this. I can only implement a fraction of it without causing ripples. I can see the benefit of smtp level rejection. It is the superior way. But not from here, imho.

First of all, I am separated from the spammer, i.e. I have no smtp transaction with him. The first my postfix sees of a mail is a transaction with fetchmail running locally, and postfix is usually going to accept pop.iol.ie, because it's in files here.

    Received: from pop.iol.ie by localhost with POP3 (fetchmail-6.2.5)
        for [EMAIL PROTECTED] (single-drop); Wed, 16 Nov 2005 14:44:48 +0000 (GMT)

Second, some of the spam and all of my false positives via iol.ie come through the blfs-support list, and bounces to a list get the address unsubscribed. (My NTL addresses still harvest mainly spam.) I am presuming there are smtp rejection rules implemented on linuxfromscratch.org. If there aren't, let us know. Also, if linuxfromscratch.org wants dozens or hundreds of bounces from smtp level rejections downline, let us know. I don't bounce verifiable spam - I sideline or delete, as I believe an end user should.

Third, if I applied things like reject_non_fqdn_sender, reject_unknown_sender_domain or reject_unverified_sender I would bounce several list members with half-cocked mail setups, I suspect.

Fourthly, I would also note that I receive no mail until my isp has terminated his transaction with the spammer, and then scanned it fairly thoroughly (some seconds), and then held it for collection (some minutes or hours). That leaves me unclear what percentage of bounces will actually reach a spammer, or more likely waste bandwidth on legit servers until it double bounces somewhere and gets ditched.

Lastly, the smtp restrictions on esat.net/iol.ie are extremely thorough. sbl-xbl.spamhaus.org & relays.ordb.org are already checked and rejected upstream. Even Ireland's worst isp, ntlworld.ie, blocks off several dns blocklists.
Further checking is therefore pointless, except for the ntl addresses on the more obscure blocklists.

--
With best Regards,
Declan Moriarty.
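
The "order is important" remark in the quoted list and the fetchmail point in the reply can be seen together in a small model of first-decision-wins evaluation. This is an added example, not code from the original post or from Postfix; it covers only a subset of the quoted checks in simplified form, and the addresses, networks and blocklist entry are constructed.

```python
import ipaddress

# Subset of the quoted list, in the quoted order. DNS-dependent checks
# (reject_unknown_*_domain, reject_unverified_sender) are left out of this model.
RESTRICTIONS = [
    "reject_non_fqdn_recipient",
    "reject_non_fqdn_sender",
    "permit_mynetworks",
    "reject_unauth_destination",
    "reject_rbl_client",
]

# Constructed sample environment (assumptions, not values from the post).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"home.example"}
RBL_LISTED = {"192.0.2.10"}

def is_fqdn_address(addr):
    """True when the address has a local part and a domain containing a dot."""
    local, _, domain = addr.rpartition("@")
    return bool(local) and "." in domain.strip(".")

def evaluate(client_ip, sender, recipient):
    """Return (action, rule) for the first restriction that makes a decision."""
    ip = ipaddress.ip_address(client_ip)
    for rule in RESTRICTIONS:
        if rule == "reject_non_fqdn_recipient":
            hit = not is_fqdn_address(recipient)
        elif rule == "reject_non_fqdn_sender":
            hit = not is_fqdn_address(sender)
        elif rule == "permit_mynetworks":
            if any(ip in net for net in MYNETWORKS):
                return ("PERMIT", rule)  # later rules are never evaluated
            hit = False
        elif rule == "reject_unauth_destination":
            hit = recipient.rpartition("@")[2].lower() not in LOCAL_DOMAINS
        else:  # reject_rbl_client, against the constructed listing above
            hit = client_ip in RBL_LISTED
        if hit:
            return ("REJECT", rule)
    return ("PERMIT", "end of list")

if __name__ == "__main__":
    # Same message: once straight from a listed host, once injected by local fetchmail.
    print(evaluate("192.0.2.10", "offer@spam.example", "declan@home.example"))
    print(evaluate("127.0.0.1", "offer@spam.example", "declan@home.example"))
    # Checks placed before permit_mynetworks still apply to locally injected mail.
    print(evaluate("127.0.0.1", "root@localhost", "declan@home.example"))
```

In the second case the blocklist lookup is never reached, because the client Postfix sees is the local fetchmail rather than the host that originally sent the message.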