On Jul 17, 2007, at 10:25 PM, Dallin Jones wrote:
I do a few different things. I started having a lot of troubles with
my mail server when it started getting spammed pretty bad. I have
Postfix using Amavis to push the email through ClamAV and SpamAssassin.
My server was brought to its knees. It was running at 98-99%
processor load and it would take hours for email to go through. So
here is what I did:
First I added a helo restriction using this:
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    permit
This eliminated about 80% of my spam. The helo_access file allows me
to make exceptions for my clients that have broken networks. In
addition, this file includes rejects for anything coming from itself.
(Handy since most Spammers try to pretend they are you, hoping to get
around your relay restrictions) It looks similar to this:
mydomain.com REJECT You are not me!
localhost REJECT You are not me!
127.0.0.1 REJECT You are not me!
localhost.localdomain REJECT You are not me!
This is an interesting (to me) approach. I've tried to use it, but
get the following:
fatal: open database /etc/postfix/helo_access.db: Inappropriate file
type or format
I admit, all I did was copy and slightly modify the above lines to
see what it would do. :)
Next I added this to my main.cf
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
Forcing everything to use a fully qualified domain name helped
eliminate a ton of spam. The next item I did was the last of the
lightweight stuff, this catches almost everything else:
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/sender_access,
    check_recipient_access hash:/etc/postfix/recipient_access,
    check_helo_access hash:/etc/postfix/secondary_mx_access,
    reject_rbl_client list.dsbl.org
    reject_rbl_client sbl-xbl.spamhaus.org,
    permit
This is also valuable stuff as well, as there are a few directives
here that I've not seen before. I wanted to ask about the format of
the sender_access, recipient_access, and secondary_mx_access files to
which you refer above. Are these basically whitelists? If so, how do
you format the files?
I feel like such a noob. :)
-- Kimball
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
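
Added example, not part of the original thread: a Python check for the text source of a hash: access table such as the helo_access file quoted above. It assumes the access(5) source layout (key, whitespace, action) and that Postfix reads the compiled .db file that postmap builds from that source; the function names and the sample entries are constructed for illustration.

```python
import os
import re

# Constructed sample in the shape of the helo_access file quoted in the thread.
SAMPLE = """\
# reject clients that HELO with our own names
mydomain.com            REJECT You are not me!
127.0.0.1               REJECT You are not me!
client.example.net      OK
broken-line-without-action
"""

REJECTING = {"REJECT", "DEFER", "DEFER_IF_REJECT", "DEFER_IF_PERMIT"}

def parse_access(text):
    """Parse access(5) source text into (key, action, kind) tuples."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                              # blank lines and comments
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()     # indented line continues the previous one
        else:
            logical.append(line.strip())
    entries = []
    for item in logical:
        parts = item.split(None, 1)
        if len(parts) < 2:
            entries.append((parts[0], "", "missing-action"))
            continue
        verb = parts[1].split()[0].upper()
        if verb in REJECTING or re.fullmatch(r"[45]\d\d", verb):
            kind = "reject"
        elif verb == "OK" or verb.isdigit():
            kind = "permit"
        else:
            kind = "other"   # DUNNO, HOLD, FILTER, restriction names, ...
        entries.append((parts[0], parts[1], kind))
    return entries

def db_status(source_path):
    """Report whether the compiled map next to a hash: source file is usable."""
    db_path = source_path + ".db"
    if not os.path.exists(db_path):
        return "missing"     # never compiled: run postmap on the source
    if os.path.getmtime(db_path) < os.path.getmtime(source_path):
        return "stale"       # source edited after the last postmap run
    return "ok"

if __name__ == "__main__":
    for key, action, kind in parse_access(SAMPLE):
        print(f"{kind:15} {key:28} {action}")
```

A table can hold both rejecting and permitting entries, so the same file format serves as a blocklist, an allowlist, or a mix; after any edit to the source, `postmap /etc/postfix/helo_access` rebuilds the .db file.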