On 10-Mar-2009, at 09:59, Linux Addict wrote:
> smtpd_recipient_restrictions =
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,

I have reject_invalid_hostname here as well (before permit_mynetworks)

> permit_mynetworks,
> permit_sasl_authenticated,
> reject_unauth_destination,
> reject_unlisted_recipient,

I have reject_unlisted_sender instead, followed by:

 check_client_access cidr:/var/db/dnswl/postfix-dnswl-permit
 check_helo_access pcre:$config_directory/helo_checks.pcre,
 check_sender_access pcre:$config_directory/sender_access.pcre,
 check_client_access pcre:$config_directory/check_client_fqdn.pcre,
 check_recipient_access pcre:$config_directory/recipient_checks.pcre,
 check_client_access hash:$config_directory/access,

> reject_invalid_hostname,
> reject_invalid_helo_hostname

These are redundant

> reject_non_fqdn_helo_hostname
> reject_unauth_pipelining,

Why?

> reject_unknown_reverse_client_hostname

You might want reject_unknown_client_hostname instead. Either way, this is probably not the best thing if you are accepting mail for others. You WILL lose email that they will consider to be legitimate. While it is nice to be able to say "Your network is misconfigured" the truth is, if you're handling mail for anyone else you need to be as accepting as is reasonably possible.

> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client bl.spamcop.net,

I would be very very careful about using spamcop if you are accepting mail for others.

> permit


In general you want to structure the order from 'cheapest' to most 'expensive'. Everything before permit_mynetworks is stuff that should be rejected no matter who is sending it, which is why I have invalid_hostname there. Then any other checks that are cheap, followed by any checks that require hash/mysql/cidr/pcre lookups because these are slightly more expensive. Last of all is the RBLs (well, RBL in my case, I only use zen).

--
Growing up leads to growing old, and then to dying/And dying to me
        don't sound like all that much fun.
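
Added example, not part of the original message or of Postfix: a small Python linter that applies the two review points raised in the reply, the redundant reject_invalid_hostname / reject_invalid_helo_hostname pair and the cheapest-to-most-expensive ordering. The function names, the three cost tiers and the sample list are assumptions of this example; the sample is constructed from restriction names quoted in the thread.

```python
import re

# Postfix < 2.3 name -> current name for the same HELO syntax check.
ALIASES = {"reject_invalid_hostname": "reject_invalid_helo_hostname"}
# Cost tiers, cheapest first (this example's own simplification).
TIERS = ["built-in check", "table/policy lookup", "DNSBL lookup"]
# Constructed sample using restriction names quoted in the thread.
SAMPLE = """
    reject_non_fqdn_sender, permit_mynetworks, reject_unauth_destination,
    check_helo_access pcre:$config_directory/helo_checks.pcre,
    reject_invalid_hostname, reject_invalid_helo_hostname,
    reject_rbl_client zen.spamhaus.org, permit
"""

def tier(name):
    if name.startswith("check_"):
        return 1
    if re.fullmatch(r"reject_(rbl|rhsbl)_\w+", name):
        return 2
    return 0

def parse(value):
    """Split a restriction list into (name, argument) pairs."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if tier(name) > 0 and i + 1 < len(tokens):  # these take one argument
            arg, i = tokens[i + 1], i + 1
        items.append((name, arg))
        i += 1
    return items

def lint(value):
    """Flag duplicate checks and cheap checks placed after costlier ones."""
    findings, seen, highest = [], {}, 0
    for name, arg in parse(value):
        key = (ALIASES.get(name, name), arg)
        if key in seen:
            findings.append(("redundant", name, f"same check as {seen[key]}"))
        seen.setdefault(key, name)
        t = tier(name)
        if not name.startswith("permit") and t < highest:
            findings.append(("order", name, f"{TIERS[t]} after a {TIERS[highest]}"))
        highest = max(highest, t)
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```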
