MacShane, Tracy wrote:
>  
> 
>> -----Original Message-----
>> From: owner-postfix-us...@postfix.org 
>> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Alberto Lepe
>> Sent: Monday, 16 March 2009 4:18 PM
>> To: postfix-users@postfix.org
>> Subject: Too strict?
>>
>> Hello, and thank you in advance for your time!
>>
>> I have been setting up a mail server since more than a week 
>> and after reading several posts/articles and some pages of 
>> the Postfix manual, I'm a little confused about how to setup 
>> the security.
>> The mail server is outside my LAN and it will be used to 
>> serve some domains, with maybe 10 users per domain.
>>
>> This is my main.cf (restrictions):
>>
>> smtpd_data_restrictions = reject_unauth_pipelining 
>> smtpd_recipient_restrictions =
>>      reject_non_fqdn_sender,
>>      reject_non_fqdn_recipient,
>>      permit_mynetworks,
>>      permit_sasl_authenticated,
>> #     reject_unknown_sender_domain,
>> #     reject_unknown_recipient_domain,
>>      reject_unauth_destination,
>>      reject_invalid_helo_hostname,
>>      reject_unlisted_recipient,
>>      reject_unlisted_sender,
>>      reject_invalid_hostname,
>> #       reject_non_fqdn_hostname,
>> #       reject_unknown_client_hostname,
>>      reject_rbl_client zen.spamhaus.org,
>>      reject_rbl_client bl.spamcop.net,
>>     permit
>>
> 
> Leaving aside the other comments people have made, I have
> reject_unknown_sender_domain (AFTER reject_unauth_destination) and
> reject_non_fqdn_hostname configured. The latter check in particular
> rejects thousands of connections a day so I don't have to keep hitting
> the Zen lookups. No FPs that I've ever been made aware of.
> reject_unlisted_recipient is redundant, since it's "yes" by default (but
> no harm leaving it in).

depending on the situation, I have seen reject_non_fqdn_helo_hostname
block from 18% to 45% of junk (compared to what is blocked at postfix time).

The "high" numbers here are seen when this check is done "soon", in
particular before reject_unlisted_* and reject_rbl_client.

if however you put the check after reject_unlisted_* and zen check, the
ratio is a lot less than 1% here.

so the check is only useful in few situations:

- you don't use zen: you don't trust it, or you get too much mail to use
zen for free, and you don't wanna pay for a feed.
- you don't want to do recipient validation at this time. with postfix,
this argument is a bit weak.

on this server, today (at this time), among postfix rejections, 93.46%
are rejected by "safe" checks:

Recipient unknown: 55.47 %
DNSBL zen.spamhaus.org: 23.28 %
Sender unknown: 8.21 %
Relay Attempt: 6.5 %

(the few other checks are not really necessary. I have some snowshoe
checks that I will convert into spamassassin checks)

and judging from SA results, 1.68 % spam has not been blocked by postfix.

In short, the set:

        reject_unauth_destination
        reject_unlisted_recipient
        reject_unlisted_sender
        reject_rbl_client zen.spamhaus.org

is both safe and efficient.
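As an added example (not code from this thread), a small Python script that produces the kind of per-reason breakdown quoted above from Postfix smtpd reject log lines. The log lines are constructed, the hosts and addresses are documentation placeholders, and the reason labels follow the categories used in the message.

```python
import re
from collections import Counter

# Constructed sample lines in the shape Postfix smtpd logs for rejected RCPT
# commands; hosts and addresses are documentation placeholders, not real ones.
SAMPLE_LOG = """\
Mar 16 16:18:05 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <nobody@example.net>: Recipient address rejected: User unknown in local recipient table; from=<a@example.org> to=<nobody@example.net> proto=ESMTP helo=<host.example.org>
Mar 16 16:18:06 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using zen.spamhaus.org; from=<b@example.org> to=<user@example.net> proto=ESMTP helo=<host.example.org>
Mar 16 16:18:07 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 450 4.1.8 <c@nx.invalid>: Sender address rejected: Domain not found; from=<c@nx.invalid> to=<user@example.net> proto=ESMTP helo=<host.example.org>
Mar 16 16:18:08 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.13]: 454 4.7.1 <x@third.example>: Relay access denied; from=<d@example.org> to=<x@third.example> proto=ESMTP helo=<host.example.org>
Mar 16 16:18:09 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[192.0.2.14]: 504 5.5.2 <mypc>: Helo command rejected: need fully-qualified hostname; from=<e@example.org> to=<user@example.net> proto=ESMTP helo=<mypc>
Mar 16 16:18:10 mx postfix/smtpd[2103]: 1234ABCD: client=mail.example.org[198.51.100.5]
"""

# Ordered (label, pattern) pairs; the first match wins. Labels follow the
# categories used in the message above.
REASONS = [
    ("Recipient unknown", re.compile(r"Recipient address rejected: User unknown")),
    ("Sender unknown",    re.compile(r"Sender address rejected: Domain not found")),
    ("Relay Attempt",     re.compile(r"Relay access denied")),
    ("HELO not FQDN",     re.compile(r"Helo command rejected: need fully-qualified hostname")),
]
DNSBL = re.compile(r"blocked using (\S+?);")   # captures the DNSBL zone name

def classify(line):
    """Return a reason label for a smtpd reject line, or None if it is not one."""
    if "NOQUEUE: reject:" not in line:
        return None
    m = DNSBL.search(line)
    if m:
        return "DNSBL " + m.group(1)
    for label, pat in REASONS:
        if pat.search(line):
            return label
    return "other"

def tally(log_text):
    """Count rejections per reason over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        label = classify(line)
        if label is not None:
            counts[label] += 1
    return counts

def percentages(counts):
    """Share of each reason among all rejections, rounded to two decimals."""
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 2) for k, v in counts.items()} if total else {}

if __name__ == "__main__":
    for reason, pct in sorted(percentages(tally(SAMPLE_LOG)).items(), key=lambda kv: -kv[1]):
        print(f"{reason}: {pct} %")
```

Run it against a real mail log (e.g. `python3 script.py < /var/log/mail.log` after changing SAMPLE_LOG to `sys.stdin.read()`) to see which restriction, in your ordering, is doing the work.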
