MacShane, Tracy wrote:
>
>
>> -----Original Message-----
>> From: owner-postfix-us...@postfix.org
>> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Alberto Lepe
>> Sent: Monday, 16 March 2009 4:18 PM
>> To: postfix-users@postfix.org
>> Subject: Too strict?
>>
>> Hello, and thank you in advance for your time!
>>
>> I have been setting up a mail server for more than a week
>> and after reading several posts/articles and some pages of
>> the Postfix manual, I'm a little confused about how to set up
>> the security.
>> The mail server is outside my LAN and it will be used to
>> serve some domains, with maybe 10 users per domain.
>>
>> This is my main.cf (restrictions):
>>
>> smtpd_data_restrictions = reject_unauth_pipelining
>> smtpd_recipient_restrictions =
>>     reject_non_fqdn_sender,
>>     reject_non_fqdn_recipient,
>>     permit_mynetworks,
>>     permit_sasl_authenticated,
>>     # reject_unknown_sender_domain,
>>     # reject_unknown_recipient_domain,
>>     reject_unauth_destination,
>>     reject_invalid_helo_hostname,
>>     reject_unlisted_recipient,
>>     reject_unlisted_sender,
>>     reject_invalid_hostname,
>>     # reject_non_fqdn_hostname,
>>     # reject_unknown_client_hostname,
>>     reject_rbl_client zen.spamhaus.org,
>>     reject_rbl_client bl.spamcop.net,
>>     permit
>
> Leaving aside the other comments people have made, I have
> reject_unknown_sender_domain (AFTER reject_unauth_destination) and
> reject_non_fqdn_hostname configured. The latter check in particular
> rejects thousands of connections a day so I don't have to keep hitting
> the Zen lookups. No FPs that I've ever been made aware of.
> reject_unlisted_recipient is redundant, since it's "yes" by default (but
> no harm leaving it in).
Depending on the situation, I have seen reject_non_fqdn_helo_hostname block from 18% to 45% of junk (compared to what is blocked at Postfix time). The "high" numbers here are seen when this check is done "soon", in particular before reject_unlisted_* and reject_rbl_client. If however you put the check after reject_unlisted_* and the zen check, the ratio is a lot less than 1% here.

So the check is only useful in a few situations:
- you don't use zen: you don't trust it, or you get too much mail to use zen for free, and you don't want to pay for a feed.
- you don't want to do recipient validation at this time. With Postfix, this argument is a bit weak.

On this server, today (at this time), among Postfix rejections, 93.46% are rejected by "safe" checks:

Recipient unknown:       55.47 %
DNSBL zen.spamhaus.org:  23.28 %
Sender unknown:           8.21 %
Relay Attempt:            6.5 %

(the few other checks are not really necessary. I have some snowshoe checks that I will convert into spamassassin checks)

and judging from SA results, 1.68 % of spam has not been blocked by Postfix.

In short, the set:

reject_unauth_destination
reject_unlisted_recipient
reject_unlisted_sender
reject_rbl_client zen.spamhaus.org

is both safe and efficient.
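The per-check percentages in the message above come from counting which restriction fired first for each rejected RCPT. The script below is an added example, not code from either poster, that produces that kind of tally from a Postfix smtpd log. The log lines it runs on are constructed (hosts, addresses and IPs are invented; the line shapes follow Postfix's "NOQUEUE: reject: RCPT from" format), and the category labels and the "safe" set are chosen here to mirror the four checks named above.

```python
"""Tally Postfix smtpd rejections by the restriction that produced them.

Added example (not from the thread). Postfix stops at the first restriction
that rejects, so a log shows only that one reason per RCPT: the share credited
to a check depends on where it sits in smtpd_recipient_restrictions. Moving
reject_non_fqdn_helo_hostname ahead of reject_unlisted_* and the DNSBL check
inflates its share without changing how much mail is rejected overall.
"""
import re
from collections import Counter

# Constructed sample log (assumption: invented hosts/addresses/IPs).
SAMPLE_LOG = """\
Mar 16 04:18:01 mx postfix/smtpd[2210]: connect from unknown[192.0.2.10]
Mar 16 04:18:01 mx postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.org> to=<nobody@example.com> proto=ESMTP helo=<mail.example.org>
Mar 16 04:18:02 mx postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <old@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.org> to=<old@example.com> proto=ESMTP helo=<mail.example.org>
Mar 16 04:18:05 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.20]: 554 5.7.1 <user@other.example>: Relay access denied; from=<b@example.net> to=<user@other.example> proto=ESMTP helo=<relay.example.net>
Mar 16 04:18:09 mx postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[192.0.2.30]: 554 5.7.1 Service unavailable; Client host [192.0.2.30] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/192.0.2.30; from=<c@example.org> to=<user@example.com> proto=ESMTP helo=<host30.example.org>
Mar 16 04:18:12 mx postfix/smtpd[2213]: NOQUEUE: reject: RCPT from unknown[192.0.2.40]: 550 5.1.0 <ghost@example.com>: Sender address rejected: User unknown in virtual mailbox table; from=<ghost@example.com> to=<user@example.com> proto=ESMTP helo=<host40.example.org>
Mar 16 04:18:15 mx postfix/smtpd[2214]: NOQUEUE: reject: RCPT from unknown[192.0.2.50]: 504 5.5.2 <pc50>: Helo command rejected: need fully-qualified hostname; from=<d@example.org> to=<user@example.com> proto=ESMTP helo=<pc50>
Mar 16 04:18:18 mx postfix/smtpd[2215]: NOQUEUE: reject: RCPT from unknown[192.0.2.60]: 554 5.7.1 Service unavailable; Client host [192.0.2.60] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/192.0.2.60; from=<e@example.org> to=<user@example.com> proto=ESMTP helo=<host60.example.org>
Mar 16 04:18:21 mx postfix/smtpd[2216]: NOQUEUE: reject: RCPT from unknown[192.0.2.70]: 450 4.1.8 <f@nxdomain.invalid>: Sender address rejected: Domain not found; from=<f@nxdomain.invalid> to=<user@example.com> proto=ESMTP helo=<host70.example.org>
Mar 16 04:18:25 mx postfix/smtpd[2217]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <sales@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.org> to=<sales@example.com> proto=ESMTP helo=<mail.example.org>
Mar 16 04:18:27 mx postfix/smtpd[2217]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <info@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.org> to=<info@example.com> proto=ESMTP helo=<mail.example.org>
Mar 16 04:18:30 mx postfix/smtpd[2218]: 1A2B3C4D5E: client=mail.example.net[198.51.100.5]
"""

# One reject record per RCPT: client, SMTP code, enhanced status, reason text.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Reason text -> restriction that emitted it. Labels are this script's own;
# the DNSBL label carries the zone name so different lists are kept apart.
RULES = (
    ("Relay attempt", re.compile(r"Relay access denied")),
    ("Recipient unknown", re.compile(r"Recipient address rejected: User unknown")),
    ("Sender unknown", re.compile(r"Sender address rejected: User unknown")),
    ("Sender domain unknown", re.compile(r"Sender address rejected: Domain not found")),
    ("DNSBL {zone}", re.compile(r"blocked using (?P<zone>[^;\s]+)")),
    ("HELO not FQDN", re.compile(r"Helo command rejected: need fully-qualified hostname")),
)

# The four checks the message calls "safe": unauth destination, unlisted
# recipient/sender, and the zen lookup.
SAFE_LABELS = frozenset(
    {"Relay attempt", "Recipient unknown", "Sender unknown", "DNSBL zen.spamhaus.org"}
)


def parse_reject(line):
    """Return the reject record for a line, or None for any other log line."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None


def classify(reason):
    """Map a reject reason to the label of the restriction that produced it."""
    for label, pattern in RULES:
        m = pattern.search(reason)
        if m:
            return label.format(**m.groupdict())
    return "Other"


def tally(log_text):
    """Count rejections per restriction over a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_reject(line)
        if rec:
            counts[classify(rec["reason"])] += 1
    return counts


def shares(counts):
    """Percentage of all rejections attributed to each restriction."""
    total = sum(counts.values())
    if not total:
        return {}
    return {label: round(100.0 * n / total, 2) for label, n in counts.most_common()}


def safe_share(counts, safe=SAFE_LABELS):
    """Percentage of rejections done by the low-false-positive set."""
    total = sum(counts.values())
    if not total:
        return 0.0
    return round(100.0 * sum(n for label, n in counts.items() if label in safe) / total, 2)


if __name__ == "__main__":
    counts = tally(SAMPLE_LOG)
    for label, pct in shares(counts).items():
        print(f"{label + ':':<28}{pct:6.2f} %")
    print(f"{'rejected by safe checks:':<28}{safe_share(counts):6.2f} %")
```

Run it against a real log with `tally(open("/var/log/mail.log").read())`. Because each RCPT logs only the first restriction that fired, compare the "HELO not FQDN" share before and after reordering smtpd_recipient_restrictions to see the ordering effect the message describes; the total number of rejections is the figure to watch, not one check's share.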