On Sun, 02 Aug 2009 11:24:17 +0100, Clunk Werclick <clunk.wercl...@wibblywobblyteapot.co.uk> wrote: > On Sun, 2009-08-02 at 11:56 +0200, Willy De la Court wrote: >> Hi all, >> >> Just a question about spam prevention and resource optimalisation. >> [SNIP] >> >> This mean that there are a number of tests before the actual recipient >> address is tested, would it not be better to place the >> reject_unlisted_recipient very early in the chain? Or am I wrong here. In >> placing the reject_unlisted_recipient earlier in the chain would I not >> make >> it easier for dictionary attacks to succeed? The check_policy_server is >> the >> postgrey implementation of http://postgrey.schweikert.ch/ >> >> I added the reject_unlisted_recipient before the postgrey policy test >> because I noticed unknown recipients being passed to the postgrey policy >> test. >> >> Any comments would be welcome. > Hello Willy, > > It depends on how aggressive you wish to be. Looking at the last half an > hour in my logs, the statistics show my blocking going on. The big fishy > is 'No PTR' (in words of another no reverse DNS at all) then followed by > spoof attempts (b...@example.com to b...@example.com). > > I block both of these types before passing to a big list of dnsbl's - > but they may not be entirely suitable in production and it depends upon > your BOFH mentality/level -v- your users complaining; > > > smtpd_sender_restrictions = > permit_mynetworks > permit_sasl_authenticated > reject_unauth_destination > reject_unknown_reverse_client_hostname
This one seems interesting. Need to try it out. > check_sender_access hash:/etc/postfix/nospoof The nospoof is a big nono for me. > reject_rbl_client no-more-funn.moensted.dk > reject_rbl_client bl.spamcop.net > reject_rbl_client dnsbl-1.uceprotect.net > reject_rbl_client dnsbl-2.uceprotect.net > reject_rbl_client dnsbl-3.uceprotect.net > reject_rbl_client dnsbl.sorbs.net > reject_rbl_client bl.spamcannibal.org > reject_rbl_client spam.dnsbl.sorbs.net > reject_rbl_client zen.spamhaus.org > reject_rbl_client b.barracudacentral.org > permit [SNIP] wow a lot of rbls. I used to use some of these but got a lot of complaints so i'm sticking with just spamcop and spamhaus. > ... > Have much fun and remember some spam is nice. Especially in a baguette > with some 'daddies' sauce Yep very nice. -- Simple things make people happy. Willy De la Court PGP Public Key at http://www.linux-lovers.be/download/public_key.asc PGP Key fingerprint = 784E E18F 7F85 9C7C AC1A D5FB FE08 686C 37C7 A689 GMail <wdl1...@gmail.com>