Willy De la Court wrote:
> Hi all,
> 
> Just a question about spam prevention and resource optimisation.
> 
> What is the best way to go? I have this as spam prevention at the moment.
> 
> smtpd_helo_restrictions =
>    permit_mynetworks,
>    permit_sasl_authenticated,
>    reject_non_fqdn_hostname,
>    reject_invalid_hostname,
>    permit
> 
> smtpd_sender_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     permit
> 
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_pipelining,

useless.

>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,

useless. you're checking your own domains and domains that will be
rejected by reject_unauth_destination.

>     reject_unauth_destination,
>     reject_invalid_hostname,
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client zen.spamhaus.org,
>     reject_unlisted_recipient,
>     check_policy_service inet:127.0.0.1:60000,
>     permit
> 
> This means that there are a number of tests before the actual recipient
> address is tested, would it not be better to place the
> reject_unlisted_recipient very early in the chain?

it would avoid doing DNS queries when the recipient is invalid. This
reduces the load of your server and that of DNSBL servers.

see below for a better way to do your checks.

> Or am I wrong here. In
> placing the reject_unlisted_recipient earlier in the chain would I not make
> it easier for dictionary attacks to succeed?

Forget about dictionary attacks. The only spam that seems to target
valid addresses only is "snowshoe spam", but then it won't be blocked by
any of your checks. Other than that I keep seeing the same (invalid)
addresses hit again and again.

> The check_policy_server is the
> postgrey implementation of http://postgrey.schweikert.ch/
> 
> I added the reject_unlisted_recipient before the postgrey policy test
> because I noticed unknown recipients being passed to the postgrey policy
> test.
> 

Make sure you have:

unknown_local_recipient_reject_code = 550

if this doesn't fix your problem, post a _new_ question, with infos as
recommended in the DEBUG README.

> Any comments would be welcome.
> 

Assuming the default smtpd_delay_reject=yes, consider putting all your
anti-spam checks under smtpd_recipient_restrictions.

remove smtpd_helo_restrictions and smtpd_sender_restrictions, and set:

smtpd_recipient_restrictions =
     reject_non_fqdn_sender
     reject_non_fqdn_recipient
     permit_mynetworks
     permit_sasl_authenticated
     reject_unauth_destination
     reject_unlisted_recipient
     reject_invalid_hostname
     reject_non_fqdn_hostname
     reject_rbl_client zen.spamhaus.org
     reject_rbl_client bl.spamcop.net
     reject_unknown_sender_domain
     check_policy_service inet:127.0.0.1:60000

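As an added illustration (not part of this thread, and not Postfix code), here is a small Python model of how Postfix walks a restriction list under smtpd_delay_reject=yes, counting the DNS lookups each ordering triggers before the recipient is validated. All addresses, networks and table contents are constructed sample data.

```python
# Simplified model of Postfix restriction-list evaluation (added example,
# not Postfix code).  A restriction returns "PERMIT", "REJECT" or None (no
# opinion) and the chain stops at the first verdict; DNS-based checks bump
# a counter so the cost of two orderings can be compared.  Constructed data.
import ipaddress

MY_DOMAINS = {"example.com"}
LOCAL_USERS = {"alice@example.com", "bob@example.com"}
MY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
DNSBL_LISTED = {"203.0.113.7"}               # stands in for a zen/spamcop hit
RESOLVABLE = {"example.com", "example.net"}  # stands in for MX/A lookups

class Session:
    def __init__(self, client_ip, sender, recipient):
        self.client_ip, self.sender, self.recipient = client_ip, sender, recipient
        self.dns_lookups = 0                 # incremented by DNS-based checks

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s.client_ip)
    return "PERMIT" if any(ip in n for n in MY_NETWORKS) else None

def reject_unauth_destination(s):
    return None if s.recipient.rsplit("@", 1)[-1] in MY_DOMAINS else "REJECT"

def reject_unlisted_recipient(s):            # local table lookup, no DNS
    return "REJECT" if s.recipient not in LOCAL_USERS else None

def reject_rbl_client(s):                    # one DNSBL query per call
    s.dns_lookups += 1
    return "REJECT" if s.client_ip in DNSBL_LISTED else None

def reject_unknown_sender_domain(s):         # DNS lookup on sender domain
    s.dns_lookups += 1
    return "REJECT" if s.sender.rsplit("@", 1)[-1] not in RESOLVABLE else None

def evaluate(chain, session):
    """Walk the chain in order; return (verdict, dns_lookups)."""
    for restriction in chain:
        verdict = restriction(session)
        if verdict:
            return verdict, session.dns_lookups
    return "PERMIT", session.dns_lookups     # implicit permit at end of list

# Poster's order: sender restrictions (DNS) run first, then DNSBL queries,
# and only then is the recipient validated.
ORIGINAL_ORDER = [permit_mynetworks, reject_unknown_sender_domain,
                  reject_unauth_destination, reject_rbl_client,
                  reject_rbl_client, reject_unlisted_recipient]
# Reply's order: cheap local checks first, DNS-based checks last.
SUGGESTED_ORDER = [permit_mynetworks, reject_unauth_destination,
                   reject_unlisted_recipient, reject_rbl_client,
                   reject_rbl_client, reject_unknown_sender_domain]
```

For a nonexistent local recipient from an outside host, the original order spends three DNS lookups before rejecting, the suggested order none.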