On Sun, 02 Aug 2009 12:44:56 +0200, mouss <mo...@ml.netoyen.net> wrote: > Willy De la Court a écrit : >> Hi all, >> >> Just a question about spam prevention and resource optimalisation. >> >> What is the best way to go. I have this as spam prevention at the moment. >> [SNIP] >> reject_unauth_pipelining, > > useless. > >> reject_non_fqdn_recipient, >> reject_unknown_recipient_domain, > > useless. you're checking your own domains and domains that will be > rejected by reject_unauth_destination. > [SNIP] >> >> This mean that there are a number of tests before the actual recipient >> address is tested, would it not be better to place the >> reject_unlisted_recipient very early in the chain? > > it would avoid doing DNS queries when the recipient is invalid. This > reduces the load of your server and that of DNSBL servers. > > see below for a better way to do your checks. > >> Or am I wrong here. In >> placing the reject_unlisted_recipient earlier in the chain would I not >> make >> it easier for dictionary attacks to succeed? > > Forget about dictionary attacks. The only spam that seems to target > valid addresses only is "snowshoe spam", but then it won't be blocked by > any of your checks. Other than that I keep seeing the same (invalid) > addresses hit again and again.
Yes I'v seen it too. > >> The check_policy_server is the >> postgrey implementation of http://postgrey.schweikert.ch/ >> >> I added the reject_unlisted_recipient before the postgrey policy test >> because I noticed unknown recipients being passed to the postgrey policy >> test. >> > > Make sure you have: > > unknown_local_recipient_reject_code = 550 Yep just checked it it's 550 > > if this doesn't fix your problem, post a _new_ question, with infos as > recommended in the DEBUG README. > I don;t have any problems with this configuration just wanted to know how to improve the stuff. >> Any comments would be welcome. >> > > Assuming the default smtpd_delay_reject=yes, consider putting all your > anti-spam checks under smtpd_recipient_restrictions. > Yes smtpd_delay_reject=yes > remove smtpd_helo_restrictions and smtpd_sender_restrictions, and set: > > smtpd_recipient_restrictions = > reject_non_fqdn_sender > reject_non_fqdn_recipient > permit_mynetworks > permit_sasl_authenticated > reject_unauth_destination > reject_unlisted_recipient > reject_invalid_hostname > reject_non_fqdn_hostname > reject_rbl_client zen.spamhaus.org > reject_rbl_client bl.spamcop.net > reject_unknown_sender_domain > check_policy_service inet:127.0.0.1:60000 I'll see what results I get with these. Thx again for the explanation. -- Simple things make people happy. Willy De la Court PGP Public Key at http://www.linux-lovers.be/download/public_key.asc PGP Key fingerprint = 784E E18F 7F85 9C7C AC1A D5FB FE08 686C 37C7 A689