On Tue, 2009-08-04 at 04:17 -0400, Dave wrote:
> Hello,
>       I'm trying to adjust my current antispam measures as they are no
> longer working. I'm running Postfix 2.3 on a RHEL 5 machine. I've got the
> below, which is a postconf -n output of my current configuration. To it I'd
> like to add SPF and Postgrey support in smtpd_recipient_restrictions after
> the RBL checks, and dkim-milter last in the file. I'd appreciate any
> feedback on these settings and suggested improvements, if any.
> Thanks.
> Dave.
> 
> address_verify_map = btree:/var/spool/postfix/verified_senders
> alias_database = hash:/etc/postfix/aliases
> alias_maps = hash:/etc/postfix/aliases
> biff = no
> broken_sasl_auth_clients = yes
> canonical_maps = hash:/etc/postfix/canonical
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> disable_vrfy_command = yes
> empty_address_recipient = MAILER-DAEMON
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = 127.0.0.1, <External IP>
> invalid_hostname_reject_code = 554
> local_recipient_maps = proxy:unix:passwd.byname $alias_maps
> mail_owner = postfix
> mail_spool_directory = /var/spool/mail
> mailbox_size_limit = 104857600
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 20971520
> multi_recipient_bounce_reject_code = 554
> mydomain = example.com
> myhostname = mail.example.com
> mynetworks = 127.0.0.0/8
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> non_fqdn_reject_code = 554
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> recipient_delimiter = +
> relay_domains_reject_code = 554
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> show_user_unknown_table_name = no
> smtp_helo_timeout = 60s
> smtpd_banner = $myhostname
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_error_sleep_time = 5s
> smtpd_hard_error_limit = 20
> smtpd_helo_required = yes
> smtpd_recipient_restrictions =
>     reject_invalid_hostname,
>     reject_non_fqdn_hostname,
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     reject_unknown_sender_domain,
>     reject_unknown_recipient_domain,
>     reject_unverified_sender,
>     reject_unverified_recipient,
>     reject_multi_recipient_bounce,
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     reject_unauth_destination,
>     check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
>     check_helo_access hash:/etc/postfix/helo_checks,
>     check_sender_access hash:/etc/postfix/sender_checks,
>     check_sender_mx_access cidr:/etc/postfix/bogus_mx,
>     check_recipient_access hash:/etc/postfix/recipient_access,
>     check_client_access hash:/etc/postfix/client_checks,
>     check_client_access pcre:/etc/postfix/client_checks.pcre,
>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client black.uribl.com,
>     reject_rbl_client combined.rbl.msrbl.net,
>     reject_rhsbl_sender dsn.rfc-ignorant.org
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = 
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_soft_error_limit = 10
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.crt
> smtpd_tls_CAfile = /etc/postfix/ssl/ca-cert.pem
> smtpd_tls_key_file = /etc/postfix/ssl/smtp.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
> smtpd_tls_session_cache_timeout = 3600s
> strict_rfc821_envelopes = yes
> tls_random_source = dev:/dev/urandom
> unknown_address_reject_code = 554
> unknown_client_reject_code = 554
> unknown_hostname_reject_code = 554
> unknown_local_recipient_reject_code = 550
> unknown_relay_recipient_reject_code = 554
> unknown_virtual_alias_reject_code = 554
> unknown_virtual_mailbox_reject_code = 554
> unverified_recipient_reject_code = 554
> unverified_sender_reject_code = 554
> virtual_alias_maps = hash:/etc/postfix/virtual_alias
> virtual_gid_maps = static:5000
> virtual_mailbox_base = /home/vmail
> virtual_mailbox_domains = /etc/postfix/vhosts
> virtual_mailbox_maps = hash:/etc/postfix/vmaps
> virtual_minimum_uid = 1000
> virtual_uid_maps = static:5000

Postgrey is a reasonable suggestion, but I don't tend to like allowing
repeat connections myself. I like to do a simple 'yes or no' and not
beat around the bush.

If I may comment on your planned use of DKIM and SPF:
many, many people, even legitimate senders, don't have DKIM or SPF, so
implementing this would almost certainly be carnage for lots of your ham if
you decide to block on these criteria. SPF and DKIM are really only useful
for whitelisting, IMHO.

What kind of spam is failing to get caught? Perhaps get Postfix to work
with SpamAssassin, or put in some basic header/body checks to catch
obvious spam?


-- 
-----------------------------------------------------------
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment. 
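Below is an added illustration of the two concrete points in this reply, Postgrey placed after the RBL checks as Dave asked and basic header/body checks, with SPF and DKIM kept in a record-only rather than blocking role. It is an example written for this page, not Dave's final configuration and not anything shipped by the Postfix project. The Postgrey port (its documented default, 10023), the SPF policy socket name `policy-spf`, the DKIM milter address, and every pattern in the two pcre maps are assumptions or constructed placeholders to be replaced with values tuned against your own logs. Note that `permit_mynetworks` and `permit_sasl_authenticated` are moved to the front: in Dave's list they sit after `reject_unverified_sender`, so the probe-mail sender verification was also being applied to his own users.

```conf
# ---- /etc/postfix/main.cf fragment (added example; ports, sockets and paths are assumptions) ----
#
# Order matters: a restriction that returns OK (permit_mynetworks, permit_sasl_authenticated,
# an OK entry in an access table) ends evaluation, so own clients and whitelisted senders
# never reach greylisting, the RBLs, or the SPF daemon.  reject_unauth_destination must
# come before any check_*_access table whose OK could otherwise open the relay.
# reject_unverified_sender is left out on purpose: it sends a probe message for every
# new sender address and is better limited to selected senders via check_sender_access.
# Postgrey (assumed default port 10023) sits after the RBL checks, so it is only consulted
# for clients the DNSBLs did not already reject.  The SPF daemon (socket name assumed) is
# expected to be configured to prepend a Received-SPF: header only, not to reject.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023,
    check_policy_service unix:private/policy-spf,
    permit

# header_checks/body_checks run in cleanup(8), i.e. on mail submitted by your own users too,
# so keep the patterns narrow and prefer WARN (log only) until you have seen what they hit.
header_checks = pcre:/etc/postfix/header_checks.pcre
body_checks   = pcre:/etc/postfix/body_checks.pcre

# DKIM milter last.  With milter_default_action = accept a dead milter cannot turn into
# rejections; the verification result is just recorded in the message headers.
# Milter address is an assumption; use whatever your dkim-milter is listening on.
smtpd_milters     = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

# ---- /etc/postfix/header_checks.pcre (constructed patterns for illustration) ----
# Each header is presented as one logical line, folded continuation lines included.
# Log-only entry for tuning; promote to REJECT once the log shows no false positives.
/^Subject: .*\b(?:v[i1]agra|c[i1]alis)\b/i        WARN spammy subject
# Executable attachments: a classic, low false-positive rejection.
/^Content-(?:Type|Disposition): .*name=.*\.(?:exe|scr|pif|com)\b/i  REJECT executable attachments are not accepted

# ---- /etc/postfix/body_checks.pcre (constructed; body lines are matched one at a time,
# so a URL split across two lines will not match) ----
# Hold mail with links to bare IP addresses for a human to look at instead of rejecting.
/https?:\/\/\d{1,3}(?:\.\d{1,3}){3}\//i            HOLD URL with bare IP address
```

The `unix:private/policy-spf` entry needs a matching `policy-spf` spawn service in master.cf, as described in your SPF daemon's documentation. Before reloading, run `postconf -n` and `postfix check`, and exercise the maps offline with `postmap -q - pcre:/etc/postfix/header_checks.pcre < saved-message.eml`, which prints the action that would fire for each matching header. For the whitelisting use that this reply favours, an `OK` line in `client_checks` or `sender_checks` for a known-good relay bypasses the RBLs, Postgrey and the SPF daemon below it, and Postgrey's own `whitelist_clients` file does the same for greylisting only; the `Received-SPF:` header the daemon prepends can then be scored by SpamAssassin rather than being rejected at SMTP time.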