Jeroen Geilman said:
Make sure you understand the difference between smtpd_reject_unknown_helo_hostname and smtpd_reject_unknown_[reverse_]client_hostname.

Ok - here's what I understand them each to be:

- reject_unknown_helo_hostname will reject a request if the remote mail server doesn't have an A or MX record
- reject_unknown_client_hostname will reject if a) the remote server fails a reverse lookup (IP points to name), b) fails a forward lookup (name resolves to IP), or c) if the published DNS settings for the hostname state that the IP for the hostname is different than what the remote server is reporting it to be.
- reject_unknown_reverse_client_hostname is less restrictive and will reject only if the remote server fails a reverse lookup.

----------------

No, you definitely want that set to "yes". Not requiring HELO means the helo tests are skipped altogether as there's nothing to match them against.

Got it. I've now got "smtpd_helo_required = yes" in my config.

So here are my current "spam fighting" settings, based on the input from this list:

smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_reverse_client_hostname,
    warn_if_reject reject_non_fqdn_helo_hostname,
    warn_if_reject reject_invalid_helo_hostname,
    warn_if_reject reject_unknown_helo_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_helo_access hash:/etc/postfix/helo_access,
    check_client_access pcre:/etc/postfix/fqrdns.pcre,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client psbl.surriel.com,
    reject_rhsbl_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    permit
smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit

I noticed Jeroen's smtpd_recipient_restrictions included reject_unauth_pipelining, but from what I can tell in the docs I'm supposed to put it in smtpd_data_restrictions. Am I misunderstanding that?

BIG thanks also to everyone who has given me friendly nudges in the right direction. My server now rejects at least 10-20x what it was before, and my client-side SPAM filter isn't getting that much to chew on any more (apart from properly configured SPAM ;) ).

Thanks,
Steve
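
The three lookups described in the message above, as an added example that is not part of the original thread and is not Postfix code: it models only the pass/reject decision for each restriction against a small constructed DNS table. The function names, addresses and hostnames are assumptions made for illustration.

```python
# Added illustration: decision logic only. It does not model Postfix reply
# codes, warn_if_reject, or the handling of temporary DNS errors.
# All DNS data below is constructed (documentation IP ranges, example names).
PTR = {  # client IP -> name (reverse lookup)
    "192.0.2.10": "mail.example.org",
    "192.0.2.20": "host20.example.net",
    "192.0.2.30": "ghost.example.net",
}
A = {  # name -> set of IPs (forward lookup)
    "mail.example.org": {"192.0.2.10"},
    "host20.example.net": {"198.51.100.7"},  # points somewhere else
}
MX = {"example.com": ["mail.example.org"]}  # name -> MX hosts


def fails_unknown_reverse_client_hostname(ip):
    """Fails only when the client IP has no reverse (PTR) mapping."""
    return ip not in PTR


def fails_unknown_client_hostname(ip):
    """Fails on a) no PTR, b) PTR name has no address, c) address mismatch."""
    name = PTR.get(ip)
    if name is None:           # a) reverse lookup fails
        return True
    addrs = A.get(name, set())
    if not addrs:              # b) forward lookup fails
        return True
    return ip not in addrs     # c) forward result does not include the client


def fails_unknown_helo_hostname(helo):
    """Fails when the HELO name has neither an A nor an MX record."""
    return helo not in A and helo not in MX


def rejecting_restrictions(ip, helo):
    """Names of the restrictions that would reject this client, in order."""
    checks = [
        ("reject_unknown_reverse_client_hostname",
         fails_unknown_reverse_client_hostname(ip)),
        ("reject_unknown_client_hostname", fails_unknown_client_hostname(ip)),
        ("reject_unknown_helo_hostname", fails_unknown_helo_hostname(helo)),
    ]
    return [name for name, failed in checks if failed]


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.org"),
                     ("192.0.2.20", "example.com"),
                     ("192.0.2.40", "nowhere.invalid")]:
        print(ip, helo, rejecting_restrictions(ip, helo))
```

The second and third constructed clients show why the reverse-only check is the less restrictive one: a PTR record that exists but does not round-trip passes it and still fails reject_unknown_client_hostname.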