Paul Cartwright put forth on 12/8/2010 8:21 AM:

> I didn't realize they were order specific..
> it now reads:
> smtpd_recipient_restrictions = permit_mynetworks
> permit_sasl_authenticated, reject_unauth_destination check_client_access
> pcre:/etc/postfix/fqrdns.pcre, reject_rbl_client dnsbl.sorbs.net,
> reject_rbl_client zen.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org
> reject_rhsbl_helo dbl.spamhaus.org,
> reject_unknown_sender_domain,reject_unknown_recipient_domain,
> reject_non_fqdn_sender, reject_non_fqdn_recipient, check_client_access
> cidr:/etc/postfix/china.cidr
> 
> and reload postfix..
> is that better?

While discussing restrictions in main.cf only, and specifically order
processing, it would actually be better if you pasted main.cf snippets
instead of postconf -n snippets, contrary to the list guidelines.  That
looks logically correct, but needs some tweaking for best performance.

As a general rule for smtpd_foo_restrictions:

1.  inbuilt Postfix checks are fastest (eg. reject_non_fqdn_sender)
2.  local table lookups are 2nd fastest (eg. hash, cidr, pcre)
3.  policy servers can be fast or not so fast, depending on what they do
4.  dnsbl lookups require a remote network query--typically slowest

>> check_client_access pcre:/etc/postfix/fqrdns.pcre
>> instead.
> 
> ah, yup, Debian Lenny, running
> ii  postfix                                                 2.5.5-1.1

Postfix 2.7.1 is available in Debian Backports.  I just installed it a
week or so ago and it works great so far, and enables the better/extra
parameters.  You should upgrade.  Follow the instructions here:

http://www.backports.org/dokuwiki/doku.php?id=instructions

-- 
Stan
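
The general rule above can be checked mechanically. The following is an added example, not part of the original message or of Postfix: it sorts each restriction into one of the four cost tiers listed above and reports cheaper checks that come after a costlier one. The prefix-based tier mapping and the function names are assumptions made for illustration.

```python
import re

# Restriction list as posted in the quoted message above.
POSTED = """permit_mynetworks
 permit_sasl_authenticated, reject_unauth_destination check_client_access
 pcre:/etc/postfix/fqrdns.pcre, reject_rbl_client dnsbl.sorbs.net,
 reject_rbl_client zen.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org
 reject_rhsbl_helo dbl.spamhaus.org,
 reject_unknown_sender_domain,reject_unknown_recipient_domain,
 reject_non_fqdn_sender, reject_non_fqdn_recipient, check_client_access
 cidr:/etc/postfix/china.cidr"""

ARG_PREFIXES = ("check_", "reject_rbl_", "reject_rhsbl_")

def tier(name):
    """Cost tier per the general rule (1 = fastest). Prefix mapping is an assumption."""
    if name.startswith(("reject_rbl_", "reject_rhsbl_")):
        return 4                      # dnsbl lookup, remote network query
    if name == "check_policy_service":
        return 3                      # policy server
    if name.startswith("check_") and name.endswith("_access"):
        return 2                      # local table lookup (hash, cidr, pcre)
    return 1                          # inbuilt Postfix check

def parse(value):
    """Split on commas/whitespace (Postfix accepts both); pair names with arguments."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items, i = [], 0
    while i < len(tokens):
        name = tokens[i]
        has_arg = name.startswith(ARG_PREFIXES) and i + 1 < len(tokens)
        items.append((name, tokens[i + 1] if has_arg else None))
        i += 2 if has_arg else 1
    return items

def out_of_order(value):
    """Return (costlier_earlier, cheaper_later, arg) for each cheaper check seen late."""
    findings, worst = [], None        # worst = (tier, name) of costliest check so far
    for name, arg in parse(value):
        t = tier(name)
        if worst is not None and t < worst[0]:
            findings.append((worst[1], name, arg))
        if worst is None or t > worst[0]:
            worst = (t, name)
    return findings

if __name__ == "__main__":
    for costly, cheap, arg in out_of_order(POSTED):
        print(f"{cheap} {arg or ''} runs after {costly}; consider moving it earlier")
```

The checker only reports; when reordering, leave permit_mynetworks, permit_sasl_authenticated and reject_unauth_destination where they are, since their position decides who may relay, and rearrange only the checks that follow them.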
