Replies in the middle of the email for clarity.
On Mon, 22 Jan 2018 17:18:42 -0500
"Bill Cole" <postfixlists-070...@billmail.scconsult.com> wrote:

> On 21 Jan 2018, at 20:44 (-0500), li...@lazygranch.com wrote:
> 
> > The reverse DNS can only point to one domain
> > name.  
> 
> Not so. Multiple PTR records for one address may violate some
> people's expectations, but it's not wrong if the address doesn't
> really have a public name that is more "real" than the others.
> 

OK, on Digital Ocean, you only get one reverse DNS per "droplet". 

So if I do a reverse DNS lookup on some IP addresses, I will get
multiple domains?
> > If you are hosting multiple domains on one server,  
> 
> Niggle: not one server, one IP address. A server can have many IP 
> addresses and there's a long history of people asking here how to
> make Postfix use specific IPs for specific domains, for essentially
> cosmetic reasons. The multi-instance support mostly ended that FAQ.

Yeah, I screwed up. 
> 
> > all MX records
> > should point to the domain name that has the PTR record.  
> 
> That really makes no difference. It is arguably good practice to have
> a PTR reversing every A record but simplicity is arguably more
> important, so having just one A and one PTR for each name/IP pair is
> fine, even if that IP is handling mail for many domains.
> 

And in practice, doing it wrong doesn't seem to stop the email from
going out.

As it turns out, between the two Digital Ocean droplets I'm running
(the one I'm on now and the new one I'm setting up), neither has the
reverse DNS set up properly. Reading the Postfix documentation, all
that is required is a reverse DNS pointing to something. There doesn't
have to be a match.

"reject_unknown_reverse_client_hostname
Reject the request when the client IP address has no address->name
mapping."

I put in a few "features" from this website:
http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix
This link is similar, though he suggests fail2ban. I find the anvil
code works well enough.
http://centosfaq.org/centos/sasl-attacks-and-spam/

Comments appreciated. I generally just trawl this list and make
changes as people suggest. Or not change anything as Viktor always
suggests. ;-)

# SASL (authentication handled by Dovecot over its unix socket)
smtpd_sasl_type = dovecot
broken_sasl_auth_clients = yes
smtpd_helo_required = yes
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# All of the restriction lists below are evaluated at RCPT TO time
# (smtpd_delay_reject defaults to yes), so reject_unauth_destination in
# the client and sender lists is redundant with the copies in the
# recipient and relay lists; it does no harm there.
# reject_rbl_client queries the *client IP* only. The "rhsbl" name
# suggests a domain-based (right-hand-side) list, which is never going
# to match an IP query; a domain list belongs behind reject_rhsbl_sender
# or reject_rhsbl_client instead.
# cbl.abuseat.org data is already included in zen.spamhaus.org (via XBL).
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  reject_non_fqdn_recipient,
  reject_rbl_client rhsbl.scientificspam.net,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client b.barracudacentral.org,
  reject_rbl_client ix.dnsbl.manitu.net,
  reject_rbl_client rabl.nuclearelephant.com,
  reject_rbl_client zen.spamhaus.org,
  check_policy_service unix:private/policy
# reject_unknown_reverse_client_hostname: the client IP must have a PTR;
# the name it points to does not have to resolve back to the IP.
smtpd_client_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  reject_unknown_reverse_client_hostname,
  check_client_access hash:/etc/postfix/spamsources
smtpd_sender_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  reject_unknown_address,
  check_sender_access hash:/etc/postfix/spamsources
smtpd_relay_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  check_policy_service unix:private/policy
#lines added after hacker attack
# Slow down clients that keep producing errors, then drop them.
smtpd_error_sleep_time = 2s
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 6
# anvil limits: each count is per client IP per anvil_rate_time_unit
# (default 60s). mynetworks clients are exempt by default
# (smtpd_client_event_limit_exceptions).
smtpd_client_connection_rate_limit = 3
# smtpd_client_auth_rate_limit requires Postfix 3.1 or later.
smtpd_client_auth_rate_limit = 20
smtpd_client_connection_count_limit = 3
smtpd_client_new_tls_session_rate_limit = 3
smtpd_client_recipient_rate_limit = 3
smtpd_recipient_limit = 14
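The difference between "a PTR must exist" and "the PTR must match", which the message above gets at by quoting reject_unknown_reverse_client_hostname, modelled as an added example. This is not code from the thread or from Postfix; the addresses, host names and DNS records are constructed, and the two lookup callbacks stand in for real PTR/A queries so it runs offline. The rejection text paraphrases Postfix's messages rather than copying them.

```python
"""What Postfix's two reverse-DNS client restrictions actually test.

Added example for this thread; not code from Postfix or from the poster.
The DNS data, addresses and names are constructed (hypothetical), and
the resolver callbacks replace real PTR/A lookups so this runs offline.
"""
from typing import Callable, Dict, List, Optional

# Constructed records. The trailing "." marks fully qualified names.
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.net."],                      # PTR and A agree (FCrDNS)
    "192.0.2.11": ["mail.example.net.", "www.example.org."],  # two PTRs, one points back
    "192.0.2.12": ["host.example.com."],                      # PTR exists, A points elsewhere
    "192.0.2.13": [],                                         # no PTR at all
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.net.": ["192.0.2.10", "192.0.2.11"],
    "www.example.org.": ["203.0.113.5"],
    "host.example.com.": ["198.51.100.7"],
}

PtrLookup = Callable[[str], List[str]]
ALookup = Callable[[str], List[str]]


def lookup_ptr(ip: str) -> List[str]:
    """Stand-in for a PTR query against the constructed zone."""
    return PTR_RECORDS.get(ip, [])


def lookup_a(name: str) -> List[str]:
    """Stand-in for an A query against the constructed zone."""
    return A_RECORDS.get(name, [])


def reject_unknown_reverse_client_hostname(ip: str, ptr: PtrLookup = lookup_ptr) -> Optional[str]:
    """The check quoted in the thread: an address->name mapping must exist.
    No forward confirmation; the name may point at any address."""
    if not ptr(ip):
        return "cannot find your reverse hostname"
    return None


def reject_unknown_client_hostname(
    ip: str, ptr: PtrLookup = lookup_ptr, a: ALookup = lookup_a
) -> Optional[str]:
    """The stricter restriction: a PTR must exist and a name from it must
    resolve back to the client IP (forward-confirmed reverse DNS)."""
    names = ptr(ip)
    if not names:
        return "cannot find your reverse hostname"
    if not any(ip in a(name) for name in names):
        return "cannot find your hostname"
    return None


def evaluate(ip: str) -> Dict[str, Optional[str]]:
    """Run both restrictions; None means the client passes that check."""
    return {
        "reject_unknown_reverse_client_hostname": reject_unknown_reverse_client_hostname(ip),
        "reject_unknown_client_hostname": reject_unknown_client_hostname(ip),
    }


if __name__ == "__main__":
    for client_ip in PTR_RECORDS:
        print(client_ip, evaluate(client_ip))
```

Two caveats the model glosses over. Postfix resolves the client name through the system resolver (getnameinfo followed by getaddrinfo), which hands it a single PTR name, so for an address with several PTRs the real outcome depends on which name comes back; the "any name points back" test above is the lenient reading, and that is where the "violates some people's expectations" remark in the quoted reply comes from. Second, Postfix answers with unknown_client_reject_code (default 450) and always uses a temporary 450 when the lookup failed for a temporary reason, so a DNS outage defers mail rather than bouncing it; the example only distinguishes pass from fail.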
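The fail2ban-style alternative the message mentions and then sets aside in favour of anvil, as an added example: count failed SASL logins per client IP in Postfix smtpd log lines and flag any IP that crosses a maxretry threshold within a findtime window. This is not fail2ban's own filter and not code from the thread; the log lines are constructed, with the host name "mx", the PIDs and the addresses made up, and the syslog layout follows the "warning: name[ip]: SASL LOGIN authentication failed: ..." form Postfix writes.

```python
"""Flag client IPs with repeated SASL authentication failures.

Added example for this thread, not fail2ban's filter and not Postfix
code. The log lines below are constructed; "mx", the PIDs and the
addresses are made up. The rule is fail2ban's maxretry/findtime idea:
flag an IP with >= maxretry failures inside any findtime-second window.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Syslog line as Postfix smtpd logs a SASL failure; the base64 tail is
# the client's (rejected) credential echoed back by the LOGIN mechanism.
SASL_FAIL = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(\d+\.\d+\.\d+\.\d+)\]: SASL (\w+) authentication failed"
)

# Constructed sample log (not a real capture).
LOG_LINES: List[str] = [
    "Jan 22 17:18:42 mx postfix/smtpd[1201]: connect from unknown[192.0.2.55]",
    "Jan 22 17:18:43 mx postfix/smtpd[1201]: warning: unknown[192.0.2.55]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 22 17:18:45 mx postfix/smtpd[1201]: warning: unknown[192.0.2.55]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 22 17:18:47 mx postfix/smtpd[1201]: warning: unknown[192.0.2.55]: SASL PLAIN authentication failed: authentication failure",
    "Jan 22 17:19:01 mx postfix/smtpd[1202]: warning: unknown[192.0.2.55]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 22 17:19:30 mx postfix/smtpd[1202]: warning: unknown[192.0.2.55]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 22 17:20:02 mx postfix/smtpd[1203]: warning: unknown[192.0.2.55]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 22 17:25:10 mx postfix/smtpd[1210]: warning: host.example.org[198.51.100.8]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 22 17:25:40 mx postfix/smtpd[1210]: warning: host.example.org[198.51.100.8]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    # Slow attacker: five failures spread over two hours, out of order in the file.
    "Jan 22 17:00:00 mx postfix/smtpd[1180]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 22 15:00:00 mx postfix/smtpd[1100]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 22 15:30:00 mx postfix/smtpd[1120]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 22 16:00:00 mx postfix/smtpd[1140]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 22 16:30:00 mx postfix/smtpd[1160]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
]


def parse_failure(line: str, year: int = 2018) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, client_ip, mechanism) for a SASL failure line, else None.
    Syslog timestamps carry no year, so one is supplied (assumed 2018 here)."""
    match = SASL_FAIL.match(line)
    if match is None:
        return None
    stamp = datetime.strptime(f"{year} {match.group(1)}", "%Y %b %d %H:%M:%S")
    return stamp, match.group(2), match.group(3)


def offenders(lines: List[str], maxretry: int = 5, findtime: int = 600,
              year: int = 2018) -> Dict[str, datetime]:
    """Map each offending IP to the time its failure count first reached
    maxretry within a sliding findtime-second window."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is not None:
            stamp, ip, _mechanism = parsed
            failures[ip].append(stamp)

    flagged: Dict[str, datetime] = {}
    for ip, stamps in failures.items():
        stamps.sort()                      # log order is not guaranteed
        start = 0
        for end, stamp in enumerate(stamps):
            # Slide the window start forward until it fits in findtime.
            while (stamp - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                flagged[ip] = stamp
                break
    return flagged


if __name__ == "__main__":
    for ip, when in offenders(LOG_LINES).items():
        print(f"{ip} reached the limit at {when:%H:%M:%S}")
```

With the defaults only 192.0.2.55 is flagged; the slow attacker at 203.0.113.9 never has five failures inside ten minutes and only shows up when findtime is widened to a few hours. That window is the practical difference from the anvil settings in the config above: smtpd_client_auth_rate_limit caps attempts per anvil_rate_time_unit (60 seconds by default) and nothing else, so a client that paces itself below that rate is never slowed, whereas a log-based counter can look back as far as its findtime.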

