John Heim wrote, at 08/14/2008 02:09 PM:

postconf on the mta:

smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, permit_mynetworks, reject_unauth_destination, check_sender_access hash:/etc/postfix/access, permit

Try this:

smtpd_recipient_restrictions =
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    permit_mynetworks
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/access
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    warn_if_reject reject_unknown_reverse_client_hostname
    warn_if_reject reject_unknown_client_hostname
    check_helo_access pcre:/etc/postfix/helo
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client <insert favorite RBL here>

In my experience, reject_unknown_reverse_client_hostname and reject_unknown_client_hostname produce false positives. However, the numbers have gone down, and several members of this list have reported the risk to be acceptable, so I am rejecting them with pretty good results. I am reporting misconfigurations to the legitimate sites and crossing my fingers. I've prepended warn_if_reject to these lines, so you can evaluate them before committing. I do *not* recommend changing unknown_client_reject_code from its default of 450. While it may result in more log lines from retries, I can testify from experience that DNS errors do happen and you don't want to permanently reject mail due to a transient DNS failure.

Use the check_helo_access map to effectively catch some popular obvious spam. In /etc/postfix/helo, I have (among others):

# Block illegal unbracketed IP addresses and bare numbers (including negatives)
# Examples: 192.168.1.34, 12345678, -12345678
/^[\d\.-]*$/ REJECT Unacceptable hostname in helo

# Block legal IPv4 address literals (bracketed IP addresses) due to surge in spam
# NOTE: Make sure your site does not need to support address literals in HELO
# Example: [192.168.1.34]
/^\[[\d\.]*\]$/ REJECT Policy prohibits address literals in helo

# Block localhost (unusual in HELO)
/^localhost(\.localdomain)?$/ REJECT Unacceptable hostname in helo

In addition, my first line of defense is Nolisting, which still works effectively against certain zombies and helps to reduce load upfront, using any packet filter:

 http://nolisting.org/

I supplement this with Selective Unlisting (which relies on iptables at the moment):

 http://unlisting.org/selective.html

With all of these in place, you are in a good position to add some RBLs without overloading them. At the very least, consider zen.spamhaus.org, which to date has been safe enough to use for outright rejection (others you may want to continue to score in SA).
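An added illustration, not part of the post above and not Postfix code: a small Python model of how the restriction list and the HELO map in this message are evaluated. It mirrors Postfix's first-match semantics (each restriction answers OK, REJECT or DUNNO, and the first OK or REJECT decides), the way warn_if_reject turns a REJECT into a log line so evaluation continues, the first-match behaviour of a pcre access map, and the point about the 450 reply code: a client whose reverse lookup fails transiently gets the same temporary 450 as one with no PTR at all, so the sender retries instead of bouncing. Everything in it is constructed: the DNS and RBL tables, the mynetworks and mydestination values, the hypothetical `session()`/`evaluate()` helpers, and the reduced set of restrictions (only the ones needed to show the mechanics, with Python `re` standing in for Postfix's pcre).

```python
import re

# --- Constructed environment (assumptions for the example, not real DNS or RBL data) ---
MYNETWORKS = {"192.0.2.10"}                   # assumed trusted client
MYDESTINATION = {"example.com"}               # assumed local domain
PTR = {                                       # client IP -> PTR name
    "203.0.113.5": "mail.example.net",        # forward-confirmed via A below
    "203.0.113.6": None,                      # NXDOMAIN: no reverse name
    "203.0.113.7": "TEMPFAIL",                # transient DNS failure
    "203.0.113.9": None,
}
A = {"mail.example.net": "203.0.113.5"}       # name -> A record
RBL_LISTED = {"203.0.113.9"}                  # stand-in for a zen.spamhaus.org hit

# Constructed check_helo_access map mirroring the three pcre rules in the post.
# Postfix pcre maps match case-insensitively by default, hence re.I.
HELO_MAP = [
    (re.compile(r"^[\d.-]*$", re.I), "Unacceptable hostname in helo"),
    (re.compile(r"^\[[\d.]*\]$", re.I), "Policy prohibits address literals in helo"),
    (re.compile(r"^localhost(\.localdomain)?$", re.I), "Unacceptable hostname in helo"),
]

DUNNO = ("DUNNO", None, "")

def permit_mynetworks(s):
    return ("OK", 250, "permit_mynetworks") if s["client_ip"] in MYNETWORKS else DUNNO

def reject_unauth_destination(s):
    domain = s["recipient"].rpartition("@")[2]
    return DUNNO if domain in MYDESTINATION else ("REJECT", 554, "Relay access denied")

def reject_unknown_client_hostname(s):
    # NXDOMAIN, a name that does not resolve back to the client, and a transient
    # lookup failure all yield the same 450 (unknown_client_reject_code), so a
    # temporary DNS problem makes the sender retry instead of bouncing the mail.
    name = PTR.get(s["client_ip"])
    if name == "TEMPFAIL" or name is None or A.get(name) != s["client_ip"]:
        return ("REJECT", 450, "Client host rejected: cannot find your hostname")
    return DUNNO

def check_helo_access(s):
    for pattern, text in HELO_MAP:        # first matching rule wins, as in a pcre map
        if pattern.search(s["helo"]):
            return ("REJECT", 550, text)
    return DUNNO

def reject_rbl_client(s):
    if s["client_ip"] in RBL_LISTED:
        return ("REJECT", 554, "Service unavailable; client host blocked")
    return DUNNO

def warn_if_reject(restriction):
    # Run `restriction`; turn its REJECT into a log line plus DUNNO so the list continues.
    def wrapped(s):
        action, code, text = restriction(s)
        if action == "REJECT":
            s["log"].append(f"reject_warning: {code} {text}")
            return DUNNO
        return (action, code, text)
    return wrapped

# Same order as the post: permit_mynetworks before reject_unauth_destination, the
# client-hostname check wrapped in warn_if_reject, the HELO map, then an RBL.
RESTRICTIONS = [
    permit_mynetworks,
    reject_unauth_destination,
    warn_if_reject(reject_unknown_client_hostname),
    check_helo_access,
    reject_rbl_client,
]

def session(client_ip, helo, recipient):
    """Hypothetical SMTP session state; `log` collects reject_warning lines."""
    return {"client_ip": client_ip, "helo": helo, "recipient": recipient, "log": []}

def evaluate(s, restrictions=RESTRICTIONS):
    """Apply restrictions in order; the first OK or REJECT decides. Trailing 'permit' -> OK."""
    s.setdefault("log", [])
    for restriction in restrictions:
        action, code, text = restriction(s)
        if action != "DUNNO":
            return action, code, text
    return ("OK", 250, "permit")

if __name__ == "__main__":
    for ip, helo, rcpt in [("192.0.2.10", "laptop", "bob@elsewhere.org"),
                           ("203.0.113.5", "192.168.1.34", "alice@example.com"),
                           ("203.0.113.6", "mail.example.net", "alice@example.com"),
                           ("203.0.113.9", "mail.example.net", "alice@example.com")]:
        s = session(ip, helo, rcpt)
        print(ip, helo, evaluate(s), s["log"])
```

Pass a different list as the second argument of `evaluate()` to compare a strict configuration (no warn_if_reject) with the one in the post: with the wrapper, a client with no PTR is logged and still delivered unless a later restriction rejects it; without it, the same client gets the 450 and must retry.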
