On Thu, Sep 4, 2008 at 10:05 AM, mouss <[EMAIL PROTECTED]> wrote:
>
>> The only ones I'm unsure on are...
>>
>> smtpd_sender_restrictions =
>>     reject_unknown_sender_domain, permit_mynetworks,
>>     permit_sasl_authenticated, reject_non_fqdn_sender, permit
>>
>> smtpd_recipient_restrictions =
>>     reject_unknown_recipient_domain, permit_mynetworks,
>>     permit_sasl_authenticated, reject_unauth_destination,
>>     reject_unauth_pipelining, reject_invalid_hostname,
>>     reject_non_fqdn_hostname, reject_non_fqdn_sender,
>>     reject_non_fqdn_recipient, reject_unknown_sender_domain,
>>     reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net,
>>     reject_rbl_client zen.spamhaus.org, permit
>>
>> smtpd_delay_reject = yes
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions =
>>     permit_mynetworks, permit_sasl_authenticated,
>>     reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
>>     reject_unknown_helo_hostname
>>
>> I guess this is bloated, but I'm trying to mirror sendmail's bad_helo,
>> bad_mx, PTR and FWD enforcement and so on.
>>
>
> - it is simpler to put all your restrictions under
> smtpd_recipient_restrictions (remove smtpd_sender_restrictions and
> smtpd_helo_restrictions). the result is the same, but you have a sequential
> list (easier to read and maintain) and you don't need to repeat the
> "permit_*" whitelisting checks.
>
OK, that's much neater, but if I choose to use a sendmail access-style file, do I include that there? Or do I then need to create sender restrictions?

> smtpd_recipient_restrictions =
>     reject_unknown_sender_domain
>     reject_unknown_recipient_domain
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_non_fqdn_sender
>     reject_non_fqdn_recipient
>     reject_unauth_destination
>     reject_invalid_helo_hostname
>     reject_non_fqdn_hostname
>     # no point to query dns if address does not exist
>     reject_unlisted_recipient
>     reject_unlisted_sender
>     # the following check will catch legitimate mail
>     reject_unknown_helo_hostname
>     reject_rbl_client zen.spamhaus.org
>     reject_rbl_client bl.spamcop.net
>     reject_rbl_client dnsbl.sorbs.net
>
> smtpd_data_restrictions =
>     reject_unauth_pipelining
>
>
> why do you use the reject_unknown_mumble_domain "soon"? do you want to
> reject your own users' mail if the sender or rcpt domain doesn't resolve?
> This may be undesirable: if you have a dns failure, you force the user to
> retry later, which is not very friendly.
>

No point in our mail queues filling up if someone gets a virus that uses our server to relay a bunch of gobbledygook that I can't return to them; best they have the problem than our servers. Likewise for recipient domains that don't exist. I'm disappointed I don't seem to be able to 55x those like I can with SM; otherwise everything is running pretty well on dev.

> I also suggest removing reject_unknown_helo_hostname because it does
> catch legitimate mail.
>

Aware of those risks, have been using it for years without problems.

> if you want to enforce FcrDNS (ip->ptr->ip match), then you want
> reject_unknown_client. however, this will catch legitimate clients (even
> well configured ones if there is a DNS pro

We don't need exact matching, but the IP must resolve and the hostname it resolves to must have an IP that also resolves, if it is different; no exact triple matching like most ircd's perform.
Thanks for your help, much appreciated.
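The following main.cf fragment is an added example written for this page; it is not the configuration posted in the thread above nor anything from the Postfix project. It takes mouss's single-list advice and answers the access-file question: sendmail-style access maps slot into the same smtpd_recipient_restrictions list as check_client_access, check_sender_access and check_helo_access lookups. The one ordering rule that matters for safety is shown in the comments: nothing keyed on a forgeable value (sender address, HELO name) may return OK before reject_unauth_destination, or the server becomes an open relay for anyone who picks a whitelisted MAIL FROM. The file paths, map contents, addresses (192.0.2.0/24, RFC 5737) and domains (example.net, example.org) are constructed for the example.

```ini
# /etc/postfix/main.cf  (added example, not the thread's own config)

smtpd_helo_required = yes
smtpd_delay_reject  = yes

# One sequential list.  Everything up to and including
# reject_unauth_destination is the relay policy.  Only checks keyed on
# the *client* (its IP, or a SASL login) may return OK before that line;
# a sender- or HELO-keyed map returning OK there is a relay hole, since
# the client chooses both values.
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_client_access hash:/etc/postfix/client_access
    reject_unauth_destination
    # cheap local checks next, so nonexistent addresses never cost a
    # DNS query (same reasoning as the reject_unlisted_* placement above)
    reject_unlisted_recipient
    reject_unlisted_sender
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    # sendmail access-file equivalents; safe here because the relay
    # decision has already been made
    check_sender_access hash:/etc/postfix/sender_access
    check_helo_access   hash:/etc/postfix/helo_access
    # DNS-dependent checks last.  A resolver failure here yields a 4xx
    # and a retry, not a 5xx, which is the trade-off discussed above.
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    # Postfix offers two ends of the reverse-DNS spectrum:
    #   reject_unknown_reverse_client_hostname : IP must have a PTR
    #   reject_unknown_client_hostname         : IP -> PTR -> IP must agree
    # There is no built-in for the middle ground described in the thread
    # (PTR name must merely have an A record), so the looser one is used.
    reject_unknown_reverse_client_hostname
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net

# Pipelining can only be judged once the client has sent DATA.
smtpd_data_restrictions =
    reject_unauth_pipelining

# --- /etc/postfix/client_access (constructed; keyed on client IP/name) ---
# 192.0.2.10        OK                      ; trusted relay partner, fixed IP
# 192.0.2.200       REJECT known bulk sender
# mail.example.net  OK

# --- /etc/postfix/sender_access (constructed; keyed on MAIL FROM) ---
# spammer@example.org   REJECT
# example.org           550 Sender domain refused by local policy
# partner@example.net   OK      ; skips the remaining checks, NOT the relay check

# --- /etc/postfix/helo_access (constructed; keyed on HELO/EHLO name) ---
# localhost         REJECT forged HELO
# mail.example.com  REJECT forged HELO  (our own hostname from outside)
```

Each hash: map must be compiled with `postmap /etc/postfix/client_access` (and likewise for the other two) before `postfix reload`; `postconf -n` afterwards prints the list exactly as Postfix parsed it, which is the quickest way to confirm that reject_unauth_destination still precedes every sender- or HELO-keyed lookup.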