Wietse Venema wrote:
Roderick A. Anderson:
I'm implementing greylisting on CentOS 5 systems.
These are spools for the actual mailserver/mailbox systems.
Currently we have:
smtpd_recipient_restrictions =
    reject_unauth_pipelining,                          cheap
    reject_non_fqdn_sender,                            cheap
    reject_non_fqdn_recipient,                         cheap
    reject_unknown_recipient_domain,                   expensive
    reject_unknown_sender_domain,                      expensive
    reject_unlisted_recipient,                         medium
    permit_mynetworks,                                 cheap
    reject_unauth_destination,                         cheap
    reject_invalid_hostname,                           cheap
    reject_non_fqdn_hostname,                          cheap
    reject_rbl_client zombie.dnsbl.sorbs.net,          expensive
    reject_rbl_client cbl.abuseat.org,                 expensive
    permit
Generally, put expensive checks after cheap ones (policy server
lookup is cheap to medium, depending on what it does).
If a policy server can return "ok", then never put it before
reject_unauth_destination, otherwise you could become an open relay.
Aren't there other order-sensitive issues? I'd like to make sure I have
the safest and most optimal settings.
Rod
--
Wietse
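
The ordering rule from the thread above, as an added example that is not part of the original messages and is not Postfix code: a small linter that reports any restriction able to return OK before `reject_unauth_destination` is reached. It goes beyond the policy-server case by also flagging `check_*_access` table lookups and a bare `permit`; the names `parse` and `relay_risks` and the policy service address are assumptions made for illustration.

```python
import re

# Restrictions that take one argument (subset, enough for lists like the one above).
TAKES_ARG = re.compile(
    r"^(check_policy_service|check_\w+_access|reject_rbl_client|reject_rhsbl_\w+)$")
# Restrictions that can answer OK/permit for an untrusted client. permit_mynetworks
# and permit_sasl_authenticated are excluded: they only pass clients allowed to relay.
MAY_PERMIT = re.compile(r"^(permit|check_policy_service|check_\w+_access)$")
GUARD = "reject_unauth_destination"

def parse(value):
    """Split a restriction list (comma and/or whitespace separated) into (name, arg)."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    pairs, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if TAKES_ARG.match(name) and i + 1 < len(tokens):
            i += 1
            arg = tokens[i]
        pairs.append((name, arg))
        i += 1
    return pairs

def relay_risks(value):
    """Entries that may permit before reject_unauth_destination (all, if it is absent)."""
    risks = []
    for name, arg in parse(value):
        if name == GUARD:
            break
        if MAY_PERMIT.match(name):
            risks.append(name if arg is None else f"{name} {arg}")
    return risks

# Constructed samples; the policy service address is an assumed placeholder.
UNSAFE = """
    check_policy_service inet:127.0.0.1:10023,
    permit_mynetworks,
    reject_unauth_destination,
    permit
"""
SAFE = """
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10023,
    permit
"""
if __name__ == "__main__":
    for label, value in (("UNSAFE", UNSAFE), ("SAFE", SAFE)):
        print(label, relay_risks(value) or "no relay risk found")
```

The check is static: it reports entries that could permit, not whether a given policy server or table actually returns OK.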