On Wed, 12 Nov 2008, Roderick A. Anderson wrote:
Wietse Venema wrote:
Roderick A. Anderson:
I'm implementing greylisting on CentOS 5 systems.
These are spools for the actual mailserver/mailbox systems.
Currently we have:
smtpd_recipient_restrictions =
    reject_unauth_pipelining, cheap
    reject_non_fqdn_sender, cheap
    reject_non_fqdn_recipient, cheap
    reject_unknown_recipient_domain, expensive
    reject_unknown_sender_domain, expensive
    reject_unlisted_recipient, medium
    permit_mynetworks, cheap
    reject_unauth_destination, cheap
    reject_invalid_hostname, cheap
    reject_non_fqdn_hostname, cheap
    reject_rbl_client zombie.dnsbl.sorbs.net, expensive
    reject_rbl_client cbl.abuseat.org, expensive
    permit
Generally, put expensive checks after cheap ones (policy server
lookup is cheap to medium, depending on what it does).
If a policy server can return "ok", then never put it before
reject_unauth_destination, otherwise you could become an open relay.
Aren't there other order-sensitive issues? I'd like to make sure I have the
safest and most optimal settings.
Rod, it is how you want to run things.
For example, you can greylist first, but then if the spammer comes back,
that's another connection, etc., to be later rejected by some other rule.
Personally I typically have my checks as Wietse suggests, cheap checks
first and then greylisting, rbl checks, postfwd, etc, last.
Justin.
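An added example, not part of this thread and not Postfix's own code: a small Python linter that applies the two ordering rules discussed above (nothing that can return OK ahead of reject_unauth_destination; cheap checks ahead of expensive ones) to a smtpd_recipient_restrictions value as postconf would print it. The cost classes, the SAFE_PERMITS set and the inet:127.0.0.1:10023 policy-service address are my assumptions, and the three sample lists are constructed for the example; the first is Rod's list with the cheap/medium/expensive annotations dropped. Only the restriction names themselves are real Postfix names.

```python
"""Lint the order of a Postfix smtpd_recipient_restrictions list.

Rule 1: nothing that can return OK may precede reject_unauth_destination,
        otherwise whoever triggers that OK can relay through the server.
Rule 2: cheap syntax checks should run before expensive DNS/policy lookups.
The cost classes below are an assumption for this example, not something
Postfix publishes.
"""
import re

# Restrictions that stop relaying to arbitrary destinations.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}

# permit_* restrictions whose OK is scoped to trusted clients or to
# destinations the server already accepts mail for (assumed safe list).
SAFE_PERMITS = {
    "permit_mynetworks", "permit_sasl_authenticated", "permit_auth_destination",
    "permit_tls_clientcerts", "permit_tls_all_clientcerts",
}

# Assumed cost classes, matched by prefix in order; anything else is "cheap".
COST_CLASSES = [
    ("check_policy_service", "expensive"),  # round trip to a policy daemon
    ("reject_rbl_client", "expensive"),     # DNSBL lookup
    ("reject_rhsbl_", "expensive"),
    ("reject_unknown_", "expensive"),       # DNS lookups for domains/hostnames
    ("check_", "medium"),                   # local access(5) table lookup
    ("reject_unlisted_", "medium"),         # local recipient/sender tables
]
RANK = {"cheap": 0, "medium": 1, "expensive": 2}

# A token that looks like a restriction name starts a new item; anything else
# (a DNSBL zone, "inet:host:port", "hash:/path") is the previous item's argument.
NAME_RE = re.compile(
    r"^(?:(?:reject|permit|defer)(?:_[a-z_]+)?|check_[a-z_]+|warn_if_reject|sleep)$"
)


def parse_restrictions(value):
    """Split a main.cf value into (name, argument-or-None) pairs."""
    items = []
    for tok in re.split(r"[,\s]+", value.strip()):
        if not tok:
            continue
        if NAME_RE.match(tok):
            items.append((tok, None))
        elif items:
            items[-1] = (items[-1][0], tok)
        else:
            raise ValueError(f"argument {tok!r} without a restriction")
    return items


def cost_of(name):
    for prefix, cls in COST_CLASSES:
        if name.startswith(prefix):
            return cls
    return "cheap"


def lint(value):
    """Return (errors, warnings) for a smtpd_recipient_restrictions value."""
    items = parse_restrictions(value)
    errors, warnings = [], []

    guard_at = next((i for i, (n, _) in enumerate(items) if n in RELAY_GUARDS), None)
    if guard_at is None:
        errors.append("no reject_unauth_destination: the list never blocks relaying")
        guard_at = len(items)

    # Rule 1: ahead of the guard only rejects and scoped permits may appear.
    # check_* is flagged conservatively: whether it returns OK depends on the
    # table or policy daemon behind it, which the linter cannot see.
    for name, arg in items[:guard_at]:
        may_permit = (
            name == "permit"
            or name.startswith("check_")
            or (name.startswith("permit_") and name not in SAFE_PERMITS)
        )
        if may_permit:
            shown = f"{name} {arg}" if arg else name
            errors.append(f"{shown} precedes reject_unauth_destination and can return OK: open-relay risk")

    # Rule 2: warn when a cheaper check follows a more expensive one.
    worst = 0
    for name, _ in items:
        if name == "permit":          # terminator; fine wherever it sits
            continue
        rank = RANK[cost_of(name)]
        if rank < worst:
            warnings.append(f"{name} ({cost_of(name)}) runs after a more expensive check; move it up")
        worst = max(worst, rank)
    return errors, warnings


# Constructed samples. THREAD_CONFIG is the poster's list without the cost
# annotations; UNSAFE_CONFIG greylists before the relay guard; SAFE_CONFIG
# orders the same checks cheap-to-expensive with greylisting last.
THREAD_CONFIG = """
reject_unauth_pipelining, reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_recipient_domain, reject_unknown_sender_domain,
reject_unlisted_recipient, permit_mynetworks, reject_unauth_destination,
reject_invalid_hostname, reject_non_fqdn_hostname,
reject_rbl_client zombie.dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org, permit
"""
UNSAFE_CONFIG = """
permit_mynetworks, check_policy_service inet:127.0.0.1:10023,
reject_unauth_destination, permit
"""
SAFE_CONFIG = """
reject_unauth_pipelining, reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_invalid_hostname, reject_non_fqdn_hostname,
permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient,
reject_unknown_recipient_domain, reject_unknown_sender_domain,
reject_rbl_client zombie.dnsbl.sorbs.net, check_policy_service inet:127.0.0.1:10023,
permit
"""

if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CONFIG), ("unsafe", UNSAFE_CONFIG), ("safe", SAFE_CONFIG)):
        errs, warns = lint(cfg)
        print(f"{label}: {len(errs)} error(s), {len(warns)} warning(s)")
        for line in errs + warns:
            print("  " + line)
```

Run against the thread's list it reports no error (permit_mynetworks is a scoped permit and the relay guard is present) but five cost-order warnings, because the two DNS-based reject_unknown_*_domain checks sit ahead of several syntax-only checks; the unsafe list is the case Wietse warns about, a policy service ahead of reject_unauth_destination.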