> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chris Turan
> Sent: Tuesday, 9 December 2008 7:39 AM
> To: Terry Carmen
> Cc: postfix-users@postfix.org
> Subject: Re: Stopping backscatter with before-queue
>
> Terry Carmen wrote:
> > To eliminate *sending* backscatter, all you need to do is not accept
> > mail you won't be able to deliver:
>
> I am rejecting unknown recipients but the bounces are coming from
> messages with a spamassassin score above 12.
>
> Hmmm. I did get a suggestion about checking the headers against RBL's
> using builtin postfix content filters. After that, it can be passed
> onto the real scanners.
>
> I get 10K emails per day, so it's still fairly small. Do you have a
> before-queue scanner installed? There are warnings all over
> amavisd-new's documentation saying not to use it as a before queue
> scanner and rightly so.
>
> > Back to your actual problem, if you can post the output from postconf
> > -n, someone can probably tell you what's wrong.
>
> [EMAIL PROTECTED] /]# postconf -n
> alias_maps = hash:/etc/aliases
> bounce_queue_lifetime = 4h
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = amavis:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> local_recipient_maps =
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> maximal_queue_lifetime = 1d
> message_size_limit = 20971520
> mynetworks = a.a.a.a/32, b.b.b.b/32, c.c.c.c/32, d.d.d.d/32, e.e.e.e/32
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
> receive_override_options = no_address_mappings
> relay_domains = hash:/etc/postfix/relay_domains
> relay_recipient_maps = hash:/etc/postfix/relay_recipient_maps
> sample_directory = /usr/share/doc/postfix-2.4.5/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_tls_CAfile = /etc/postfix/certs/gd_intermediate_bundle.crt
> smtpd_tls_CApath = /etc/postfix/certs
> smtpd_tls_cert_file = /etc/postfix/certs/xxxxxxxx.crt
> smtpd_tls_key_file = /etc/postfix/certs/xxxxxxxx.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_use_tls = yes
> transport_maps = hash:/etc/postfix/transport_maps
> unknown_local_recipient_reject_code = 550

I don't see the smtpd_*_restrictions. Sensible ones there cut down on
acres of spam and take load off the content scanner, without much in the
way of false positives (in fact, I have none). I suggest (after
permit_mynetworks, for each set):

smtpd_helo_restrictions =
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname, (this one traps the most from bots)

smtpd_client_restrictions =
    reject_non_fqdn_hostname,
    reject_unknown_reverse_client_hostname
    OR reject_unknown_client_hostname (this one tends to cause more
    false positives, due to idiots configuring their DNS)

smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

smtpd_recipient_restrictions =
    reject_unauth_destination
    reject_non_fqdn_recipient,
    reject_rbl_client zen.spamhaus.org,

smtpd_data_restrictions = reject_unauth_pipelining

Also set strict_rfc821_envelopes = yes (unless you have ancient mail
clients you need to support)

All my senders are in mynetworks (or I'd be using auth, in any case), so
I can have a sender access map (after permit_mynetworks) that basically
consists of "@mydomain.com REJECT". You can have helo access maps that
reject servers purporting to be your own.
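
Added example, not part of the original thread: a small Python check that reads `postconf -n` output like the one quoted above and lists which of the restrictions suggested in the reply are not explicitly set. The function names and the sample input are constructed for illustration.

```python
import re

# Suggestions from the reply above, per parameter; "a|b" means either one will do.
SUGGESTED = {
    "smtpd_helo_restrictions": ["reject_invalid_helo_hostname", "reject_non_fqdn_helo_hostname"],
    "smtpd_client_restrictions": ["reject_unknown_reverse_client_hostname|reject_unknown_client_hostname"],
    "smtpd_sender_restrictions": ["reject_non_fqdn_sender", "reject_unknown_sender_domain"],
    "smtpd_recipient_restrictions": ["reject_unauth_destination", "reject_non_fqdn_recipient",
                                     "reject_rbl_client zen.spamhaus.org"],
    "smtpd_data_restrictions": ["reject_unauth_pipelining"],
}

def parse_postconf(text):
    """Parse `postconf -n` output into {name: value}; tolerates '>' e-mail quoting."""
    params, last = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            last = m.group(1)
            params[last] = m.group(2)
        elif line and last:  # wrapped value, e.g. a long mynetworks list
            params[last] += " " + line
    return params

def not_explicitly_set(params):
    """Return {parameter: [suggested restrictions absent from its explicit value]}."""
    report = {}
    for name, wanted in SUGGESTED.items():
        tokens = [t for t in re.split(r"[,\s]+", params.get(name, "")) if t]
        have = " " + " ".join(tokens) + " "  # pad so only whole tokens match
        absent = [w for w in wanted if not any(f" {a} " in have for a in w.split("|"))]
        if absent:
            report[name] = absent
    return report

# Constructed samples: a few quoted lines of the configuration, then the same with two lists set.
BEFORE = """> content_filter = amavis:[127.0.0.1]:10024
> mynetworks = a.a.a.a/32, b.b.b.b/32,
> e.e.e.e/32
> relay_recipient_maps = hash:/etc/postfix/relay_recipient_maps"""
AFTER = BEFORE + """
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
  reject_non_fqdn_recipient, reject_rbl_client zen.spamhaus.org"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, not_explicitly_set(parse_postconf(sample)))
```

A parameter that `postconf -n` does not list is at its built-in default, so an entry in the report means "not set in main.cf", not necessarily "not enforced".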