First of all, let me apologize if you have seen this "request/query" before. I originally posted this to Google Groups "mailing.postfix.users", but felt that it was probably the wrong place to ask for advice. I then tried the Postfix oriented groups on my news service, only to realize that the latest post other than mine was 3 weeks ago (time to get a new news service, or am I seeing the end of NNTP?).
I am very new to Postfix and am looking for advice on my Postfix configuration (see below). The configuration is aimed at a small group of people (fewer than 25 users) who are all volunteers at a local not-for-profit organization. The server is set up with no local users, and all mail is delivered to virtual mailboxes.

1) I am using RBL + RBHL + amavisd-new + SpamAssassin + ClamAV + greylisting as anti-spam defenses. Question: are the header and body checks still worthwhile as anti-spam defenses? I can see the use of header checks for removing unwanted stuff, like the various headers that get inserted during spam processing. Are there any other worthwhile uses? If so, what are they, and where can I find more information? On the subject of RBL servers, does anybody have any suggestions as to the RBL lists to use or avoid? I am currently using bl.spamcop.net, zen.spamhaus.org and list.dsbl.org, all of which seem to work well.

2) A lot of the configuration advice/tutorials/how-tos that I have looked at put all the checks into smtpd_recipient_restrictions. Why defer killing spam? Why not kill it ASAP and save spending any more resources processing it? I know that the smtpd_delay_reject parameter defaults to yes, therefore all checks are deferred until the recipient stage. But that just leads me to the same question.

2a) I have set smtpd_delay_reject = no. Should I? Am I giving myself a problem by doing this?

2b) Based on some things I read here, it would seem that I should add permit_sasl_authenticated to each of the smtpd_*_restrictions sections. Is this correct?

2c) I was originally advised to have unknown_local_recipient_reject_code = 554, but in a couple of places I have seen it set to 550. Which is better? Supplementary: is there a list of codes, and if so, where?

3) Is it possible to replace virtual_mailbox_maps = hash:/etc/postfix/vmailbox with something like proxy maps, such as virtual_mailbox_maps = proxy:unix:passwd.byname, and if so, how would I implement this using Dovecot as the LDA/MDA?
4) Are there any gotchas in the config below?

Thank you for your patience,
John Allen

================ Main.cf ==========
# DDOS stuff
default_process_limit = 20
smtpd_recipient_limit = 128
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_error_sleep_time = 5s

# Virtual
virtual_mailbox_domains = /etc/postfix/maps/vdomains
virtual_mailbox_base = /var/mail/vhosts
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_mailbox_maps = hash:/etc/postfix/maps/vmailbox
virtual_alias_maps = hash:/etc/postfix/maps/valiases
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

# SASL support
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtp_sasl_auth_enable = no

# tls
smtpd_tls_auth_only = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/pki/tls/private/invalid.key
smtpd_tls_cert_file = /etc/pki/tls/certs/invalid.crt
smtpd_tls_CAfile = /etc/pki/CA/sub.class2.server.ca.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# PARAMETERS THAT DON'T SEEM TO FIT ELSEWHERE
biff = no
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
unknown_local_recipient_reject_code = 554
unverified_sender_reject_code = 550

# JUNK MAIL CONTROLS
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
allow_untrusted_routing = no
# was "smtpd_etrn_restriction" (singular) in the original posting; Postfix only knows the plural name
smtpd_etrn_restrictions = reject
message_size_limit = 32768000
bounce_size_limit = 65536
header_size_limit = 32768
delay_warning_time = 12
smtpd_delay_reject = no
header_checks = regexp:/etc/postfix/maps/header_checks
body_checks = regexp:/etc/postfix/maps/body_checks
content_filter = amavisfeed:[127.0.0.1]:10024

smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/maps/client_access,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    reject_unknown_client_hostname,
    reject_invalid_hostname,
    permit

smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access pcre:/etc/postfix/maps/helo_checks,
    check_helo_access pcre:/etc/postfix/maps/helo_access,
    reject_unauth_pipelining,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_invalid_helo_hostname,
    permit

smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_multi_recipient_bounce,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_policy_service unix:postgrey/socket,
    permit

# was "smtp_data_restrictions" in the original posting; that is not a Postfix parameter and would be ignored
smtpd_data_restrictions =
    reject_multi_recipient_bounce,
    reject_unauth_pipelining,
    permit

== Master.cf ==
smtp        inet  n  -  n  -   -  smtpd
    -o cleanup_service_name=pre-cleanup
pickup      fifo  n  -  n  60  1  pickup
    -o cleanup_service_name=pre-cleanup
submission  inet  n  -  n  -   -  smtpd
    -o cleanup_service_name=pre-cleanup
[[ snip ]]
dovecot     unix  -  n  n  -   -  pipe
    flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${us...@${nexthop} -m ${extension}
amavisfeed  unix  -  -  n  -   4  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
    -o smtp_bind_address=127.0.0.1
# note: smtpd_restriction_classes below was spelled "smtp_restriction_classes" in the original posting
127.0.0.1:10025 inet n  -  n  -   -  smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o local_header_rewrite_clients=
    -o local_recipient_maps=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
    -o relay_recipient_maps=
pre-cleanup unix  n  -  n  -   0  cleanup
    -o virtual_alias_maps=
cleanup     unix  n  -  n  -   0  cleanup
    -o mime_header_checks=
    -o nested_header_checks=
    -o header_checks=
    -o body_checks=
    -o always_bcc=archi...@invald.invalid
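An added example (mine, not John's config or anything from the Postfix project) for question 4: a small linter that parses a main.cf excerpt the way Postfix reads it (whitespace-indented lines continue the previous value) and flags two things worth checking in a restriction set like the one above: a parameter spelled smtp_*_restrictions where smtpd_* was meant, which Postfix would simply ignore, and an smtpd_recipient_restrictions list that reaches a bare permit before reject_unauth_destination, which is an open relay. The SAMPLE_MAIN_CF text is a constructed condensation of the posted restrictions with one such misspelling put in on purpose.

```python
import re

# Constructed sample, condensed from the restrictions in the post above,
# with a deliberately misspelled smtp_data_restrictions (no such parameter).
SAMPLE_MAIN_CF = """\
smtpd_delay_reject = no
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:postgrey/socket,
    permit
smtp_data_restrictions = reject_multi_recipient_bounce, permit
"""
# smtpd_*_restrictions spelled without the 'd': Postfix ignores the setting.
RESTRICTION_TYPO = re.compile(
    r"smtp_(client|helo|sender|recipient|data|end_of_data)_restrictions")
# Any of these in smtpd_recipient_restrictions blocks unauthorised relaying.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination", "reject"}

def parse_main_cf(text):
    """Return {parameter: value}; an indented line continues the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key is not None:
            params[key] += " " + line.strip()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        params[key] = value
    return params

def restriction_names(value):
    """'a, b arg, c' -> ['a', 'b', 'c']: restriction names without arguments."""
    return [item.split()[0] for item in value.split(",") if item.strip()]

def lint(params):
    """Return human-readable findings for a parsed main.cf."""
    findings = []
    for key in params:
        if RESTRICTION_TYPO.fullmatch(key):
            findings.append(f"{key}: ignored by Postfix, meant {key.replace('smtp_', 'smtpd_', 1)}?")
    rcpt = restriction_names(params.get("smtpd_recipient_restrictions", ""))
    guard = next((i for i, r in enumerate(rcpt) if r in RELAY_GUARDS), None)
    if guard is None:
        findings.append("smtpd_recipient_restrictions: no reject_unauth_destination (open relay)")
    elif "permit" in rcpt[:guard]:
        findings.append("smtpd_recipient_restrictions: permit before reject_unauth_destination (open relay)")
    return findings
```

Running lint(parse_main_cf(open("/etc/postfix/main.cf").read())) on a real file gives the same checks; postconf -n is the authoritative view of what Postfix actually loaded.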