Darren Pilgrim wrote:
> King Spook wrote:
>> I'm getting hit pretty hard with spam, and was hoping to reduce it a
>> bit by adding the following smtpd restrictions:
>>
>> smtpd_helo_restrictions = reject_invalid_helo_hostname,
>>     reject_non_fqdn_helo_hostname
>> smtpd_sender_restrictions = reject_non_fqdn_sender
>>
>> Is that safe to do?
>
> Yes! Depending on the day, anywhere from a third to half of messages
> rejected in-session by my servers are due to those two restrictions
> alone. In two years, I've yet to see a false positive. Just don't use
> reject_unknown_helo_hostname (way too many false positives).
>
> Caveat: Many MUAs use non-FQDN hostnames or worse. You get around this
> problem by putting them in smtpd_recipient_restrictions, after
> permit_mynetworks and permit_sasl_authenticated:
>
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination,
>     reject_invalid_helo_hostname,
>     reject_non_fqdn_helo_hostname,
>     reject_non_fqdn_sender,
>     reject_unlisted_sender,
>     reject_unlisted_recipient
>
Also consider adding
    reject_rbl_client zen.spamhaus.org
Check the Spamhaus site for more info (policy, usage, ...).

> You should almost always keep all your restrictions in
> smtpd_recipient_restrictions. It avoids evaluation-order headaches.
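
The ordering advice in this thread, as an added example that is not part of the original messages and is not Postfix code: a simplified Python model of first-match evaluation, covering only four of the restrictions named above. The network, addresses and hostnames are constructed sample values, and the FQDN test is a rough stand-in for Postfix's own checks.

```python
import ipaddress
import re

MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed sample network
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")

def is_fqdn(name):
    """Simplified FQDN test: two or more syntactically valid labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)

def check(restriction, s):
    """Return 'PERMIT', 'REJECT' or None (no decision) for one restriction."""
    if restriction == "permit_mynetworks":
        ip = ipaddress.ip_address(s["client"])
        return "PERMIT" if any(ip in net for net in MYNETWORKS) else None
    if restriction == "permit_sasl_authenticated":
        return "PERMIT" if s.get("sasl") else None
    if restriction == "reject_non_fqdn_helo_hostname":
        return None if is_fqdn(s["helo"]) else "REJECT"
    if restriction == "reject_non_fqdn_sender":
        if not s["sender"]:  # assumption of this model: null sender is not tested
            return None
        return None if is_fqdn(s["sender"].rpartition("@")[2]) else "REJECT"
    raise ValueError(f"restriction not modelled: {restriction}")

def evaluate(lists, s):
    """A PERMIT ends only the current list; a REJECT in any list is final."""
    for list_name, restrictions in lists:
        for r in restrictions:
            verdict = check(r, s)
            if verdict == "REJECT":
                return f"REJECT ({r} in {list_name})"
            if verdict == "PERMIT":
                break
    return "OK"

# Layout from the question (separate lists) versus the reply (one list).
SPLIT = [("smtpd_helo_restrictions", ["reject_non_fqdn_helo_hostname"]),
         ("smtpd_sender_restrictions", ["reject_non_fqdn_sender"]),
         ("smtpd_recipient_restrictions", ["permit_mynetworks", "permit_sasl_authenticated"])]
COMBINED = [("smtpd_recipient_restrictions",
             ["permit_mynetworks", "permit_sasl_authenticated",
              "reject_non_fqdn_helo_hostname", "reject_non_fqdn_sender"])]

# Constructed sessions: an internal MUA with a bare HELO, and an outside client.
MUA = {"client": "192.0.2.10", "helo": "laptop", "sender": "user@example.org"}
OUTSIDE = {"client": "203.0.113.7", "helo": "localhost", "sender": "x@example.net"}
```

Calling `evaluate(SPLIT, MUA)` rejects the internal client on its HELO name, while `evaluate(COMBINED, MUA)` returns `OK` and the outside client is still rejected under both layouts.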