Hello,

I'm trying to tighten up my mail server. It's postfix 2.3.3 running on CentOS 5.3. I've changed my restrictions below. Any comments, do they look good?

I've also got a question on greylisting. I'm using postgrey and have a restriction for it. I want to allow all traffic from my secondary mx, and selected domains, my bank for instance, to get through. Would that be the file postgrey_whitelist_clients.local for the backup mx and banks and other domains, and postgrey_whitelist_recipients for users I don't want to be greylisted?

I'm also working with spamassassin through amavisd-new. The setup is working but I think I can do better. There are various rules, some in /usr/share/spamassassin and, after running sa-learn updates, I believe in /var/lib/spamassassin/3.0.xx. I'm wanting to increase certain scores and alter others, but am not sure which file to alter.

These last two might be off topic; responses private if it is felt necessary. Any suggestions appreciated. Here's a postconf -n.

Thanks.
Dave.

address_verify_map = btree:/var/spool/postfix/verified_senders
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases, hash:/etc/mailman/aliases
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
invalid_hostname_reject_code = 554
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 104857600
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20971520
mime_header_checks = regexp:/etc/postfix/mime_header_checks
multi_recipient_bounce_reject_code = 554
mydestination = lists.$mydomain
mydomain = example.com
myhostname = mail.example.com
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_fqdn_reject_code = 554
non_smtpd_milters = inet:localhost:20209
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_delimiter = +
relay_domains_reject_code = 554
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_helo_timeout = 60s
smtp_tls_CAfile = /etc/postfix/ssl/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/ssl/smtp.crt
smtp_tls_key_file = /etc/postfix/ssl/smtp.key
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_cache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_milters = inet:127.0.0.1:7357
smtpd_recipient_restrictions = permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    reject_non_fqdn_hostname
    reject_invalid_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_unverified_recipient
    reject_multi_recipient_bounce
    check_helo_access pcre:/etc/postfix/helo_checks.pcre
    check_helo_access hash:/etc/postfix/helo_checks
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre
    check_sender_access hash:/etc/postfix/sender_checks,
    check_sender_mx_access cidr:/etc/postfix/bogus_mx
    check_sender_access hash:/etc/postfix/common_spam_senderdomain
    check_sender_access regexp:/etc/postfix/common_spam_senderdomain_keywords
    check_sender_access hash:/etc/postfix/freemail_access,
    check_sender_access pcre:/etc/postfix/verizon_sav_sender.pcre,
    check_sender_access hash:/etc/postfix/check_bounce_sender,
    check_client_access hash:/etc/postfix/client_checks,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client black.uribl.com,
    reject_rbl_client combined.rbl.msrbl.net,
    reject_rhsbl_sender dsn.rfc-ignorant.org
    check_policy_service unix:private/spfpolicy
    check_policy_service inet:127.0.0.1:10023
smtpd_restriction_classes = from_freemail_host, from_verizon_sav, check_bounce_recipient
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/ssl/ca-bundle.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtp.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
virtual_alias_maps = hash:/etc/postfix/virtual_alias
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000