On 5/26/2010 3:12 PM, brian wrote:
On 10-05-26 03:55 PM, Noel Jones wrote:
Some random suggestions...
Use a bogus MX record for the old domain if that domain has no valid
mail recipients. Of course, some bots will connect to your A record
anyway...
OK, I like the sound of that. Per your other email, I think I did, a
long time ago, learn about A being used in the absence of an MX. That
seems familiar now. Thanks for the tip.
You can use "reject_unlisted_recipient" early in your
smtpd_recipient_restrictions to dump connections to bad users early. A
later RBL check will only apply to valid recipients.
Set smtpd_hard_error_limit to a low number, such as 2, to disconnect
clients after just a few errors.
Set smtpd_error_sleep_time to 0 to get rid of bad clients without delay.
I'll give all that a try. Does this order seem alright?
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unlisted_recipient,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining
I would suggest:
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_non_fqdn_recipient
    reject_unauth_destination
    reject_unlisted_recipient
    ## next line if you have postfix 2.3 or newer
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_hostname
    reject_unknown_sender_domain
    reject_rbl_client zen.spamhaus.org
Recipients with unknown/invalid domains won't make it past
reject_unauth_destination, so drop
reject_unknown_recipient_domain. With postfix < 2.6,
reject_unauth_pipelining belongs in smtpd_data_restrictions.
smtpd_data_restrictions =
    reject_unauth_pipelining
I'll bet the postfix 2.7 "postscreen" feature will get rid of 1/2 or
more of the bots before they ever talk to you.
Postfix 2.7 allows you to specify 521 for the various *_reject_code
parameters to signal a disconnect.
I've just been having a look at that. It does seem to be something very
useful in this situation. But, maybe the bogus MX will solve my problems.
Sorry, I'm reminded that postscreen is only available in the
2.8 snapshots at this time. The snapshots are "production
quality" so feel confident to use them.
Increase the max number of smtpd listeners in master.cf to the highest
number your memory will allow.
What's the best way of determining that?
Use ps or top to see how much RAM each smtpd uses, guesstimate
from there. If system swaps, reduce.
Postscreen will help with this, since a single postscreen
process can handle thousands of connections.
-- Noel Jones
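
Added example, not part of the original thread: one way to turn the "use ps, guesstimate from there" advice into a number for the smtpd maxproc column in master.cf. The function name, the 512 MB budget and the sample ps lines are assumptions made up for illustration; the commented ps invocation assumes Linux procps.

```sh
#!/bin/sh
# Estimate how many smtpd processes fit in a chosen RAM budget.
#
# stdin : "RSS_KB COMMAND" lines, the format printed by
#         `ps -eo rss=,comm=` (Linux procps; assumption).
# $1    : RAM budget for smtpd in MB. You choose this figure; leave
#         room for the rest of the mail system and the OS.
# stdout: suggested upper bound for the smtpd process count.
estimate_smtpd_limit() {
    awk -v budget_mb="$1" '
        $2 == "smtpd" { n++; if ($1 > max) max = $1 }
        END {
            if (n == 0) {
                print "no smtpd processes in input" > "/dev/stderr"
                exit 1
            }
            # Size for the largest smtpd seen. RSS also counts pages
            # shared between processes, so the result errs on the low
            # (safe) side. Raise it gradually and back off if the
            # system starts to swap, as the thread advises.
            print int(budget_mb * 1024 / max)
        }'
}

# Constructed sample input (not real measurements).
SAMPLE_PS='7424 smtpd
8192 smtpd
6100 qmgr
3000 master'

# Live use on a running server:
#   ps -eo rss=,comm= | estimate_smtpd_limit 512
printf '%s\n' "$SAMPLE_PS" | estimate_smtpd_limit 512
```

Measure while the server is under typical load, since an idle smtpd can be smaller than one that is handling a session.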