Steffan A. Cline put forth on 6/22/2010 8:01 PM:

> It's a long post. Sorry.

Yeah, it was long, and probably overly ambitious for a single thread topic. Instead of addressing your questions about individual main.cf parameter settings and policy services, I'm going to make a few suggestions which should give you a good start on rejecting most spam.

1. Keep your configuration as streamlined and simple as possible
2. Put all your restrictions under smtpd_recipient_restrictions
3. Use the regexp table I'm providing at the link far below
4. Use dnsbl queries selectively (why they're at the bottom)
5. Use only selective greylisting with postgrey (why it's last)

Here's a sample smtpd_recipient_restrictions section you could start with, good with IIRC Postfix 2.3 and later. But first:

smtpd_delay_reject = yes (unneeded as it's the default behavior)
smtpd_helo_required = yes (you need this)

smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        permit_sasl_authenticated
        reject_unknown_reverse_client_hostname
        reject_non_fqdn_sender
        reject_non_fqdn_helo_hostname
        reject_invalid_helo_hostname
        reject_unknown_helo_hostname
        reject_unlisted_recipient
        check_client_access regexp:/etc/postfix/fqrdns.regexp
        reject_rbl_client zen.spamhaus.org
        reject_rhsbl_client dbl.spamhaus.org
        reject_rhsbl_sender dbl.spamhaus.org
        reject_rhsbl_helo dbl.spamhaus.org
        check_policy_service inet:127.0.0.1:60000

This should be all you need for now. You will improve this configuration over time.

It appears in your example that you're querying postgrey twice, once via UNIX socket and once via inet. Pick one method, don't use both. I use the inet method (last line in main.cf above). You will need to configure that one method per the postgrey instructions.

The Postgrey daemon config file on Debian is at the following location. On CentOS it may be located in a different directory. I don't use any Red Hat products so I'm unsure. You'll have to find it.

cat /etc/default/postgrey

# postgrey startup options, created for Debian
# (c)2004 Adrian von Bidder <avbid...@fortytwo.ch>
# Distribute and/or modify at will.

# you may want to set
#   --delay=N   how long to greylist, seconds (default: 300)
#   --max-age=N delete old entries after N days (default: 35)
# see also the postgrey(8) manpage

POSTGREY_OPTS="--inet=127.0.0.1:60000"

# the --greylist-text commandline argument can not be easily passed through
# POSTGREY_OPTS when it contains spaces.  So, insert your text here:
#POSTGREY_TEXT="Your customized rejection message here"

If you run into problems, "man 8 postgrey"

SPF and DKIM checks are pretty much useless for killing spam. You will already kill bot spam with other methods. Many snowshoe spammers are keen on using SPF records and to a lesser extent DKIM sigs. There really aren't any other large classes of spammers than bot and snowshoe, so again, trying to kill spam with SPF and DKIM checks is mostly an exercise in futility, and it adds unneeded complexity to your configuration. This has been discussed ad nauseam on many spam fighting lists over the years.

Regarding helo checks, it seems you're merely wanting to save effort expended on a previous mail server platform on which they worked well. Wrong logic. Helo checks won't kill much more spam than other checks, and the helo checks above are typically sufficient without getting into table checks against them. Don't worry about dragging the old helo stuff over to Postfix, as it will be wasted effort for the most part. Maybe keep them around for a rainy day down the road and convert them over _IF_ you find you _need_ them.

Again, think "streamline". Try to keep the configuration _simple_. The more complicated you make main.cf now the harder to troubleshoot it becomes later. Notice how short and simple my restriction list is? And don't think for a minute I created that overnight. I've been using Postfix since 2005 and have been refining it for 5 years.
It became really streamlined after I took the advice of members of this list. Noel, mouss, and many others have helped me tremendously in streamlining my Postfix config, along with the excellent documentation, which can at times be a bit intimidating to the novice.

This magic regexp table will kill a lot of bot and other spam coming from various ISPs' mostly dynamic space and will do it quicker than a dnsbl lookup. Another advantage is that it cuts down on your lookup queries, so if you're on that 300k Spamhaus borderline limit between paid and free service, this should drop those queries to the point you could likely use the free service. Even if you're not borderline, it's always better to kill spam with local filters before querying any outside service, dnsbl or otherwise.

Download this

http://www.hardwarefreak.com/fqrdns.regexp

and save it in /etc/postfix/fqrdns.regexp as root. Make sure the permissions are the same as your other lookup tables.

Hope this gives you a good start with Postfix spam fighting. Please continue to ask questions if you need more pointers. Also, make use of the extensive documentation and how to's on the Postfix website:

http://www.postfix.org/documentation.html
http://www.postfix.org/docs.html

-- 
Stan