On 10/20/2010 02:52 AM, Steve Jenkins wrote:
I will gladly solve the RIGHT problem. The fact that I'm here looking for
guidance should demonstrate that I'm looking to do exactly that.
Unfortunately, I can't simply put "DO NOT forward SPAM" in my main.cf and
have it work. ;) After reading through all the docs and various blog and
forum posts, and making my best efforts at incorporating what I've learned
into my configuration, it seems I'm still causing backscatter.
Don't accept mail you cannot deliver. Really, that's Numero Uno.
Proper sender and recipient verification - insofar as is feasible for
your site - goes a long way to prevent that from happening.
That's exactly why I'm posting on Postfix-users - because I need a little more
guidance than just "RTFM." :) So if anyone can help me with some SPECIFIC
steps to take, I'd be very appreciative.
I posted it initially, but here again is my postconf -n output:
<snippety>
smtpd_recipient_restrictions = permit_sasl_authenticated,
reject_unauth_destination, reject_unknown_recipient_domain,
reject_unknown_sender_domain, reject_non_fqdn_recipient,
reject_non_fqdn_sender, reject_invalid_hostname, permit_mynetworks, permit
You're missing some of the better spam prevention methods here, such as
decent HELO checks, and an RBL or two.
I'd suggest at least adding reject_unknown_reverse_client_hostname in
there, as well as (testing out)
reject_[invalid|unknown|non_fqdn]_helo_hostname.
My personal server uses:
<http://www.postfix.org/SASL_README.html#client_sasl>smtpd_recipient_restrictions
= permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unknown_reverse_client_hostname,
warn_if_reject
reject_non_fqdn_helo_hostname,
warn_if_reject
reject_invalid_helo_hostname,
warn_if_reject
reject_unknown_helo_hostname,
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
check_helo_access hash:/etc/postfix/helo_access,
permit
helo_access contains permutations of my own IP and hostname(s), which I
REJECT.
My zen RBL check is moved to postscreen, since I run a pre-2.8 build.
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unknown_sender_domain
Instead of specifying each restriction set by itself, put them all
together under recipient_restrictions so you can follow along what happens.
It will also log more information.
virtual_alias_domains = familyname.com
virtual_alias_maps = hash:/etc/postfix/virtual
It would be mildly interesting to see what is in those files, since a
virtual_alias_domain is potentially a wildcard recipient domain.
-----Original Message-----
From: Wietse Venema [mailto:wie...@porcupine.org]
Sent: Tuesday, October 19, 2010 5:16 AM
To: Steve Jenkins
Cc: Postfix users
Subject: Re: Fighting Backscatter
Steve Jenkins:
Oh, and please don't top-post.
--
J.
