THANK YOU Jeroen. :) I really appreciate you taking the time to help me with some specific steps I can try.

Here's the updated output of my postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
milter_protocol = 2
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, www.$mydomain
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:localhost:20209
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_milters = inet:localhost:20209
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_reverse_client_hostname,
    warn_if_reject reject_non_fqdn_helo_hostname,
    warn_if_reject reject_invalid_helo_hostname,
    warn_if_reject reject_unknown_helo_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_invalid_hostname,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = familyname.com
virtual_alias_maps = hash:/etc/postfix/virtual

The /etc/postfix/virtual is set up as follows.
Every line in there is either a local POP account or the destination forwarding address. I don't use any catch-alls, and prefer that my server reject unknown local recipients (or in this case, I should probably say "local").

Familyname.com #Family Domain for Mail
st...@familyname.com      steve
sis...@familyname.com     sister
a...@familyname.com       auntsaddr...@cox.net
d...@familyname.com       dadsaddr...@gmail.com

Like you, I'm also running a pre-2.8 build (2.6.5). I hadn't heard of postscreen until just now, but I'll check it out.

Would you mind sharing (anonymized if you wish) some examples of permutations of your IP and hostname(s) to reject from your helo_access file? What types of permutations are classically used by spammers that I can safely block without rejecting legitimate mail?

Thanks again,

Steve

From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Jeroen Geilman
Sent: Tuesday, October 19, 2010 7:10 PM
To: postfix-users@postfix.org
Subject: Re: Fighting Backscatter

On 10/20/2010 02:52 AM, Steve Jenkins wrote:

I will gladly solve the RIGHT problem. The fact that I'm here looking for guidance should demonstrate that I'm looking to do exactly that. Unfortunately, I can't simply put "DO NOT forward SPAM" in my main.cf and have it work. ;) After reading through all the docs and various blog and forum posts, and making my best efforts at incorporating what I've learned into my configuration, it seems I'm still causing backscatter.

Don't accept mail you cannot deliver. Really, that's Numero Uno. Proper sender and recipient verification - insofar as is feasible for your site - goes a long way to prevent that from happening.

That's exactly why I'm posting on Postfix-users - because I need a little more guidance than just "RTFM." :) So if anyone can help me with some SPECIFIC steps to take, I'd be very appreciative.
I posted it initially, but here again is my postconf -n output:

<snippety>

smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_invalid_hostname,
    permit_mynetworks,
    permit

You're missing some of the better spam prevention methods here, such as decent HELO checks, and an RBL or two. I'd suggest at least adding reject_unknown_reverse_client_hostname in there, as well as (testing out) reject_[invalid|unknown|non_fqdn]_helo_hostname.

My personal server uses:

smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_reverse_client_hostname,
    warn_if_reject reject_non_fqdn_helo_hostname,
    warn_if_reject reject_invalid_helo_hostname,
    warn_if_reject reject_unknown_helo_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_helo_access hash:/etc/postfix/helo_access,
    permit

helo_access contains permutations of my own IP and hostname(s), which I REJECT. My zen RBL check is moved to postscreen, since I run a pre-2.8 build.

smtpd_sender_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unknown_sender_domain

Instead of specifying each restriction set by itself, put them all together under recipient_restrictions so you can follow along what happens. It will also log more information.

virtual_alias_domains = familyname.com
virtual_alias_maps = hash:/etc/postfix/virtual

It would be mildly interesting to see what is in those files, since a virtual_alias_domain is potentially a wildcard recipient domain.

-----Original Message-----
From: Wietse Venema [mailto:wie...@porcupine.org]
Sent: Tuesday, October 19, 2010 5:16 AM
To: Steve Jenkins
Cc: Postfix users
Subject: Re: Fighting Backscatter

Steve Jenkins:

Oh, and please don't top-post.

-- 
J.
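
The helo_access table described above ("permutations of my own IP and hostname(s), which I REJECT"), sketched as an added example; it is not taken from any poster's configuration. The hostnames, the IP address and the reject text are constructed placeholders, and lookup() is a simplified model of how Postfix searches an access(5) table when smtpd_access_maps is listed in parent_domain_matches_subdomains (the default).

```python
# Added example: build a helo_access table from the server's own names and
# addresses, then check which HELO strings it would reject.
# All hostnames and IPs are constructed placeholders; substitute your own.
OWN_HOSTNAMES = ["mail.example.com", "example.com"]
OWN_IPS = ["192.0.2.25"]
ACTION = "REJECT You are not me"


def build_helo_access(hostnames, ips, action=ACTION):
    """Return {lookup_key: action} for an access(5) table."""
    table = {}
    for name in hostnames:
        table[name.lower().rstrip(".")] = action
    for ip in ips:
        table[ip] = action            # client says: HELO 192.0.2.25
        table["[%s]" % ip] = action   # client says: HELO [192.0.2.25]
    return table


def render(table):
    """Text to save as /etc/postfix/helo_access before running postmap."""
    width = max(len(key) for key in table)
    return "".join("%-*s  %s\n" % (width, k, v) for k, v in sorted(table.items()))


def lookup(table, helo):
    """Simplified model: exact key first, then parent domains."""
    key = helo.lower().rstrip(".")
    if key in table:
        return table[key]
    if key.startswith("["):           # address literals match exactly only
        return None
    while "." in key:
        key = key.split(".", 1)[1]    # strip the leftmost label
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    table = build_helo_access(OWN_HOSTNAMES, OWN_IPS)
    print(render(table))
    # Constructed HELO strings: the first four claim to be this server.
    for helo in ["mail.example.com", "EXAMPLE.COM", "[192.0.2.25]",
                 "192.0.2.25", "mx.example.net", "[198.51.100.7]"]:
        print("%-20s %s" % (helo, lookup(table, helo) or "no match"))
```

After saving the rendered text, run postmap /etc/postfix/helo_access and keep check_helo_access after permit_mynetworks and permit_sasl_authenticated, as in the restriction list quoted above, so that the server's own hosts and authenticated users are permitted before the table is consulted.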