On 10/19/2010 11:35 PM, Stan Hoeppner wrote:
Jeroen Geilman put forth on 10/19/2010 8:09 PM:
You're missing some of the better spam prevention methods here, such as
decent HELO checks, and an RBL or two.
I'd suggest at least adding reject_unknown_reverse_client_hostname in
there, as well as (testing out)
reject_[invalid|unknown|non_fqdn]_helo_hostname.
This will probably be a big help to Steve.
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated,
reject_unauth_destination
...
check_client_access pcre:/etc/postfix/fqrdns.pcre
In your opinion, would check_reverse_client_hostname_access (Postfix
2.6+) work better here?
Many dynamic zombies don't always resolve forward.
...
reject_rbl_client zen.spamhaus.org
reject_rbl_client psbl.surriel.com
reject_rhsbl_client dbl.spamhaus.org
reject_rhsbl_sender dbl.spamhaus.org
reject_rhsbl_helo dbl.spamhaus.org
check_policy_service inet:127.0.0.1:60000
http://www.hardwarefreak.com/fqrdns.pcre
This pcre rdns checker kills tons of bot spam from consumer IPs that
should not be sending direct smtp mail. It picks up where the PBL
leaves off. Zero FP rate. As always, exclude it from your own
submission smtpd or it ighty well reject your own users.
The check_policy_service line is the postgrey daemon. Doesn't stop
alot, maybe 5-10 per day of 1000, but it's a needed safety net. Your
anti spam toolbox needs many tools to make all the tools effective as a
whole. Merely adding fqrdns.pcre has put a big smile on the faces of
quite a few OPs.
As always, do a "postfix reload" after making changes to main.cf.
