On 11/13/2010 11:01 AM, John Hinton wrote:
OK, on a CentOS 5.X server with Amavisd-new and Postfix.

I think I still need some suggestions for tuning. I notice in my logs, that dictionary attacks are normally being rejected by RBL, mainly Spamhaus instead of failing due to unknown user. Is my thinking correct in that doing unknown user rejects would be less server intensive than RBL checks? And, if these dictionary attacks are getting RBL rejects, could they possibly think that it is a good email address and be saving them to use on another network... which would just add to the junk coming in over time?

OK, here's my conf and I certainly welcome any tips that anyone would like to share. I am still very much green with Postfix, but I have picked up a lot reading this list over the last few days.

The conf output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisd-new:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = orion.ew3d.com
myhostname = orion.ew3d.com
mynetworks = 64.203.174.0/24, 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
rbl_reply_maps = hash:/etc/postfix/dnsbl-reply-map
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_rbl_client sbl.dnsbl, reject_rbl_client xbl.dnsbl, reject_rbl_client cbl.abuseat.org, reject_rbl_client dnsbl.ahbl.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2, reject_rhsbl_client rhsbl.sorbs.net, permit
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/pki/tls/certs/orion.ew3d.com.cert
smtpd_tls_key_file = /etc/pki/tls/private/orion.ew3d.com.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual


Thanks!
John Hinton
Duh, I should mention that this mailserver handles virtual domains in a hosting environment.

I'm a bit confused about the difference between smtpd_recipient_restrictions and smtpd_client_restrictions and wondering if I need to move smtpd_recipient_restrictions above smtpd_client_restrictions? So, I'm reading the man pages and trying to let this stuff emulsify into my brain. :)

A side note: This amavisd-new/Postfix/Dovecot installation has reduced server loads to about 1/5th of what I had with Sendmail/Postfix running nearly the same checks on email. That is obviously a good thing! Also, I very much like being able to avoid RBL checks on outbound email. Seems we do wind up with clients being placed on dirty networks with some frequency... And, as our client base is controlled and they are not spammers, avoiding all spam checks on outbound is awesome. I used milters in sendmail in order to do rejects and those checked all in and all out.

John Hinton

--
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions
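The question above is really about which restriction fires first for a dictionary-attack probe, and the only way to know on a given server is to tally the reject lines in the mail log. Postfix evaluates the restriction lists in the order client, helo, sender, recipient, and with the default smtpd_delay_reject = yes all of them are applied at the RCPT TO stage, so an RBL hit in smtpd_client_restrictions is logged before any recipient lookup happens. The script below is an added example, not code from the post or from the Postfix project: it parses Postfix smtpd "NOQUEUE: reject:" lines, counts rejections by cause (which DNSBL, or unknown user), and flags client IPs that tried several distinct recipients, which is the dictionary-attack pattern the poster describes. The log lines, host names and addresses are constructed for the example; the log format follows Postfix's standard reject line layout but any real rbl_reply_maps text would change the "blocked using" wording and the regex would need adjusting.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in Postfix smtpd reject format (not from the poster's server).
SAMPLE_LOG = """\
Nov 13 11:02:01 orion postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using sbl.dnsbl; from=<sender@example.net> to=<alice@example.org> proto=ESMTP helo=<mail.example.net>
Nov 13 11:02:02 orion postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using sbl.dnsbl; from=<sender@example.net> to=<bob@example.org> proto=ESMTP helo=<mail.example.net>
Nov 13 11:02:03 orion postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using sbl.dnsbl; from=<sender@example.net> to=<carol@example.org> proto=ESMTP helo=<mail.example.net>
Nov 13 11:05:10 orion postfix/smtpd[4322]: NOQUEUE: reject: RCPT from mx.example.com[198.51.100.7]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in virtual alias table; from=<ops@example.com> to=<nobody@example.org> proto=ESMTP helo=<mx.example.com>
Nov 13 11:06:00 orion postfix/smtpd[4323]: connect from mx.example.com[198.51.100.7]
"""

# One Postfix smtpd reject line: client name, IP, SMTP code, enhanced status, free-text reason,
# then the envelope sender and recipient that Postfix appends.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def classify(reason):
    """Map the free-text reject reason to a short cause label."""
    if "blocked using" in reason:
        m = re.search(r"blocked using (\S+)", reason)
        return "rbl:" + m.group(1) if m else "rbl"
    if "User unknown" in reason:
        return "unknown_user"
    if "Recipient address rejected" in reason:
        return "recipient_rejected"
    return "other"


def summarize(log_text):
    """Return (rejects per cause, set of distinct recipients tried per client IP)."""
    by_reason = Counter()
    rcpts_per_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # connects, deliveries and other non-reject lines are skipped
        by_reason[classify(m.group("reason"))] += 1
        rcpts_per_ip[m.group("ip")].add(m.group("rcpt"))
    return by_reason, rcpts_per_ip


def dictionary_attack_suspects(rcpts_per_ip, threshold=3):
    """Client IPs that were rejected for at least `threshold` distinct recipients."""
    return sorted(ip for ip, rcpts in rcpts_per_ip.items() if len(rcpts) >= threshold)


if __name__ == "__main__":
    reasons, per_ip = summarize(SAMPLE_LOG)
    for cause, n in reasons.most_common():
        print(f"{n:6d}  {cause}")
    for ip in dictionary_attack_suspects(per_ip):
        print(f"probe pattern from {ip}: {len(per_ip[ip])} distinct recipients rejected")
```

Run it against a real log with `summarize(open("/var/log/maillog").read())`; if the RBL buckets dominate for the same IPs that also hit many distinct recipients, the DNS lookups are being spent before the recipient table is ever consulted, which is exactly the ordering the poster is asking about.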
