On 11/13/2010 05:28 PM, John Hinton wrote:
On 11/13/2010 11:01 AM, John Hinton wrote:
OK, on a CentOS 5.X server with Amavisd-new and Postfix.
I think I still need some suggestions for tuning. I notice in my
logs, that dictionary attacks are normally being rejected by RBL,
mainly Spamhaus instead of failing due to unknown user. Is my
thinking correct in that doing unknown user rejects would be less
server intensive than RBL checks? And, if these dictionary attacks
are getting RBL rejects, could they possibly think that it is a good
email address and be saving them to use on another network... which
would just add to the junk coming in over time?
OK, here's my conf and I certainly welcome any tips that anyone would
like to share. I am still very much green with Postfix, but I have
picked up a lot reading this list over the last few days.
The conf output:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisd-new:[127.0.0.1]:10024
If you want to avoid checking "trusted" users, don't use a global
content_filter.
Instead, set it on the internet-facing SMTP listener only, and disable
it for your submission port.
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = orion.ew3d.com
myhostname = orion.ew3d.com
mynetworks = 64.203.174.0/24, 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
rbl_reply_maps = hash:/etc/postfix/dnsbl-reply-map
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_rbl_client sbl.dnsbl,
    reject_rbl_client xbl.dnsbl,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.ahbl.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
    reject_rhsbl_client rhsbl.sorbs.net,
These are quite expensive; you may want to delay those to be the last
restrictions checked.
This cannot be done in client restrictions; use recipient restrictions
instead.
permit
smtpd_recipient_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
You really want to add proper client, HELO and sender/recipient address
format checks here (reject_invalid_helo_hostname,
reject_unknown_helo_hostname, reject_unknown_reverse_client_hostname,
reject_non_fqdn_[sender|recipient], etc.)
Also add smtpd_helo_required = yes; it is disabled by default, and you
really need that.
They together stop more spam than RBLs do - and hitting them means your
RBLs will not need to be checked.
Thanks!
John Hinton
Duh, I should mention that this mailserver handles virtual domains in
a hosting environment.
I'm a bit confused about the difference between
smtpd_recipient_restrictions and smtpd_client_restrictions
smtpd_client_restrictions are applied in the context of the SMTP connect
phase.
smtpd_recipient_restrictions are applied in the context of the SMTP
session's individual RCPT TO commands.
and wondering if I need to move smtpd_recipient_restrictions above
smtpd_client_restrictions?
In the configuration file? That has no meaning; the order of settings
is immaterial.
For most people, putting all restrictions in smtpd_recipient_restrictions
is simpler and more manageable.
The default setting of smtpd_delay_reject = yes means that none of these
restrictions will cause a REJECT until the RCPT TO is received anyway.
So your client restrictions may cause a client IP to be rejected
outright, but postfix will only disconnect the client when the first
RCPT TO is received.
Putting all restrictions in smtpd_recipient_restrictions means you get a
better idea of the sequence of checks.
However, there are plenty of special cases where separate restriction*
checks make sense, or are needed.
Remember that the behaviour will be very different depending on the
smtpd_delay_reject setting.
So, I'm reading the man pages and trying to let this stuff emulsify
into my brain. :)
A side note: This amavisd-new/Postfix/Dovecot installation has
reduced server loads to about 1/5th of what I had with
Sendmail/Postfix running nearly the same checks on email. That is
obviously a good thing! Also, I very much like being able to avoid RBL
checks on outbound email.
Restriction classes can help you here.
http://www.postfix.org/RESTRICTION_CLASS_README.html
Or you can explicitly whitelist certain clients.
Also, you want to run a local DNS cache; it's the single most
significant performance boost you can give a postfix system, and not
just for RBLs.
--
J.
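One way to lay out main.cf along the lines of the advice in this reply (an added example, not taken from the thread, from the poster's server or from the Postfix documentation): cheap syntax and consistency checks first, the unknown-recipient reject next, and the DNSBL lookups last, all in one smtpd_recipient_restrictions list. The DNSBL zones are two of those in the posted config; reject_unknown_sender_domain and reject_unlisted_recipient are standard Postfix restrictions not named above and are assumed to be available on this 2.3.x install.

```ini
# Added example: main.cf fragment ordered so that a rejected client never
# reaches the costly DNSBL lookups at the end of the list.

# HELO is optional by default; require it so the HELO checks below can act.
smtpd_helo_required = yes
# Default, stated explicitly: every REJECT is deferred until RCPT TO, so the
# whole sequence of checks is visible in one place in the log.
smtpd_delay_reject = yes

# Nothing DNS-heavy at connect time; everything else moves to RCPT TO.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated

# Evaluated top to bottom for each RCPT TO; first permit/reject wins.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
# Pure syntax checks: no network traffic at all.
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
# Local table lookup: dictionary attacks on virtual users die here, before
# any DNSBL query is sent (placeholder for the implicit unlisted check).
    reject_unlisted_recipient,
# One DNS lookup each, against data Postfix already has in hand.
    reject_unknown_sender_domain,
    reject_unknown_reverse_client_hostname,
# Rejects legitimate but badly configured senders; test with
# warn_if_reject in front of it before enforcing.
    reject_unknown_helo_hostname,
# DNSBL lookups last: only clients that survived everything above pay
# for them, and mynetworks/authenticated clients never reach them.
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.sorbs.net,
    permit
```

Run `postconf -n` after editing to confirm the lists were read as intended, and watch `reject:` lines in the mail log to see which rule now fires for the dictionary-attack traffic.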