On 02/02/2011 19:28, Steve Jenkins wrote:
> After watching the recent thread about filtering restrictions, it's
> got me curious as to whether mine are optimal. I've recently added
> support for backscatterer checking in my restrictions, and I moved
> Stan's fqrdns.pcre check higher in my list per his suggestion in an
> earlier thread. Mine now look like:
> 
> smtpd_helo_required = yes
> 
> disable_vrfy_command = yes
> 
> smtpd_recipient_restrictions =
>         permit_sasl_authenticated,
>         permit_mynetworks,
>         reject_unauth_destination,
>         check_client_access pcre:/etc/postfix/fqrdns.pcre,
>         reject_unknown_reverse_client_hostname,
>         warn_if_reject reject_non_fqdn_helo_hostname,
>         warn_if_reject reject_invalid_helo_hostname,
>         warn_if_reject reject_unknown_helo_hostname,

reject_unknown_helo_hostname implies a dns query. do you really want it
here? (do you need it at all!).

also, be careful with warn_if_reject. postfix caches the results of
checks. so if you use say reject_invalid_helo_hostname later (for
example as the result of one of your check_*_access), then it will only warn.

>         reject_unauth_pipelining,
>         reject_non_fqdn_sender,
>         reject_unknown_sender_domain,
>         reject_non_fqdn_recipient,

I would swap the two lines above. reject_unknown_* queries DNS and is
thus more expensive than reject_non_fqdn_*.

>         reject_unknown_recipient_domain,

at this stage (after reject_unauth_destination), this can only catch
your own domains. that is: it will reject mail if _your_ DNS gets borked!

>         check_helo_access hash:/etc/postfix/helo_access,
>         check_sender_access hash:/etc/postfix/check_backscatterer,
>         reject_rbl_client b.barracudacentral.org,
>         reject_rbl_client zen.spamhaus.org,

I would swap spamhaus and barracuda. the latter hasn't (yet?) reached
the reputation of spamhaus. so when trying to analyse/look for false
positives, putting spamhaus first will save some effort (of course, this
is only true if _you_ think spamhaus is safer).

>         reject_rbl_client psbl.surriel.com,
>         reject_rhsbl_client dbl.spamhaus.org,
>         reject_rhsbl_sender dbl.spamhaus.org,
>         reject_rhsbl_helo dbl.spamhaus.org,
>         permit
> 
> Do I have these listed in an optimal order (from least to most
> "expensive")? Any other suggestions?
> 
> The check_backscatterer file setup is as suggested on
> http://www.backscatterer.org/?target=usage, with the exception of
> "hash" instead of "dbm."
> 
> FYI - Using Postfix 2.6.5 on this box, but looking to use the same
> restrictions on two of my 2.8.0 boxes.
> 
> Thanks,
> 
> SteveJ
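As an added example (my own code, not from this thread), a small Python lint over the restriction list from the original post: it reports every locally decided check that sits behind a DNS or DNSBL lookup, which is the "least to most expensive" ordering argument made in the reply. The cost classes in NETWORK are my assumption, and warn_if_reject is ignored because it changes logging, not the cost of the check it prefixes.

```python
import re
# Constructed copy of the restriction list from the original post, in the
# comma/whitespace-separated form Postfix accepts in main.cf.
ORIGINAL = """
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
check_client_access pcre:/etc/postfix/fqrdns.pcre, reject_unknown_reverse_client_hostname,
warn_if_reject reject_non_fqdn_helo_hostname, warn_if_reject reject_invalid_helo_hostname,
warn_if_reject reject_unknown_helo_hostname, reject_unauth_pipelining,
reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient,
reject_unknown_recipient_domain, check_helo_access hash:/etc/postfix/helo_access,
check_sender_access hash:/etc/postfix/check_backscatterer,
reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org,
reject_rbl_client psbl.surriel.com, reject_rhsbl_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, permit
"""

# Assumed cost model: these restrictions need a DNS or DNSBL query to decide.
# reject_unknown_reverse_client_hostname is left out on purpose: smtpd resolves
# the client name at connect time, so that check only inspects the result.
NETWORK = ("reject_unknown_helo_hostname", "reject_unknown_sender_domain",
           "reject_unknown_recipient_domain", "reject_rbl_", "reject_rhsbl_")
WITH_ARG = ("check_", "reject_rbl_", "reject_rhsbl_")  # followed by a map or zone
TERMINAL = {"permit", "reject", "defer"}               # end of list, never reordered

def parse_restrictions(value):
    """Return the restriction names in evaluation order, without map/zone
    arguments and without warn_if_reject (it changes logging, not cost)."""
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    names, i = [], 0
    while i < len(tokens):
        name, i = tokens[i], i + 1
        if name == "warn_if_reject":
            continue
        if name.startswith(WITH_ARG):
            i += 1                          # skip the argument token
        names.append(name)
    return names

def misordered(value):
    """Return (local_check, [network checks evaluated before it]) pairs; each
    local check could move ahead of those lookups to save DNS traffic."""
    seen, out = [], []
    for name in parse_restrictions(value):
        if name in TERMINAL:
            continue
        if name.startswith(NETWORK):
            seen.append(name)
        elif seen:
            out.append((name, list(seen)))
    return out
```

Run on the posted list it flags reject_non_fqdn_recipient behind reject_unknown_sender_domain (the swap suggested above) as well as the checks that follow reject_unknown_helo_hostname and reject_unknown_recipient_domain.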
