Hi Wietse,

Thanks again for your nice/quick reply...

2012/1/10 Wietse Venema <wie...@porcupine.org>
> Michael Maymann:
> [ Charset ISO-8859-1 unsupported, converting... ]
> > Hi Wietse,
> >
> > thanks for your kind reply...:-) !
> > You're right...
> >
> > - We currently have a setup where all mail from R&D internal->external is
> > sent to my mailrelay in a specific site, as our_isp_relay only allows us to
> > send from there to their mailrelay - no restrictions (this is not our
> > primary mail).
> > - Our_isp_relay has already blacklisted my mailrelay twice, caused by
> > reputation based filtering - no spamming occurred though (all known domains
> > at least...), but the number of mails was rather high...
>
> You need to rate-limit the clients. Use policyd or postfwd or
> something with similar capabilities.
>
All our IPs in "mynetworks" should be allowed to send mails without filtering at this stage. But this looks like a good thing to implement later on though... (at this stage, I would like to make a quick fix to the very open solution we have now)...:-)

> > - We are about to send monitoring alerts through my mailrelay pretty soon,
> > and therefore I would like to avoid spam filtering if possible - but saw
> > domain-whitelisting as a solution to limit damages to a minimum if a host
> > goes hostile...
>
> Rate limit the clients, and you won't have to keep updating whitelists.
>
It is only to our own domain and a handful of external vendors (systems sending support alerts to vendors directly). This will not be a problem in my setup.

> If you have PC-class systems on the network, having anti-spam/virus on the
> mail server would be a good idea because some box will get infected.
>
PC-vlans are not in my "mynetworks", so DC vlans and some specific LAB-equipment IPs are allowed to send... I would really like to avoid anti-spam/virus filtering (at least in this stage), as this can potentially filter my monitoring alerts, etc.

> > - Our Printers are also on the R&D network and they need scan->email
> > functionality, so I still need to allow printers to send to anyone.
>
> You need to exclude the printers from the rate limit.
>
This is my current configuration:

main.cf:
---
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
mydomain = <MYDOMAIN>
myorigin = $mydomain
inet_interfaces = all
mydestination = localhost, localhost.localdomain, $mydomain, dfm.test.com
local_recipient_maps = unix:passwd.byname $alias_maps
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8, <MYVLAN1>, <MYVLAN2>, etc
relay_domains = $mydestination
relayhost = [<MYISP>]
# this will be commented out when we effectuate the new config
# transport_maps = hash:/etc/postfix/transport
# this will be commented in when we effectuate the new config
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
---

transport (everything will be commented in when we effectuate the new config):
---
## Relay own mail to own server
#our_own_domain    relay:<OUR_OFFICIAL_MAILSERVER>
## Relay only mail to known external vendors
#<MY_VENDOR1>      relay:<OUR_ISP_MAILRELAY>
#<MY_VENDOR2>      relay:<OUR_ISP_MAILRELAY>
#<MY_VENDOR3>      relay:<OUR_ISP_MAILRELAY>
#<MY_VENDOR4>      relay:<OUR_ISP_MAILRELAY>
#<MY_VENDOR5>      relay:<OUR_ISP_MAILRELAY>
---

1. How can I exclude my printers from the "transport" whitelisting - can you give an example in the configfile?
2. How can I send bounced mails to bounce@our_own_domain.com - can you give an example in the configfile?

Thanks for your nice support - really appreciate it...:-) !

~maymann

>         Wietse
>
> > - 99.96% of mail going through my mailrelay goes to our own official
> > mailboxes, so my thinking was to route all this directly to our official
> > mailserver and get my mailrelay whitelisted there (so no spamfiltering is
> > done on mails from this IP)...
> >
> > Thanks in advance :-) !
> > ~maymann
>
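One way to turn the destination-domain whitelist into something Postfix actually enforces, with the printers exempted per client address and a copy of bounce notices delivered to a fixed mailbox, as an added configuration example that is not from this thread or from Wietse's reply. The 192.0.2.x printer addresses, the 10.0.0.0/8 VLAN range and the vendor domain names are constructed placeholders; the parameter names are standard Postfix ones.

```ini
# /etc/postfix/main.cf (added example; Postfix 2.3-era syntax)

# transport_maps only decides HOW a listed domain is delivered. A recipient
# domain that is NOT listed is still delivered directly via DNS/MX, so the
# "whitelist" has to be enforced in the SMTP server restrictions instead.
transport_maps = hash:/etc/postfix/transport

# Restriction class: accept a recipient only if its domain is in the
# allowed_domains table, reject everything else.
smtpd_restriction_classes = limited_destinations
limited_destinations = check_recipient_access hash:/etc/postfix/allowed_domains, reject

# Classify the connecting client first. Printers get OK (relay to anyone, as
# scan-to-email requires); the other internal VLANs fall into the
# limited_destinations class. Unmatched hosts are treated as outsiders and
# may only deliver to $mydestination / $relay_domains.
smtpd_recipient_restrictions =
    check_client_access cidr:/etc/postfix/client_classes,
    reject_unauth_destination

# Send a copy of the headers of bounced mail to a fixed mailbox. The bounce
# itself still goes to the envelope sender; this only adds the notification.
notify_classes = resource, software, bounce
bounce_notice_recipient = bounce@our_own_domain.com

# /etc/postfix/client_classes  (cidr table, read directly, no postmap needed)
# constructed addresses: two printers, then the R&D / DC VLAN range
192.0.2.10/32     OK
192.0.2.11/32     OK
10.0.0.0/8        limited_destinations

# /etc/postfix/allowed_domains  (hash table; run "postmap /etc/postfix/allowed_domains")
# check_recipient_access looks up user@domain first and then the bare domain,
# so a domain key matches every recipient in that domain. Include your own
# domain(s), otherwise internal hosts cannot even mail $mydestination.
our_own_domain.com     OK
vendor1.example        OK
vendor2.example        OK
```

Keep the transport map for routing (own domain to the official mailserver, vendors to the ISP relay) and let these restrictions decide which recipients are accepted at all; a host that "goes hostile" can then only reach the listed domains, while the printers remain unrestricted.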