On 20.01.2012 11:55, Charles Marcus wrote:
>> why are you not only opening from the allowed addresses in
>> the packet-filter (iptables)? so you have no log-entries
>> from spammers all over the world and any protection should
>> generally happen as wide as possible before the service
>
> I agree wholeheartedly and I do this as well, but I also believe in
> multi-layered
> security, so I would *definitely* also lock it down in postfix as above as
> well...

I normally do too. If you have no MX records pointing to your machine, because they all point to the spam firewall, you do not get many attempts to deliver mail directly to it, and those that do come are burned down with greylisting/RBL.

We have our own spam firewall in front and only one domain points with MX directly to the mail server; well, I see no other delivery attempts, and they are mostly killed because of the EHLO checks.

I would put the spam firewalls in "mynetworks", lock down the machine with iptables, and in case something goes wrong with iptables, the settings below eat the spam:

smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname

smtpd_recipient_restrictions =
    permit_mynetworks
    ....... YOUR-SETTINGS ............
    reject_invalid_hostname
    reject_unknown_reverse_client_hostname
    reject_unauth_pipelining
    reject_rbl_client dnsbl-1.uceprotect.net
    check_policy_service unix:/var/spool/postfix/postgrey/socket