On Wed, Mar 21, 2012 at 11:31:19AM -0700, Mark S wrote:
> there is one comma missing after reject_rbl_client bl.spamcop.net,
> that's fixed of course.

Commas are irrelevant, just another of several forms of whitespace.
"Postfix main.cf file format" is at the very top of this very long
manual:
    http://www.postfix.org/postconf.5.html

> I am totally new to the mail server business. I read a lot about
> Postfix and finally succeeded in setting up a working installation
> on my GNU/Linux VPS. So far mail delivery works fine, and even
> most Spam is filtered.

Most? Looks like all, from what you showed us.

> Nonetheless I would like to have an expert
> (or two ;) to have a look at my configuration. I am confident that
> I did everything right, but in the end I am not sure and I do not
> want my VPS to end up as an open relay.

Your fear is misplaced. You cannot be an open relay easily.

> Long story short, here's my main.cf:

Preferred is "postconf -n" as per the list welcome message and the
posting guidelines here:
    http://www.postfix.org/DEBUG_README.html#mail

It also helps if you describe in general terms what it is that you
want to accomplish. I have answered as if you want to run a general
purpose MTA for both submission and receipt of Internet mail.

> disable_vrfy_command = yes
>
> myorigin = mysubdomain.mydomain.com

You should not use real Internet domain names as examples.
Example.com and example.* in all gTLDs and many ccTLDs are set aside
for such use.

> mydomain = mysubdomain.mydomain.com
> mydestination = mysubdomain.mydomain.com, mydomain.com,
>     localhost.mydomain.com, localhost
> mynetworks = 127.0.0.1/32 [::1]/128
> virtual_alias_maps = hash:/etc/postfix/my-valiases
> alias_maps = hash:/etc/aliases
>
> home_mailbox = Maildir/
> mailbox_size_limit = 0
> biff = no
> always_add_missing_headers = yes
>
> milter_default_action = accept
> milter_protocol = 2
> smtpd_milters = inet:localhost:8891
> non_smtpd_milters = inet:localhost:8891
>
> smtpd_sender_restrictions =
>     permit_mynetworks,
>     reject

This means that for every MAIL FROM: command, these restrictions are
applied. This further means that you will permit any clients who are
in $mynetworks (127.0.0.1 or ::1) to send, and all other mail is
rejected.

This is not suitable for an Internet MX host. You will get no spam,
nor any non-spam, unless sent from your own server host.

> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     reject_unauth_destination,
>     reject_unknown_sender_domain,
>     reject_unknown_client_hostname,

This is not safe for general usage. It's very aggressive and would
block quite a lot of non-spam mail. That is, if you had not already
rejected it all in your smtpd_sender_restrictions.

>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client bl.spamcop.net

Likewise. Spamcop works best in a scoring system such as
postscreen(8) or various policy servers.

>     check_policy_service inet:127.0.0.1:10023
>
>
> I wanted to keep it as simple as possible, so I decided to ditch
> the numerous options that can be used for spam detection based on
> SMTP protocol quirks (EHLO etc.) I think those spam senders will get
> filtered later on by postgrey and zen.spamhaus.org anyway. (If there
> is something I can do better in this regard, just say so!)

I haven't bothered with greylisting for many years. I think it is
more pain than it is worth.

> I ssh to my server and use sendmail to send mails, that's why I set
> up that odd smtpd_sender_restrictions. smtpd_sender_restrictions is
> necessary, because otherwise I would end up as an open relay,
> right?

Where did you see this advice? No, that is entirely wrong. Relaying
is controlled by smtpd_recipient_restrictions.
    http://www.postfix.org/SMTPD_ACCESS_README.html
-- 
    http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
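
An added example, not part of the original message and not Postfix code: a simplified Python model of how the two restriction lists discussed above combine, showing that the posted smtpd_sender_restrictions blocks all outside mail while reject_unauth_destination in smtpd_recipient_restrictions is what prevents relaying. Assumptions: only three restrictions are modelled, "authorized destination" is reduced to the posted mydestination, and the client address 192.0.2.10 and domain elsewhere.example are constructed sample values.

```python
"""Simplified model of Postfix smtpd restriction lists (illustration only)."""
import ipaddress

MYNETWORKS = ["127.0.0.1/32", "::1/128"]            # from the posted main.cf
MYDESTINATION = {"mysubdomain.mydomain.com", "mydomain.com",
                 "localhost.mydomain.com", "localhost"}

def in_mynetworks(client):
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(net) for net in MYNETWORKS)

def apply_rule(rule, client, rcpt_domain):
    """Return 'PERMIT', 'REJECT', or None when the rule does not match."""
    if rule == "permit_mynetworks":
        return "PERMIT" if in_mynetworks(client) else None
    if rule == "reject_unauth_destination":
        # Assumption: destinations we are final for == MYDESTINATION.
        return None if rcpt_domain in MYDESTINATION else "REJECT"
    if rule == "reject":
        return "REJECT"
    raise ValueError("restriction not modelled: " + rule)

def run_list(rules, client, rcpt_domain):
    """First matching rule decides the list; an exhausted list permits."""
    for rule in rules:
        verdict = apply_rule(rule, client, rcpt_domain)
        if verdict is not None:
            return verdict
    return "PERMIT"

def smtpd_decision(sender_rules, recipient_rules, client, rcpt_domain):
    """A REJECT in any list rejects; a PERMIT only ends that one list."""
    for rules in (sender_rules, recipient_rules):
        if run_list(rules, client, rcpt_domain) == "REJECT":
            return "REJECT"
    return "ACCEPT"

POSTED_SENDER = ["permit_mynetworks", "reject"]      # as posted
NO_SENDER = []                                       # list left empty
RECIPIENT = ["permit_mynetworks", "reject_unauth_destination"]

if __name__ == "__main__":
    outside = "192.0.2.10"                           # constructed client
    for label, sender in (("posted", POSTED_SENDER), ("empty", NO_SENDER)):
        for dom in ("mydomain.com", "elsewhere.example"):
            print(label, outside, dom,
                  smtpd_decision(sender, RECIPIENT, outside, dom))
```
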