Hi, thank you so much for your valuable input!
> Commas are irrelevant, just another of several forms of whitespace.
> "Postfix main.cf file format" is at the very top of this very long
> manual:
>
> http://www.postfix.org/postconf.5.html

thanks!

> > I am totally new to the mail server business. I read a lot about
> > Postfix and finally succeeded in setting up a working installation
> > on my GNU/Linux VPS. So far mail delivery works fine, and even
> > most Spam is filtered.
>
> Most? Looks like all, from what you showed us.

I get about one Spam message a day, which is fine by me. (Did not have a smtpd_sender_restrictions set up, though)

> > Nonetheless I would like to have an expert
> > (or two ;) to have a look at my configuration. I am confident that
> > I did everything right, but in the end I am not sure and I do not
> > want my VPS end up as an open relay.
>
> Your fear is misplaced. You cannot be an open relay easily.

> > Long story short, here's my main.cf:
>
> Preferred is "postconf -n" as per the list welcome message and the
> posting guidelines here:
>
> http://www.postfix.org/DEBUG_README.html#mail
>
> It also helps if you describe in general terms what it is that you
> want to accomplish. I have answered as if you want to run a general
> purpose MTA for both submission and receipt of Internet mail.

> > disable_vrfy_command = yes
> > myorigin = mysubdomain.mydomain.com
>
> You should not use real Internet domain names as examples.
> Example.com and example.* in all gTLDs and many ccTLDs are set aside
> for such use.

ok

[...]

> > smtpd_recipient_restrictions =
> >     permit_mynetworks,
> >     reject_unauth_destination,
> >     reject_unknown_sender_domain,
> >     reject_unknown_client_hostname,
>
> This is not safe for general usage. It's very aggressive and would
> block quite a lot of non-spam mail. That is, if you had not already
> rejected it all in your smtpd_sender_restrictions.

replaced reject_unknown_client_hostname with reject_unknown_reverse_client_hostname. Any better?
(Lots of tutorials seem to advise this specific configuration, and I have not had any problems so far...)

> >     reject_rbl_client zen.spamhaus.org,
> >     reject_rbl_client bl.spamcop.net
>
> Likewise. Spamcop works best in a scoring system such as
> postscreen(8) or various policy servers.

I will check postscreen ASAP.

> >     check_policy_service inet:127.0.0.1:10023
> >
> > I wanted to keep it as simple as possible, so I decided to ditch
> > the numerous options that can be used for spam detection based on
> > SMTP protocol quirks (EHLO etc.) I think those spam senders will get
> > filtered later on by postgray and zen.spamhaus.org anyway. (If there
> > is something I can do better in this regard, just say so!)
>
> I don't bother with greylisting for many years. I think it is more
> pain than it is worth.

ok. I will think about greylisting one more time.

> > I ssh to my server and use sendmail to send mails, that's why I set
> > up that odd smtpd_sender_restrictions. smtpd_sender_restrictions is
> > necessary, because otherwise I would end up as an open relay,
> > right?
>
> Where did you see this advice? No, that is entirely wrong. Relaying
> is controlled by smtpd_recipient_restrictions.
>
> http://www.postfix.org/SMTPD_ACCESS_README.html

I got it wrong, sorry.
Here's my new config:

alias_maps = hash:/etc/aliases
always_add_missing_headers = yes
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
home_mailbox = Maildir/
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mydestination = subexample.example.com, example.com, localhost.example.com, localhost
mydomain = subexample.example.com
mynetworks = 127.0.0.1/32 [::1]/128
myorigin = subexample.example.com
non_smtpd_milters = inet:localhost:8891
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_policy_service inet:127.0.0.1:10023, permit
virtual_alias_maps = hash:/etc/postfix/my-valiases

Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
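
An added example, not part of the original message or of Postfix: a small Python check that reads main.cf-style text (commas treated as whitespace, indented lines as continuations) and reports whether reject_unauth_destination is reached before any rule that could return a permit. It assumes relay control lives in smtpd_recipient_restrictions, as in the configuration above; the function names, the sample text and the list of argument-taking restrictions are constructed for illustration and the check is a simplified heuristic.

```python
import re

# Constructed sample in main.cf format, modelled on the restriction list posted above.
SAMPLE = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_reverse_client_hostname,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023,
    permit
"""

TRUSTED = {"permit_mynetworks", "permit_sasl_authenticated"}
GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}
# Restrictions that consume the next word as their argument (not exhaustive).
TAKES_ARG = re.compile(r"check_|reject_rbl|reject_rhsbl|permit_dnswl|permit_rhswl")

def parse_main_cf(text):
    """Logical lines start in column 1; lines starting with whitespace continue them."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if line[0].isspace() and name is not None:
            params[name] += " " + line.strip()
        else:
            name, _, value = (s.strip() for s in line.partition("="))
            params[name] = value
    return params

def restriction_names(value):
    """Split on whitespace and commas (equivalent in main.cf) and drop arguments."""
    words, names, i = value.replace(",", " ").split(), [], 0
    while i < len(words):
        names.append(words[i])
        i += 2 if TAKES_ARG.match(words[i]) else 1
    return names

def relay_check(text):
    """Return (guarded, risky): risky lists rules that may permit before the guard."""
    names = restriction_names(parse_main_cf(text).get("smtpd_recipient_restrictions", ""))
    risky = []
    for name in names:
        if name in GUARDS:
            return True, risky
        if name not in TRUSTED and name.startswith(("permit", "check_")):
            risky.append(name)
    return False, risky
```

`relay_check(SAMPLE)` returns `(True, [])`; a non-empty second element names the rules to move below reject_unauth_destination.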