On Wed, Mar 21, 2012 at 12:31:23PM -0700, Mark S wrote:
> > > smtpd_recipient_restrictions =
> > > permit_mynetworks,
> > > reject_unauth_destination,
> > > reject_unknown_sender_domain,
> > > reject_unknown_client_hostname,
> >
> > This is not safe for general usage. It's very aggressive and would
> > block quite a lot of non-spam mail. That is, if you had not already
> > rejected it all in your smtpd_sender_restrictions.
>
> replaced reject_unknown_client_hostname with
> reject_unknown_reverse_client_hostname. Any better? (Lots of
> tutorials seem to advise this specific configuration, and I have
> not had any problems so far...)

Oh yes. This is pretty much the standard in recent years. If you're
reading the list you might have noticed from yesterday that hotmail
might have problems with this restriction, but perhaps in due time
they will fix that. (Or, perhaps not. They might be using their
hotmail users as pawns in their efforts to show how bad
free-software-based mail servers are. Stranger tactics have been seen
from Redmond.)

My solution to the hotmail NXDOMAIN problem is permit_dnswl_client, a
feature which was added in Postfix 2.8.

> > > reject_rbl_client zen.spamhaus.org,
> > > reject_rbl_client bl.spamcop.net
> >
> > Likewise. Spamcop works best in a scoring system such as
> > postscreen(8) or various policy servers.
>
> I will check postscreen ASAP.

It was added in Postfix 2.8 also.
http://www.postfix.org/POSTSCREEN_README.html

snip

> Here's my new config:
>
> alias_maps = hash:/etc/aliases
> always_add_missing_headers = yes
> biff = no
> config_directory = /etc/postfix
> disable_vrfy_command = yes
> home_mailbox = Maildir/
> mailbox_size_limit = 0
> milter_default_action = accept
> milter_protocol = 2
> mydestination = subexample.example.com, example.com,
>     localhost.example.com, localhost
> mydomain = subexample.example.com
> mynetworks = 127.0.0.1/32 [::1]/128
> myorigin = subexample.example.com
> non_smtpd_milters = inet:localhost:8891
> smtpd_milters = inet:localhost:8891
> smtpd_recipient_restrictions = permit_mynetworks,
>     reject_unauth_destination, reject_unknown_sender_domain,
>     reject_unknown_reverse_client_hostname, reject_rbl_client
>     zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
>     check_policy_service inet:127.0.0.1:10023, permit
> virtual_alias_maps = hash:/etc/postfix/my-valiases

Again, I think you'll have problems with Spamcop there. I use and
recommend the Barracuda BRBL <http://barracudacentral.org/rbl>, which
I find safe and effective.

Consider also RHSBL lookups:

    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_helo dbl.spamhaus.org

These check the client FCrDNS name, the sender domain, and the
HELO/EHLO name against a list of known spammer domains.

With any DNSBL, be familiar with their policies before trusting them
to block mail for you.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
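
A main.cf fragment combining the suggestions in this message, added here as an example; it is not the configuration of either participant in the thread. The whitelist zone list.dnswl.org, the BRBL zone name b.barracudacentral.org, and the postscreen weights and threshold are assumptions.

```conf
# main.cf fragment (added example; needs Postfix 2.8 or later)

# postscreen(8) DNSBL scoring instead of first-hit rejection.
# With these weights a Spamcop or BRBL listing alone scores 1 and passes;
# Zen alone, or Spamcop plus BRBL together, reaches the threshold.
# Weights and threshold are assumptions: tune them against your own logs.
postscreen_dnsbl_sites =
    zen.spamhaus.org*2,
    b.barracudacentral.org*1,
    bl.spamcop.net*1
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action = enforce

# smtpd(8) checks for clients that passed postscreen.
# A client listed in the whitelist zone gets OK at permit_dnswl_client,
# so every check placed after that entry is skipped for it. Here that
# exempts whitelisted clients from the reverse-hostname check and the
# policy service, but not from the dbl.spamhaus.org lookups before it.
# The whitelist zone name is an assumption: use one whose policy you trust.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_rhsbl_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    permit_dnswl_client list.dnswl.org,
    reject_unknown_reverse_client_hostname,
    check_policy_service inet:127.0.0.1:10023,
    permit
```

The postscreen settings only take effect once the master.cf service entries described in POSTSCREEN_README are enabled.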