On 4/16/2012 4:33 AM, Stephane Wirtel wrote:
> Dear Postfix Jedi,
>
> I need your help to secure a new postfix server against SPAM flooding.
>
> Currently I have an old postfix based on an old debian server and for
> some days my server has been subject to SPAM flooding (+- 50k mails/hour).

How many of these 50K are entering the queue?

> So, I have decided to reconfigure a new server with an updated
> distribution, because the old distribution is not supported by debian (too
> old).

Using Debian 6.0? (Squeeze)

> For this new server, I am thinking of using
> 1. SASL (authentication)
> 2. TLS for the SMTP server.
> 3. the smtpd_client_restrictions = permit_sasl_authenticated,
> permit_mynetwork

smtpd_RECIPIENT_restrictions - not 'client'

> 4. a pgsql server for the domains and the mailboxes.
> 5. postgrey and some rbl servers

Don't use postgrey. Install Postfix 2.9.1 and configure postscreen:

http://www.postfix.org/POSTSCREEN_README.html

If using Debian 6 add the backports archive to /etc/apt/sources.list:

deb http://backports.debian.org/debian-backports squeeze-backports main

$ aptitude -t squeeze-backports install postfix

> I have some questions,
> 1. is it enough ? (I think no, but if you have advice, I'm very interested)

postscreen will kill the bot traffic efficiently. With 50K connections/min
you do not want to use postgrey.

Install a caching DNS resolver to minimize latency. For Debian:

$ aptitude install pdns-recursor

It will work out of the box but you may want to make some adjustments to
settings in /etc/powerdns/recursor.conf

> 2. do you know some "secure" and "efficient" rbl servers ?

Spamhaus allows up to 300K queries/day:
http://www.spamhaus.org/organization/dnsblusage/

BRBL is free but requires registration, no query limit:
http://www.barracudacentral.org/account/register

Passive Spam Block List, no query limit:
http://psbl.org/howto/

Pay DNSBL targeting snowshoe spam, very effective, reasonable cost,
requires RBLDNSD or local DNS server (not just a resolver):
http://dnsbl.invaluement.com/ivmsip/

All of these can be safely used for outright rejection. With Postscreen
you can do so or you can configure a basic scoring system.

> 3. Do I have to use SPF in my ns ?

Not required. Optional. It's so easy to add the TXT record there's no
reason not to. Just make sure you get it right.

> Thank you for your advice.

You're welcome. Good luck.

-- 
Stan
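An added example, not part of Stan's reply or of the Postfix project's own files, showing the postscreen setup he recommends with the DNSBLs he lists wired into a basic scoring system rather than outright rejection. Assumed: Postfix 2.9.x, the public zone names for Spamhaus, Barracuda and PSBL, and a placeholder zone name (ivmsip.rbldnsd.example) for the paid ivmSIP feed served by a local rbldnsd.

```conf
# /etc/postfix/main.cf  (Postfix 2.9.x with postscreen)

# mynetworks bypasses postscreen; SASL clients never reach it because the
# submission port is wired straight to smtpd in master.cf below.
postscreen_access_list = permit_mynetworks

# Clients that talk before the greeting is complete (typical bot
# behaviour) are rejected.
postscreen_greet_action = enforce

# Basic scoring: each listing adds its weight; a client reaching the
# threshold is rejected.  Spamhaus SBL/XBL return codes score higher than
# PBL (dynamic-range) codes.  The ivmsip zone name is a placeholder for
# the locally served paid feed.
postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..7]*3
    zen.spamhaus.org=127.0.0.[10..11]*2
    b.barracudacentral.org*2
    psbl.surriel.com*2
    ivmsip.rbldnsd.example*3
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_blacklist_action = enforce

# Name the public list in the rejection text instead of the local zone.
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply

# Cache verdicts so a resolver round trip is not repeated per connection.
postscreen_cache_map = btree:$data_directory/postscreen_cache

# /etc/postfix/master.cf  (postscreen owns port 25, smtpd becomes a
# pass-through service; submission stays on smtpd so SASL/TLS clients
# are never scored)
smtp       inet  n  -  -  -  1  postscreen
smtpd      pass  -  -  -  -  -  smtpd
dnsblog    unix  -  -  -  -  0  dnsblog
tlsproxy   unix  -  -  -  -  0  tlsproxy
submission inet  n  -  -  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# /etc/postfix/dnsbl_reply  (texthash: DNSBL site, then the reply text)
zen.spamhaus.org        zen.spamhaus.org
b.barracudacentral.org  b.barracudacentral.org
psbl.surriel.com        psbl.surriel.com
ivmsip.rbldnsd.example  dnsbl.invaluement.com
```

Check the effect with `postconf -n` and watch the mail log for postscreen DNSBL rank lines before raising weights or lowering the threshold.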