Hi Stan,

On 04/16/2012 01:27 PM, Stan Hoeppner wrote:
> On 4/16/2012 4:33 AM, Stephane Wirtel wrote:
>> Dear Postfix Jedi,
>>
>> I need your help to secure a new postfix server against SPAM flooding.
>>
>> Currently I have an old postfix based on an old debian server and for
>> some days my server has been subject to SPAM flooding (about 50k mails/hour).
> 
> How many of these 50K are entering the queue?
Yes, in fact all of them :( and now I can't send email to Gmail or Hotmail for my
customers.
> 
>> So, I have decided to reconfigure a new server with an updated
>> distribution, because the old distribution is not supported by debian (too
>> old).
> 
> Using Debian 6.0? (Squeeze)
No, in fact I just installed Ubuntu 11.10, but I can reinstall Debian 6.0
with the backports in about 15 min.
> 
>> For this new server, I am thinking of using
>> 1. SASL (authentication)
>> 2. TLS for the SMTP server.
>> 3. smtpd_client_restrictions = permit_sasl_authenticated,
>> permit_mynetworks
> 
> smtpd_RECIPIENT_restrictions - not 'client'
Why not the client? But OK for the recipient.

> 
>> 4. I use pgsql server for the domains and the mailboxes.
>> 5. postgrey and some rbl servers
> 
> Don't use postgrey.  Install Postfix 2.9.1 and configure postscreen:
> http://www.postfix.org/POSTSCREEN_README.html
I didn't know about it; I have read the description and this tool seems very
useful.
> 
> If using Debian 6 add the backports archive to /etc/apt/sources.list:
> 
> deb http://backports.debian.org/debian-backports squeeze-backports main
> 
> $ aptitude -t squeeze-backports install postfix
> 
>> I have some questions,
>> 1. is it enough ? (I think no, but if you have advice, I'm very interested)
> 
> postscreen will kill the bot traffic efficiently.  With 50K
> connections/min you do not want to use postgrey.
> 
> Install a caching DNS resolver to minimize latency.  For Debian:
> 
> $ aptitude install pdns-recursor
> 
> It will work out of the box but you may want to make some adjustments to
> settings in /etc/powerdns/recursor.conf
Good idea, I didn't use one, and I can use pdns with my pgsql server, great!
> 
>> 2. do you know some "secure" and "efficient" rbl servers ?
> 
> Spamhaus allows up to 300K queries/day:
> http://www.spamhaus.org/organization/dnsblusage/
> 
> BRBL is free but requires registration, no query limit:
> http://www.barracudacentral.org/account/register
> 
> Passive Spam Block List, no query limit:
> http://psbl.org/howto/
> 
> Pay DNSBL targeting snowshoe spam, very effective, reasonable cost,
> requires RBLDNSD or local DNS server (not just a resolver):
> http://dnsbl.invaluement.com/ivmsip/
> 
> All of these can be safely used for outright rejection.  With Postscreen
> you can do so or you can configure a basic scoring system.
> 
>> 3. Do I have to use SPF in my ns ?
> 
> Not required.  Optional.  It's so easy to add the TXT record there's no
> reason not to.  Just make sure you get it right.
> 
>> Thank you for your advice.
> 
> You're welcome.  Good luck.
> 
Thank you for your advice, it is very useful.

Is there an efficient way to know if my server is blacklisted? A reference?

Regards
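An added example, not code from this thread or from the Postfix project: it implements the "basic scoring system" Stan mentions for postscreen (the `postscreen_dnsbl_sites` syntax of `zone*weight` summed against a threshold) and, for the closing question, uses the same reversed-octet lookup to check whether your own IP is listed. The zone names `zen.spamhaus.org`, `b.barracudacentral.org` and `psbl.surriel.com` are the public zones of the operators named in the thread, and the weights and threshold are assumptions chosen for illustration; the resolver function is injectable so the scoring can be exercised offline with constructed answers.

```python
"""DNSBL lookup and postscreen-style weighted scoring (added example)."""
import ipaddress
import socket
import sys
from typing import Callable, Dict, Optional, Tuple

# Assumed configuration in postscreen_dnsbl_sites syntax ("zone" or "zone*weight").
# Weights and threshold are illustrative, not a recommendation from the thread.
POSTSCREEN_DNSBL_SITES = "zen.spamhaus.org*3 b.barracudacentral.org*2 psbl.surriel.com*2"
POSTSCREEN_DNSBL_THRESHOLD = 3

# A real DNSBL listing answers in 127.0.0.0/8; Spamhaus documents 127.255.255.0/24
# as error codes (open resolver, query limit exceeded), which must not count as a hit.
DNSBL_ANSWERS = ipaddress.ip_network("127.0.0.0/8")
DNSBL_ERRORS = ipaddress.ip_network("127.255.255.0/24")


def parse_dnsbl_sites(setting: str) -> Dict[str, int]:
    """Parse 'zone*weight zone ...' into {zone: weight}; a bare zone weighs 1."""
    weights: Dict[str, int] = {}
    for item in setting.split():
        zone, _, weight = item.partition("*")
        weights[zone] = int(weight) if weight else 1
    return weights


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name, e.g. 5.113.0.203.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 listings only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def default_resolver(name: str) -> Optional[str]:
    """Resolve an A record; NXDOMAIN (not listed) becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def lookup_listings(ip: str, weights: Dict[str, int],
                    resolve: Callable[[str], Optional[str]] = default_resolver) -> Dict[str, str]:
    """Return {zone: answer} for every zone that actually lists ip."""
    listings: Dict[str, str] = {}
    for zone in weights:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        addr = ipaddress.ip_address(answer)
        if addr not in DNSBL_ANSWERS:
            continue  # not a DNSBL reply at all (e.g. a wildcard or expired zone)
        if addr in DNSBL_ERRORS:
            continue  # error code from the list operator, not a listing
        listings[zone] = answer
    return listings


def postscreen_score(listings: Dict[str, str], weights: Dict[str, int]) -> int:
    """Sum the weights of the zones that listed the client, as postscreen does."""
    return sum(weights[zone] for zone in listings)


def is_blocked(ip: str, setting: str = POSTSCREEN_DNSBL_SITES,
               threshold: int = POSTSCREEN_DNSBL_THRESHOLD,
               resolve: Callable[[str], Optional[str]] = default_resolver) -> Tuple[bool, Dict[str, str]]:
    """Decide as postscreen would: blocked when score >= threshold."""
    weights = parse_dnsbl_sites(setting)
    listings = lookup_listings(ip, weights, resolve)
    return postscreen_score(listings, weights) >= threshold, listings


if __name__ == "__main__":
    # Usage: python dnsbl_check.py <your-public-ip>  (does live DNS lookups)
    blocked, hits = is_blocked(sys.argv[1])
    print("blocked" if blocked else "not blocked", hits)
</function_calls>```

Run it against your own outbound IP to answer the "am I blacklisted?" question per zone; because NXDOMAIN means "not listed", a zone that never answers and one that answers an error code both score zero, which is why the error range is filtered before weighting.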
