On Thu, Oct 11, 2012 at 09:57:29AM +0100, Mark Alan wrote:
> On Wed, 10 Oct 2012 10:43:47 -0500, Paul Schmehl
> <g...@stovebolt.com> wrote:
>
> > readme files, but some of this stuff is above my pay grade. I
> > get confused and am not sure what to do.
>
> In order to benefit from postscreen you need to change both
> master.cf and main.cf.
> Assuming that you are starting with a fresh Postfix install:
I would recommend the Postscreen README:
http://www.postfix.org/POSTSCREEN_README.html

I don't think copy-and-paste howtos of this nature are useful. The
administrator really does need to think and fully understand what
s/he is doing and why.

> I. To change master.cf:
> a) comment out the line that starts with smtp and ends with smtpd
> b) uncomment the lines that: start with smtpd and end in pass; or the
> lines that have the following terms in them: 'postscreen', 'dnsblog',
> 'tlsproxy'
> In a Debian/Ubuntu Linux you would only need to execute the following
> single-line command as root:
> sed -i 's,^smtp .*smtpd$,#&,;/\(smtpd .*pass\|postscreen\|dnsblog\|tlsproxy\)/s/^#//' /etc/postfix/master.cf
>
> II. To change main.cf (maybe it will be safer for you to use the
> postconf -e '' construct, instead of editing main.cf directly).
> You could start with the following:
> a) to enforce tests & log attempts
> postconf -e 'postscreen_blacklist_action = enforce'
> postconf -e 'postscreen_dnsbl_action = enforce'
> postconf -e 'postscreen_greet_action = enforce'
> b) to benefit from RBL lists
> # ( do check options at: http://www.sdsc.edu/~jeff/spam/cbc.html )

That is good advice, but it should also mention that one must be
familiar with any DNSBL's policies before entrusting it to control
access to your mailboxes. The site above has links to each DNSBL's
web pages, which describe those policies.

> postconf -e 'postscreen_dnsbl_sites = bl.spamcop.net,
> zen.spamhaus.org, dnsbl.sorbs.net'
> postconf -e 'postscreen_dnsbl_threshold = 1'

This is not good advice. Using the default postscreen_dnsbl_threshold
setting of 1 (you do not need to set that), each site will be doing
blocking of mail. Any DNSBL listing means rejection.

Spamcop is too unpredictable for outright blocking of mail. It might
prove safe enough if combined with a whitelist like list.dnswl.org,
but expect occasional problems with freemail sites if using Spamcop
in this way.
SORBS has a reputation for being aggressive, and such aggression
against spam can cause blockage of real mail. Here too I would not
suggest SORBS for use in this manner.

Zen of course is excellent. I can also recommend Barracuda's BRBL as
safe and effective for general use, but that requires you to
register, and lo and behold, that can't be covered in a copy/paste
howto!

Personally, I use postscreen_dnsbl_threshold=3 and weights in my
postscreen_dnsbl_sites. Three one-point sites, or a two-point site
plus any other, will cause mail to be blocked unless in a DNS
whitelist. I posted my config on this list in 2011:
https://groups.google.com/d/topic/mailing.postfix.users/v1bUYV98amE/

> c) to enable (more expansive) tests after the 220 SMTP greeting

The aforementioned README explains that these might have unintended
consequences. See the "Important note:" following this:
http://www.postfix.org/POSTSCREEN_README.html#after_220

> postconf -e 'postscreen_pipelining_enable = yes'
> postconf -e 'postscreen_non_smtp_command_enable = yes'
> postconf -e 'postscreen_bare_newline_action = enforce'
> postconf -e 'postscreen_bare_newline_enable = yes'
>
> All other postscreen-related settings will work rather well at
> their default values. Probably you will not need to explicitly
> set them.
>
> Finally, remember that changes at master.cf need a Postfix restart.
> A simple 'reload' won't be enough. So, after executing the above
> commands, run as root:
> /etc/init.d/postfix restart

This is a script which may (or may not) be provided by the
distributor. "postfix stop" and "postfix start" are the generic
upstream commands (this is the upstream list, not a Debian one.)
-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
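The disagreement above is about how postscreen turns DNSBL answers into a reject decision: it adds up the weights of every zone that lists the client (weight 1 unless a `*weight` suffix is given, negative weights allowed) and rejects when the sum reaches postscreen_dnsbl_threshold. The following is an added model of that arithmetic, not Postfix source code and not rob0's posted configuration. It compares the howto's three-zone, threshold-1 setting with a weighted setting; the weights, the Barracuda zone name (b.barracudacentral.org) and the list.dnswl.org reply filter are assumptions chosen to match "three one-point sites, or a two-point site plus any other ... unless in a DNS whitelist". The DNS lookups that dnsblog(8) would perform are replaced by a constructed dictionary of A records.

```python
"""
Model of postscreen's weighted DNSBL scoring (added illustration, not Postfix
code and not the poster's configuration). Weights, the Barracuda zone name and
the dnswl.org filter below are assumptions, not values from the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The howto's settings: three zones at the default weight of 1 and the default
# threshold of 1, so a listing on any single zone is enough to reject.
NAIVE_SITES = "bl.spamcop.net, zen.spamhaus.org, dnsbl.sorbs.net"
NAIVE_THRESHOLD = 1

# Weighted variant (assumed values): Zen alone blocks, BRBL needs one more
# point, Spamcop and SORBS need two more, and a dnswl.org listing with trust
# level 1..3 (A record 127.0.x.1 to 127.0.x.3) subtracts 5.
WEIGHTED_SITES = (
    "zen.spamhaus.org*3, b.barracudacentral.org*2, "
    "bl.spamcop.net*1, dnsbl.sorbs.net*1, "
    "list.dnswl.org=127.0.[0..255].[1..3]*-5"
)
WEIGHTED_THRESHOLD = 3


@dataclass(frozen=True)
class Site:
    domain: str
    reply_filter: Optional[str]  # d.d.d.d pattern, octets may be [a..b]; None = any A record
    weight: int


def parse_sites(value: str) -> List[Site]:
    """Parse a postscreen_dnsbl_sites value: domain[=d.d.d.d][*weight], comma/space separated."""
    sites = []
    for item in re.split(r"[,\s]+", value.strip()):
        if not item:
            continue
        weight = 1
        if "*" in item:
            item, weight_str = item.rsplit("*", 1)
            weight = int(weight_str)  # negative weights express a whitelist
        reply_filter = None
        if "=" in item:
            item, reply_filter = item.split("=", 1)
        sites.append(Site(item, reply_filter, weight))
    return sites


def _octet_matches(pattern: str, octet: int) -> bool:
    rng = re.fullmatch(r"\[(\d+)\.\.(\d+)\]", pattern)
    if rng:
        return int(rng.group(1)) <= octet <= int(rng.group(2))
    return int(pattern) == octet


def reply_matches(reply_filter: Optional[str], addr: str) -> bool:
    """Does a DNSBL A record satisfy the site's reply filter, e.g. 127.0.[0..255].[1..3]?"""
    if reply_filter is None:
        return True
    patterns = re.findall(r"\[\d+\.\.\d+\]|\d+", reply_filter)
    octets = addr.split(".")
    return (len(patterns) == 4 and len(octets) == 4
            and all(_octet_matches(p, int(o)) for p, o in zip(patterns, octets)))


def dnsbl_score(sites: List[Site], replies: Dict[str, List[str]]) -> int:
    """Sum the weights of every site entry whose zone returned a matching A record.

    `replies` stands in for the DNS lookups: zone -> A records returned for the
    client (missing or empty = not listed). Each site entry is counted once, a
    simplification of postscreen's per-reply accounting.
    """
    score = 0
    for site in sites:
        if any(reply_matches(site.reply_filter, a) for a in replies.get(site.domain, [])):
            score += site.weight
    return score


def verdict(sites_value: str, threshold: int, replies: Dict[str, List[str]]) -> Tuple[str, int]:
    """postscreen applies postscreen_dnsbl_action when score >= postscreen_dnsbl_threshold."""
    score = dnsbl_score(parse_sites(sites_value), replies)
    return ("reject" if score >= threshold else "pass", score)


if __name__ == "__main__":
    # Constructed lookup results for illustration, not real DNSBL data.
    cases = {
        "Spamcop only":            {"bl.spamcop.net": ["127.0.0.2"]},
        "Zen only":                {"zen.spamhaus.org": ["127.0.0.4"]},
        "Spamcop+SORBS, on dnswl": {"bl.spamcop.net": ["127.0.0.2"],
                                    "dnsbl.sorbs.net": ["127.0.0.6"],
                                    "list.dnswl.org": ["127.0.5.2"]},
        "BRBL+Spamcop":            {"b.barracudacentral.org": ["127.0.0.2"],
                                    "bl.spamcop.net": ["127.0.0.2"]},
    }
    for name, replies in cases.items():
        print(f"{name:26} naive={verdict(NAIVE_SITES, NAIVE_THRESHOLD, replies)}"
              f"  weighted={verdict(WEIGHTED_SITES, WEIGHTED_THRESHOLD, replies)}")
```

Run stand-alone, the script shows the difference the thread is arguing about: with the howto's settings a Spamcop-only listing is rejected outright, while the weighted variant lets it through at score 1, rejects a Zen listing at score 3, rejects BRBL plus Spamcop at 3, and, because the dnswl.org entry carries a negative weight, passes a client listed on both Spamcop and SORBS once it also appears on the whitelist. The `=d.d.d.d` filter matters for dnswl.org in particular: its A records encode a trust level in the last octet, and the filter keeps a level-0 answer from earning the bonus.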