On 04.03.2014 17:55, Mike McGinn wrote:
> I am getting some backscatter problems lately.
> I used to have the line:
> reject_unknown_reverse_client_hostname,
> in my smtpd_client_restrictions but I commented it out because an important
> client is on a microsoft cloud and had been having problems sending mail to
> us.

why not simply whitelist buggy microsoft servers, i.e. with an access table,
i.e. hash, cidr, regex (whatever fits best) style, and stay with
reject_unknown_reverse_client_hostname

>
> Would adding the reject_unknown_reverse_client_hostname help with the
> backscatter?

it might help a little bit, but to be exact, backscatter may reach you from
anywhere, anytime

read
http://www.postfix.org/BACKSCATTER_README.html

also you may have a look at
http://babel.de/batv.html

filtering backscatter is always a problem, study your logs to see what
"stop mech" might fit best. if typical spam is included in the backscatter,
some antispam/antivirus milter may help (SpamAssassin, clamav-milter with
sanesecurity sigs, amavisd-new ... milter)

> If it does, is there any other way to deal with these microsoft
> clouds and their screwed up reverse DNS?
>
> I am not a mailguy, our mailguy was downsized along with all the other tech
> staff except me. I write all the code here, but I have been lurking on this
> list for over a year.
>
> Thanks a bunch,
> Mike
>
> My postconf dump is below:
> alias_database = $alias_maps
> alias_maps = hash:/etc/aliases
> anvil_rate_time_unit = 180s
> biff = no
> body_checks = pcre:$config_directory/pcre.body_checks
> body_checks_size_limit = 1572864
> broken_sasl_auth_clients = yes
> command_directory = /usr/local/sbin
> config_directory = /usr/local/etc/postfix
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/db/postfix
> default_privs = nobody
> disable_vrfy_command = yes
> dovecot_destination_recipient_limit = 1
> fast_flush_domains =
> header_checks = pcre:$config_directory/pcre.header_checks
> html_directory = /usr/local/share/doc/postfix
> in_flow_delay = 1s
> inet_interfaces = $myhostname, localhost
> inet_protocols = ipv4
> local_recipient_maps = unix:passwd.byname $alias_maps
> mail_owner = postfix
> mailbox_size_limit = 0
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> message_size_limit = 67108864
> milter_default_action = accept
> mime_header_checks = pcre:$config_directory/pcre.mime_header_checks
> mydestination = $myhostname, localhost
> mydomain = $myhostname
> myhostname = mailhost.intelacom.com
> mynetworks = 162.42.195.80, 162.42.195.41, 162.42.195.148,162.42.195.134,
> 162.42.195.135, 162.42.195.136, 75.127.176.42, 75.127.176.43, 75.127.176.44,
> 127.0.0.1
> myorigin = $myhostname
> nested_header_checks =
> newaliases_path = /usr/local/bin/newaliases
> notify_classes = 2bounce, delay, resource, software
> proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
> $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
> $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
> $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
> $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
> $virtual_mailbox_domains $virtual_mailbox_maps $virtual_alias_maps
> queue_directory = /var/spool/postfix
> readme_directory = /usr/local/share/doc/postfix
> recipient_delimiter = +
> relay_domains = cdb:$config_directory/cdb.relay_domains
> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> slow_destination_concurrency_limit = 2
> slow_destination_recipient_limit = 20
> smtpd_banner = $myhostname ESMTP $mail_name
> smtpd_client_connection_count_limit = 30
> smtpd_client_connection_rate_limit = 50
> smtpd_client_port_logging = yes
> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
> check_recipient_access pcre:$config_directory/pcre.whitelist_allow,
> warn_if_reject reject_unknown_client_hostname, warn_if_reject
> reject_rbl_client bl.spamcop.net, warn_if_reject reject_rbl_client
> psbl.surriel.com, reject_rbl_client zen.spamhaus.org,
> reject_rhsbl_reverse_client dbl.spamhaus.org
> smtpd_data_restrictions = reject_multi_recipient_bounce,
> reject_unauth_pipelining, permit
> smtpd_discard_ehlo_keywords = silent-discard, dsn
> smtpd_end_of_data_restrictions = check_policy_service unix:private/checkquota
> smtpd_error_sleep_time = ${stress?1s}${stress:5s}
> smtpd_hard_error_limit = ${stress?1}${stress:20}
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
> check_recipient_access pcre:$config_directory/pcre.whitelist_allow,
> check_helo_access pcre:$config_directory/pcre.helo_access,
> reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
> reject_rhsbl_helo
> dbl.spamhaus.org
> smtpd_junk_command_limit = ${stress?1}${stress:50}
> smtpd_milters = unix:/var/run/clamav/clmilter.sock
> smtpd_recipient_limit = 300
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
> reject_unauth_destination, reject_unauth_pipelining,
> reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_exceptions_networks = $mynetworks
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
> reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_mx_access
> cidr:$config_directory/cidr.sender_mx_access, check_sender_mx_access cdb:
> $config_directory/cdb.sender_mx_access, check_recipient_access pcre:
> $config_directory/pcre.whitelist_allow, reject_rhsbl_sender dbl.spamhaus.org
> smtpd_soft_error_limit = ${stress?5}${stress:10}
> smtpd_timeout = ${stress?10s}${stress:120s}
> smtpd_tls_cert_file = /etc/ssl/mailhost.pem
> smtpd_tls_key_file = /etc/ssl/mailhost.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = no
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:
> $data_directory/smtpd_tls_session_cache
> soft_bounce = no
> spamass_destination_recipient_limit = 1
> strict_rfc821_envelopes = yes
> tls_random_source = dev:/dev/urandom
> transport_maps = cdb:$config_directory/cdb.transport_maps
> unknown_address_reject_code = 550
> unknown_client_reject_code = 550
> unknown_hostname_reject_code = 550
> unknown_local_recipient_reject_code = 550
> unverified_recipient_reject_code = 550
> unverified_sender_reject_code = 550
> virtual_alias_maps = proxy:mysql:$config_directory/virtual_alias_maps.cf
> proxy:mysql:$config_directory/virtual_catchall_maps.cf
> virtual_mailbox_domains = proxy:mysql:
> $config_directory/virtual_mailbox_domains.cf
> virtual_mailbox_maps = proxy:mysql:$config_directory/virtual_mailbox_maps.cf
> virtual_transport = dovecot
>
>

Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
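
The whitelist-then-reject ordering suggested in the reply, written out as an added example that is not part of the original thread. The table name cidr.client_whitelist and the address ranges are assumptions (RFC 5737 documentation ranges); the other restrictions are the ones from the quoted postconf dump.

```conf
# --- /usr/local/etc/postfix/cidr.client_whitelist (hypothetical file name) ---
# Constructed sample entries using RFC 5737 documentation ranges. Replace them
# with the sending ranges actually seen in the logs for the affected client.
# cidr tables are searched top to bottom and the first match wins.
# A lookup can be checked offline with:
#   postmap -q 192.0.2.10 cidr:/usr/local/etc/postfix/cidr.client_whitelist
192.0.2.0/24        OK
198.51.100.17       OK

# --- main.cf ---
# The whitelist lookup sits before reject_unknown_reverse_client_hostname, so
# listed clients are permitted before the reverse-DNS check runs and every
# other client is still subject to it. Keeping the whitelist keyed on client
# address (check_client_access) ties the exception to the connecting host
# rather than to envelope data the sender controls.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access pcre:$config_directory/pcre.whitelist_allow,
    check_client_access cidr:$config_directory/cidr.client_whitelist,
    reject_unknown_reverse_client_hostname,
    warn_if_reject reject_unknown_client_hostname,
    warn_if_reject reject_rbl_client bl.spamcop.net,
    warn_if_reject reject_rbl_client psbl.surriel.com,
    reject_rbl_client zen.spamhaus.org,
    reject_rhsbl_reverse_client dbl.spamhaus.org
```

An `OK` result here only ends evaluation of smtpd_client_restrictions; the helo, sender and recipient restriction lists, including reject_unauth_destination, are still applied to whitelisted clients.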