On 6/2/2015 6:43 PM, ts yrtrt wrote:
> I'm moving off of shared hosting to a VPS and am building up a
> Postfix server for it.
>
> I read through the docs on layers of security & protection against
> spam, viruses, and garbage in general.
>
> I decided to deploy postscreen + sender & recipient header checks +
> DKIM signing/verification, ClamAV & Spamassassin.
>
> Postscreen is working, the server's sending & receiving mail, and the
> early & light checks I added are working.
>
> I'm layering in the deeper checks now. After reading up on milters
> and such I decided to use Amavisd to handle a lot of it.
>
> Looking at banning file attachments by extension & mime type it
> looks like I can use both Postfix header_checks & mime_header_checks
> & Amavisd rules to block by EXT.
>
> Most of the flow charts of what happens when I'm getting a good
> handle on and it's pretty easy to figure out when in the flow to put
> a restriction.
>
> For these EXT checks I'm a little more fuzzy.
>
> What are the arguments for this specific type of restriction best
> being done in Postfix or in Amavisd?
>
> I also read some posts that do it in both places, but I didn't get a
> great reason for it. More like "just in case". Seems like a waste.
>
> Is this another "sooner is better" kind of restriction? Or more
> like "DEEPER is better"?
>
> Thanks a lot.
> -- TS

postfix header checks advantage - it's built in; no need for an external program.

amavisd banned file advantage - more flexible and able to block stuff that may slip past header checks.

If you already use amavisd-new to integrate spamassassin and antivirus, I would suggest using the banned files feature too.

If you're using amavisd as a content_filter rather than as an smtpd_proxy_filter, it might make sense to do the extension checks in both. But most folks now use amavisd as a proxy or milter so that unwanted mail can be rejected during SMTP rather than discarded or quarantined. Discarding is illegal in some parts of the world (and seldom a good idea anyway) and quarantine is a pain because someone has to check it.

-- Noel Jones
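
What each layer can see, as an added example that is not part of the thread: a header-only regex in the style of a Postfix mime_header_checks pattern, next to a content scan that decodes each MIME part and lists zip members, which is the kind of inspection a content filter such as amavisd performs. The extension list, function names and sample message are constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BANNED = ("exe", "scr", "bat", "com", "pif", "vbs")  # illustrative list (assumption)
SUFFIXES = tuple("." + ext for ext in BANNED)

# Header-only view, mime_header_checks style: sees declared names, nothing else.
HEADER_RE = re.compile(
    rb'^Content-(?:Disposition|Type):.*name\s*=\s*"?([^";\r\n]*\.(?:'
    + "|".join(BANNED).encode() + rb'))"?\s*(?:;|$)', re.I | re.M)

def header_hits(raw: bytes) -> list[str]:
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", raw)  # join folded header lines
    return sorted({m.group(1).decode() for m in HEADER_RE.finditer(unfolded)})

def deep_hits(raw: bytes) -> list[str]:
    """Content view: decode each MIME part and look inside zip archives."""
    hits = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename()
        if not name:
            continue
        if name.lower().endswith(SUFFIXES):
            hits.append(name)
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                hits += [f"{name}:{member}" for member in zf.namelist()
                         if member.lower().endswith(SUFFIXES)]
    return hits

def sample_message() -> bytes:
    """Constructed message: one plain attachment, one zip with a banned member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"constructed placeholder, not a program")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    raw = sample_message()
    print("header-only:", header_hits(raw), "| content scan:", deep_hits(raw))
```

The header-only pass reports just the attachment whose declared name is banned; the content scan also reports the banned member inside the archive.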