Thanks for the help, Bill.

On 16-06-06 10:24 AM, Bill Cole wrote:
> NOTE THAT 454 REPLY!

Could it be because I have soft_bounce = yes while trying to understand the outcome of my rules without losing incoming emails?

> include postconf -n rather than main.cf snippets.

Attached, apologies for not following proper procedure.

> "maps_rbl_reject_code" nowhere in the configuration.
> defer_if_reject nowhere in the configuration.
> modified package of Postfix plain vanilla Ubuntu repository.

> 1. Stop inviting spammers to come back later when their DNSBL listing
> has expired. Fix whatever is causing you to send a 454 reply instead of
> the default 554 for Zen listings.

Assuming it is soft_bounce = yes, is there a way to override it for Zen listings? Or any other way to be more fine-grained about soft bouncing?

> 2. Stop accepting mail AT ALL from IPs that have no PTR records by
> adding reject_unknown_reverse_client_hostname to
> smtpd_recipient_restrictions AFTER permit_mynetworks and
> permit_sasl_authenticated. reject_unknown_reverse_client_hostname is
> extremely safe, requires no additional DNS lookups, and stops a
> substantial amount of spam.

Added, thanks.

Postconf -n is attached. I am sure that there is a lot to criticize / improve. This personal, low-usage Postfix instance has served me well for ages. Last time I changed configuration was to add greylisting with Postgrey, seven years ago. I was forced to make changes recently because my wife's university made the (in my view bad) decision to switch to outlook.office365.com, which does not play nicely with greylisting. So I am trying to learn about current spam protection to keep this personal server going. Any hint/help is much appreciated.

Thanks,
Yuv

alias_maps = hash:/etc/aliases
alibaba = check_reverse_client_hostname_mx_access pcre:/etc/postfix/alibaba.pcre
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
ebay = check_reverse_client_hostname_mx_access pcre:/etc/postfix/ebay.pcre
html_directory = no
inet_interfaces = all
linkedin = check_reverse_client_hostname_mx_access pcre:/etc/postfix/linkedin.pcre
mailbox_size_limit = 0
message_size_limit = 20480000
milter_default_action = accept
milter_protocol = 2
mydestination = localhost x2.example.com lists.example.com
myhostname = x2.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:12301
paypal = check_reverse_client_hostname_mx_access pcre:/etc/postfix/paypal.pcre
policy-spf_time_limit = 3600s
readme_directory = no
recipient_delimiter = +
relay_recipient_maps = proxy:mysql:/etc/postfix/sql/alias.cf proxy:mysql:/etc/postfix/sql/alias_domain.cf proxy:mysql:/etc/postfix/sql/catchall.cf
relayhost =
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 2s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_milters = inet:localhost:12301
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_invalid_hostname reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_reverse_client_hostname reject_unknown_sender_domain reject_unknown_recipient_domain check_recipient_access hash:/etc/postfix/recipients check_client_access hash:/etc/postfix/client_checks reject_rbl_client zen.spamhaus.org check_policy_service unix:private/policy-spf permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_restriction_classes = ebay linkedin alibaba paypal ultra_strict
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 10
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/example.com.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
ultra_strict = reject
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/alias.cf proxy:mysql:/etc/postfix/sql/alias_domain.cf proxy:mysql:/etc/postfix/sql/catchall.cf
virtual_gid_maps = static:9999
virtual_mailbox_base = /home/postino
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/domain.cf
virtual_mailbox_limit = ${message_size_limit}0
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mailbox.cf proxy:mysql:/etc/postfix/sql/alias_domain_mailbox.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:9999
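
An added example, not part of the original message and not code from Postfix or either poster: a small Python check over `postconf -n` output that reports the two points raised in the thread, namely the reply code a DNSBL hit receives and where reject_unknown_reverse_client_hostname sits in smtpd_recipient_restrictions. The sample input is constructed from the listing above and the function names are hypothetical; it assumes soft_bounce = yes turns the leading 5 of a reject code into 4, the 454-versus-554 behaviour discussed in the thread.

```python
import re

# Constructed sample: a reduced form of the postconf -n listing in the message above.
SAMPLE = """\
soft_bounce = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination reject_unknown_reverse_client_hostname
    reject_rbl_client zen.spamhaus.org permit
"""

def parse_postconf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and last is not None:
            params[last] = (params[last] + " " + line.strip()).strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params

def dnsbl_reply_code(params):
    """Code sent for a reject_rbl_client hit: maps_rbl_reject_code (default 554),
    with the leading 5 replaced by 4 when soft_bounce = yes (assumption, see lead-in)."""
    code = params.get("maps_rbl_reject_code", "554")
    if params.get("soft_bounce", "no").lower() == "yes" and code.startswith("5"):
        code = "4" + code[1:]
    return int(code)

def lint(params):
    """Return findings for the two recommendations quoted in the thread."""
    findings = []
    code = dnsbl_reply_code(params)
    if code < 500:
        findings.append(f"DNSBL hits get a temporary {code}; listed clients will retry")
    rules = re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", "").strip())
    ptr = "reject_unknown_reverse_client_hostname"
    if ptr not in rules:
        findings.append(f"{ptr} is not in smtpd_recipient_restrictions")
    else:
        for permit in ("permit_mynetworks", "permit_sasl_authenticated"):
            if permit in rules and rules.index(permit) > rules.index(ptr):
                findings.append(f"{ptr} is evaluated before {permit}")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_postconf(SAMPLE)):
        print("WARN:", finding)
```
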