On 1/6/2012 8:35 PM, Eric Lemings wrote:
> Current 'postconf -n' output:
>
> command_directory = /usr/sbin
This is likely your default. Check with 'postconf -d command_directory'
and remove this line if it is. Don't re-specify default values in
main.cf. It simply clutters things up making sleuthing more difficult
than need be.
> config_directory = /etc/postfix
Same as above.
> daemon_directory = /usr/libexec/postfix
Possibly here as well. On Debian it's /usr/lib/postfix but on OSX it
may be libexec. If the default is libexec, remove this line.
> debug_peer_level = 2
This is the default value. Remove this line. Unless of course Apple
changed the default to another value, which they should not have.
> enable_server_options = yes
This doesn't seem to be a valid main.cf parameter. An Apple add-on I
assume.
> imap_submit_cred_file = /private/etc/postfix/submit.cred
Same here.
> inet_interfaces = all
Again, default. Remove this line.
> local_recipient_maps = proxy:unix:passwd.byname $alias_maps
Default. Remove.
> mail_owner = _postfix
Default. Remove.
> mailq_path = /usr/bin/mailq
Default. Remove.
> manpage_directory = /usr/share/man
Default. Remove.
> maps_rbl_domains =
Deprecated parameter. Remove.
> mydestination = $myhostname, localhost.$mydomain, localhost, myhost,
> $mydomain, mail
Are you sure you need all 6 of these?
> mydomain_fallback = localhost
Another Apple add-on, seems useless.
> newaliases_path = /usr/bin/newaliases
Default. Remove.
> postscreen_dnsbl_sites = zen.spamhaus.org*2 rbl-plus.mail-abuse.org
> bl.spamcop.net
Again, MAPS is a paid service. If you don't have a subscription remove.
> readme_directory = /usr/share/doc/postfix
Default. Remove.
> relayhost =
Default. Remove.
> sendmail_path = /usr/sbin/sendmail
Default. Remove.
> smtp_sasl_auth_enable = no
> smtp_sasl_password_maps =
> smtpd_enforce_tls = no
All 3 are defaults. Remove them.
> smtpd_helo_restrictions = permit_mynetworks,check_helo_access
> hash:/etc/postfix/helo_access,reject_non_fqdn_helo_hostname,
> reject_invalid_helo_hostname,permit
Consolidate your helo restrictions into recipient restrictions.
> smtpd_pw_server_security_options = cram-md5,gssapi,login,plain
Yet another Apple add-on...
> smtpd_recipient_restrictions = reject_unauth_pipelining,
> reject_non_fqdn_recipient,reject_unknown_recipient_domain,
> permit_mynetworks,permit_sasl_authenticated,
> reject_unauth_destination,reject_rhsbl_client dbl.spamhaus.org,
> reject_rhsbl_sender dbl.spamhaus.org,reject_rhsbl_helo dbl.spamhaus.org,
> reject_rbl_client zen.spamhaus.org,reject_rbl_client
> rbl-plus.mail-abuse.org,reject_rbl_client bl.spamcop.net,
> check_policy_service unix:private/policy,permit
You may want to move these first 3 after reject_unauth_destination.
Also, there's no need for an explicit permit at the end as that is the
default behavior.
> smtpd_use_pw_server = yes
Yet another Apple add-on.
> tls_random_source = dev:/dev/urandom
Default. Remove.
> unknown_local_recipient_reject_code = 550
Default. Remove.
> use_sacl_cache = yes
Another Apple add-on.
> virtual_alias_maps = $virtual_maps
Default. Remove.
I'm guessing a lot of the redundant default junk in your main.cf was
inserted by Apple (IIRC the CentOS/Red Hat people are horrible about
this as well). Thus your next package upgrade may put them right back in.
> Still quite a bit of spam getting through.
The spam making it in is probably not related to some of the changes you
should make above. Post the "connect from:" lines in your mail log of a
dozen or so of these spam connections so we can identify the sources and
recommend tools/methods to put a dent in it.
--
Stan
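
The cleanup suggested in the message above (checking each 'postconf -n' line against 'postconf -d') can be done in one pass. This is an added example, not part of the original message: a shell function that compares saved output of both commands. The function name, the three labels and the sample data are constructed for illustration.

```shell
#!/bin/sh
# classify_postconf ACTIVE_FILE DEFAULTS_FILE
#   ACTIVE_FILE   : saved output of 'postconf -n' (settings present in main.cf)
#   DEFAULTS_FILE : saved output of 'postconf -d' (built-in defaults)
# Prints one line per active parameter:
#   redundant NAME  value equals the built-in default, line can be removed
#   unknown NAME    not listed by 'postconf -d' (vendor add-on or typo)
#   custom NAME     differs from the default, keep and review
classify_postconf() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        # Split on the first "=" only, since values may contain "=".
        # Sets the globals name and value; returns 0 for non-parameter lines.
        function parse(line) {
            pos = index(line, "=")
            if (pos == 0) return 0
            name = trim(substr(line, 1, pos - 1))
            value = trim(substr(line, pos + 1))
            gsub(/[ \t]+/, " ", value)   # ignore spacing differences
            return name != ""
        }
        NR == FNR { if (parse($0)) def[name] = value; next }  # defaults file
        parse($0) {
            if (!(name in def))          print "unknown " name
            else if (def[name] == value) print "redundant " name
            else                         print "custom " name
        }
    ' "$2" "$1"
}

# Constructed sample input (not real output from the poster's system).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/defaults" <<'EOF'
debug_peer_level = 2
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
relayhost =
EOF
    cat > "$tmp/active" <<'EOF'
debug_peer_level = 2
enable_server_options = yes
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, myhost, $mydomain, mail
relayhost =
EOF
    classify_postconf "$tmp/active" "$tmp/defaults"
    rm -rf "$tmp"
}
demo
```

On a live system, save the output of 'postconf -n' and 'postconf -d' to two files and pass them in that order. The comparison is textual, so a value that only expands to the same thing as the default is still reported as custom.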