> reject_unknown_client_hostname (with Postfix < 2.3:
> reject_unknown_client)Reject the request when 1) the client IP
> address->name mapping fails, 2) the name->address mapping fails, or 3)
> the name->address mapping does not match the client IP address.
> This is a stronger restriction than the
> reject_unknown_reverse_client_hostname feature, which triggers only
> under condition 1) above.
> The unknown_client_reject_code parameter specifies the response code for
> rejected requests (default: 450). The reply is always 450 in case the address-
> >name or name->address lookup failed due to a temporary problem.
If you are using Postfix, the following smtpd_recipient_restrictions work well
for us. Note that you need to install policy-spf-python before you can use the
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender,
reject_unknown_recipient_domain, check_policy_service unix:private/policy-spf
policy-spf-python in Ubuntu is installed as follows:
sudo apt-get install postfix-policyd-spf-python
Then in your postfix master.cf you add the following:
# ==== PYTHON SPF POLICY BELOW THIS LINE. ENABLE IF YOU WISH TO USE
policy-spf unix - n n - - spawn
# === PYTHON SPF POLICY ABOVE THIS LINE ===
I'm also guessing you are using postscreen
> > Here is a blocked spamas an example:
> > X-Spam-Status: Yes, score=8.308 tag=-999 tag2=5.5 kill=7.5
> Did you receive this mail since score = 8.3?
> Pls set final_spam_destiny to D_DISCARD in this way.
> $final_spam_destiny = D_DISCARD;
> It is worth to have below 2 lines to D_DISCARD as well.
> $final_virus_destiny = D_DISCARD;
> $final_banned_destiny = D_DISCARD;
I would like to add that you should NEVER block your customers email. You don't
have to pass them to their mailbox necessarily but you should dump them to a
quarantine directory and release if needed. I have seen many situation where
the system has marked a message as spam or a virus for that matter even though
it was not and your customers are looking for that e-mail so you don't want to
be that guy. You accomplish that like as follows in your amavis conf file:
$QUARANTINEDIR = "/path/to/quarantine/directory";
$virus_quarantine_method = 'local:virus/%m';
$spam_quarantine_method = 'local:spam/%m';
$banned_files_quarantine_method = 'local:banned/%m';
$bad_header_quarantine_method = 'local:bad_header/%m';
> > score BAYES_99 4.5 # was 3.5
> > score BAYES_999 2.0 # was 0.2
> I do NOT conceder the above stuffs so much. I go with defaults.
I agree with above. Keeping with defaults is usually best. You should
concentrate on doing everything else before you start messing around with the
Hermes Secure Email Gateway
Hermes Secure Email Gateway combines Open Source technologies such as Postfix,
Apache SpamAssassin, ClamAV, Amavisd-new, MySQL and CipherMail under one
unified web based Web GUI for easy administration and management of your
incoming and ougoing email for your organization. Anti-spam, anti-virus and
anti-malware protection, encrypted S/MIME, encrypted PDF and SMTP TLS support,
built-in email archiving, end-user self-service web gui.
Download the free open-source appliance at: