Daniel L. Miller wrote:
[snip]

This is off topic here, but...


In main.cf:
smtpd_recipient_restrictions =
   reject_non_fqdn_sender,    reject_non_fqdn_recipient,

you can add
   reject_unlisted_sender, reject_unlisted_recipient

   reject_unauth_destination,
   reject_unauth_pipelining,

this is useless here. pipelining is (always) ok in RCPT stage. the goal of reject_unauth_pipelining is to reject brokenware that does not wait for the response to _synchronous_ commands (for example, nobody should send MAIL FROM before getting the response for HELO/EHLO. but RCPT is an async command). In the default postfix setup (smtpd_delay_reject=yes), reject_unauth_pipelining is only meaningful in smtpd_data_restrictions.

   reject_invalid_hostname,
   reject_rbl_client relays.ordb.org,

Zed's dead boy, zed's dead.

you should periodically check the DNSBLs you use...

   reject_rbl_client opm.blitzed.org,

dead too. but even before, it was included in xbl.spamhaus.org, which is included in sbl-xbl used below.

   reject_rbl_client list.dsbl.org,
   reject_rbl_client bl.spamcop.net,

this is probably still too aggressive for MX filtering. better used in score based systems (policyd-weight, spamassassin).

   reject_rbl_client sbl-xbl.spamhaus.org,

consider using zen.spamhaus.org instead.

   check_recipient_access hash:/etc/postfix/maps/recipient_access, // magic line

OP is trying to do per recipient filtering, but it doesn't work this way...

   permit_mynetworks,      // shouldn't need this line - try removing it

this is indeed useless here.

   permit_sasl_authenticated

this is also useless here.

/etc/postfix/maps/recipient_access:
<yourdomain.com>    FILTER lmtp:unix:/var/dspam/dspam.sock

This is not robust and may bring surprises. only one FILTER is used for each message, whatever is the number of recipients.

with the check_recipient_access filter map, only recipients matching your domain will be passed to dspam.

not really. if mail is sent to N recipients, the last FILTER applies to the whole message.

to implement per recipient filtering, you need multiple postfix instances, then use transport_maps to select the filter (instead of FILTER and content_filter).


back to dspam now. one way to "solve" the issue is to not give dspam write access to the virtual uids table. but this means OP must populate it manually (with a script).
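
Added example, not part of the original message: one way to act on "periodically check the DNSBLs you use" is to probe each reject_rbl_client zone with the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must never be). The zone names, sample main.cf fragment and DNS answers below are constructed for illustration; pass no resolver to audit() to query live DNS.

```python
import re
import socket

# Constructed sample: a main.cf fragment and the DNS answers a resolver might give.
SAMPLE_CF = """smtpd_recipient_restrictions =
   reject_unauth_destination,
   reject_rbl_client good.dnsbl.example,
   reject_rbl_client gone.dnsbl.example,
   reject_rbl_client wild.dnsbl.example,
   reject_rbl_client strict.dnsbl.example=127.0.0.4
"""
SAMPLE_DNS = {
    "2.0.0.127.good.dnsbl.example": "127.0.0.2",
    "2.0.0.127.wild.dnsbl.example": "127.0.0.2",
    "1.0.0.127.wild.dnsbl.example": "127.0.0.2",
    "2.0.0.127.strict.dnsbl.example": "127.255.255.254",
    "1.0.0.127.strict.dnsbl.example": "127.255.255.254",
}

def rbl_zones(config):
    """Zones named by reject_rbl_client (any =reply filter is dropped)."""
    return re.findall(r"reject_rbl_client\s+([A-Za-z0-9.-]+)", config)

def lookup(name):
    """Live resolver: IPv4 answer for name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def check_zone(zone, resolve=lookup):
    """Classify a zone using the RFC 5782 test entries 127.0.0.2 and 127.0.0.1."""
    listed = resolve("2.0.0.127." + zone)   # must be listed on a working list
    never = resolve("1.0.0.127." + zone)    # must never be listed
    if any(a and a.startswith("127.255.255.") for a in (listed, never)):
        return "refused"            # 127.255.255.x is an error reply on Spamhaus zones
    if never is not None:
        return "lists-everything"   # wildcard answer: every client would be rejected
    if listed is None:
        return "dead"               # test entry missing: zone gone or unreachable
    return "ok"

def audit(config, resolve=lookup):
    """Map each DNSBL zone found in config to its health status."""
    return {zone: check_zone(zone, resolve) for zone in rbl_zones(config)}

if __name__ == "__main__":
    for zone, status in audit(SAMPLE_CF, SAMPLE_DNS.get).items():
        print(f"{zone:28} {status}")
```

A zone reported as "lists-everything" is the dangerous case for reject_rbl_client, since every connecting client matches; "dead" only costs a wasted lookup per message.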
