> > Nobody has any experience/advice about this matter ??
>
> > ..... Waiting for the experts :-)
>
> No experts here but here's what I'd suggest to limit false positives and let
> Declude do the rest:
>
> reject_unauth_pipelining
> reject_unknown_recipient_domain
No need to do reject_unknown_recipient_domain twice. Get rid of the first
instance.
> reject_unauth_destination
> reject_non_fqdn_recipient
> reject_non_fqdn_sender
> reject_unknown_sender_domain
> reject_unknown_recipient_domain
> reject_invalid_hostname
>
> And the check for commonly forged domains w/rDNS that doesn't match (not
> sure what Len is calling that in the current config). Also, maybe the check
> for hosts greeting you with your own domain name or server's IP in the HELO.

This is a good minimalist config that will clean out a good deal of things.
You could add a few other things based off your present Declude setup. If
you trust certain RBLs, or always reject certain extensions, move this
from Imail/Declude to Postfix.

Because I work at an ISP, I need to have checks that will not irritate our
customers with false positives. I use the following:
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/bad_recipient.map,
    check_sender_access hash:/etc/postfix/good_sender.map,
    check_recipient_access hash:/etc/postfix/good_recipient.map,
    check_client_access hash:/etc/postfix/bad_domain.map,
    check_sender_access hash:/etc/postfix/bad_domain.map,
    check_sender_access btree:/etc/postfix/spamlist-extended.btree,
    check_client_access hash:/etc/postfix/forged_check.map,
    check_helo_access hash:/etc/postfix/helo_hostname_forged.map,
    check_client_access pcre:/etc/postfix/bad_client.pcre,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client proxies.relays.monkeys.com,
    reject_rbl_client socks.relays.osirusoft.com,
    reject_rbl_client spamhaus.relays.osirusoft.com,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    permit

Now for a short description of my maps.

/etc/postfix/bad_recipient.map
    Known bad addresses that get a lot of mail still. I plan on switching
    to the recipient verification sometime, but for now this works.

/etc/postfix/good_sender.map
    My whitelist to exempt senders.

/etc/postfix/good_recipient.map
    My whitelist to exempt postmaster@, and people that do not want
    blocking.

/etc/postfix/bad_domain.map
    A list of domain names that I do not like.

/etc/postfix/spamlist-extended.btree
    The Wirehub/Easynet SLET list. Note: I mapped as a BTree for
    performance reasons. It has a benefit in larger files under FreeBSD.

/etc/postfix/forged_check.map
    A number of more commonly forged clients.

/etc/postfix/helo_hostname_forged.map
    Test a small number of domains for forged HELO information.

/etc/postfix/bad_client.pcre
    A PCRE regular expression to strip off direct connections from some
    DSL services. I did not find the RBLs for dynamic addresses to be very
    effective. This lets me block the few that I do see regular abuse from.

--Eric
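
Added example, not part of the original thread or of anyone's message in it: a small linter for a restriction list like the ones above. It reports the repeated entry pointed out in the reply and goes one step further by flagging any check_*_access map consulted before reject_unauth_destination, since an OK from such a map would accept the recipient before the relay check is reached. The sample config is constructed, and placing good_sender.map first is a hypothetical mistake used only to trigger the ordering finding.

```python
import re

# Keywords that take an argument (only those used in this thread).
TAKES_ARG = re.compile(r"^(check_\w+_access|reject_rbl_client|reject_rhsbl_\w+)$")
RELAY = "reject_unauth_destination"

def parse_restrictions(main_cf, name="smtpd_recipient_restrictions"):
    """Return [(keyword, argument or None)] for one main.cf parameter."""
    value, collecting = [], False
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank and comment lines are skipped
        if line[0] not in " \t":          # new logical line: "name = value"
            key, _, line = line.partition("=")
            collecting = key.strip() == name
            value = [] if collecting else value
        if collecting:                    # first line or indented continuation
            value.append(line)
    tokens = [t for t in re.split(r"[,\s]+", " ".join(value)) if t]
    items, i = [], 0
    while i < len(tokens):
        has_arg = bool(TAKES_ARG.match(tokens[i])) and i + 1 < len(tokens)
        items.append((tokens[i], tokens[i + 1] if has_arg else None))
        i += 2 if has_arg else 1
    return items

def lint(items):
    """Flag repeated entries and access maps consulted before the relay check."""
    findings, seen = [], set()
    keywords = [k for k, _ in items]
    relay_at = keywords.index(RELAY) if RELAY in keywords else len(items)
    if relay_at == len(items):
        findings.append("missing " + RELAY)
    for pos, item in enumerate(items):
        if item in seen:
            findings.append(f"duplicate: {item[0]}")
        seen.add(item)
        if item[0].startswith("check_") and pos < relay_at:
            findings.append(f"{item[0]} {item[1]} runs before {RELAY}")
    return findings
# Constructed sample: the quoted list from the thread, with a hypothetical
# whitelist lookup placed first to show the ordering finding.
SAMPLE = """\
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/good_sender.map,
    reject_unauth_pipelining, reject_unknown_recipient_domain,
    reject_unauth_destination, reject_non_fqdn_recipient, reject_non_fqdn_sender,
    reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname
"""
print(lint(parse_restrictions(SAMPLE)))
```

A list ordered like the one in the message above, with permit_mynetworks and reject_unauth_destination ahead of every map lookup, produces no findings.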