David Rankin wrote:
Sandy, Carlos, Patrick
While we are on the SA and UCE issues, I thought I would run my new setup by the list and ask "Does anybody see any blatant screw-ups in my setup from an order standpoint or from a conflicting restriction standpoint?" Does it matter if smtpd_recipient_restrictions comes before smtpd_client_restrictions or smtpd_helo_restrictions? It seems to be working as I watch and check the logs. What say the gurus?
The order of appearance in main.cf does not matter.
main.cf
The best way to show the configuration of Postfix is the output of "postconf -n". If necessary, replace real domains with *.example.com and IPs with private addresses.
#tightening postfix
unknown_local_recipient_reject_code = 550
unknown_client_reject_code = 550
smtpd_hard_error_limit = 5
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_recipient_access pcre:/etc/postfix/recipient_check.pcre
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/client_check.cidr, reject_rbl_client relays.ordb.org, reject_unknown_client
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
nemesis:/etc/postfix # cat recipient_check.pcre
/^support@/ REJECT
/^info@/ REJECT
/^assistance@/ REJECT
/^root@/ REJECT
/^sales@/ REJECT
/^admin@/ REJECT
/^administrator@/ REJECT
/^mail@/ REJECT
/^accounting@/ REJECT
/^majordomo@/ REJECT
nemesis:/etc/postfix # cat client_check.cidr
58.0.0.0/8 REJECT You are unwelcome here...
60.0.0.0/8 REJECT You are unwelcome here...
61.0.0.0/8 REJECT You are unwelcome here...
81.0.0.0/8 REJECT You are unwelcome here...
82.0.0.0/8 REJECT You are unwelcome here...
83.0.0.0/8 REJECT You are unwelcome here...
84.0.0.0/8 REJECT You are unwelcome here...
85.0.0.0/8 REJECT You are unwelcome here...
86.0.0.0/8 REJECT You are unwelcome here...
87.0.0.0/8 REJECT You are unwelcome here...
121.0.0.0/8 REJECT You are unwelcome here...
122.0.0.0/8 REJECT You are unwelcome here...
124.0.0.0/8 REJECT You are unwelcome here...
126.0.0.0/8 REJECT You are unwelcome here...
169.208.0.0/16 REJECT You are unwelcome here...
190.0.0.0/8 REJECT You are unwelcome here...
193.0.0.0/8 REJECT You are unwelcome here...
195.0.0.0/8 REJECT You are unwelcome here...
196.192.0.0/16 REJECT You are unwelcome here...
200.0.0.0/8 REJECT You are unwelcome here...
201.0.0.0/8 REJECT You are unwelcome here...
202.0.0.0/8 REJECT You are unwelcome here...
203.0.0.0/8 REJECT You are unwelcome here...
210.0.0.0/8 REJECT You are unwelcome here...
211.0.0.0/8 REJECT You are unwelcome here...
217.0.0.0/8 REJECT You are unwelcome here...
218.0.0.0/8 REJECT You are unwelcome here...
219.0.0.0/8 REJECT You are unwelcome here...
220.0.0.0/8 REJECT You are unwelcome here...
222.0.0.0/8 REJECT You are unwelcome here...
Any thoughts? (Again, this is a test machine and not a production machine. I know I have several continents' worth of IP ranges excluded.)
That is exactly what I am wondering about. Wouldn't it be better to be a bit more selective about which IPs to block? If you are using such aggressive blocks, you might be better off using some restrictions that will block a lot of spam:

# Postfix 2.2 or 2.1: Blocks all HELO that do not have a FQDN
smtpd_helo_restrictions =
    permit_mynetworks
    reject_invalid_hostname
    reject_non_fqdn_hostname

For Postfix 2.3 (the stable version has been released now!) the restrictions are:

smtpd_helo_restrictions =
    permit_mynetworks
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/client_check.cidr,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client sbl-xbl.spamhaus.org
    reject_rbl_client list.dsbl.org
#   reject_rbl_client bl.spamcop.net
#   reject_unknown_client

The last two settings are VERY aggressive and can reject real mail. Use at your own risk. (^-^)

reject_non_fqdn_hostname can trip up some misconfigured servers; in that case you have to whitelist them.

If that is not sufficient to cut down spam to a comfortable level, then use a policy service and greylisting.

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
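Two points in the thread are easy to get wrong when reading logs: the position of a restriction list in main.cf has no effect on evaluation order (smtpd evaluates client, helo, sender and recipient restrictions in that fixed order, all at RCPT TO with the default smtpd_delay_reject = yes), and within one list the first restriction that returns a permit or reject ends that list only, so a permit from check_client_access does not skip the HELO or recipient checks. The following is an added example, not code from the thread or from Postfix itself: a small Python model of that evaluation, with first-match lookups over constructed cidr and pcre access tables shaped like the poster's files. The mynetworks ranges, the set of local domains, the verdict strings and the simplified "no dot means not fully qualified" HELO test are all assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed miniature access tables patterned on the thread's
# client_check.cidr / recipient_check.pcre (not the poster's real files).
CLIENT_CHECK_CIDR = """
# cidr_table(5): entries are searched in file order; the first match wins
10.0.0.0/8      OK
58.0.0.0/8      REJECT You are unwelcome here...
"""
RECIPIENT_CHECK_PCRE = """
/^support@/     REJECT
/^root@/        REJECT
"""
# Assumed site settings: $mynetworks and the domains this host accepts mail for.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
LOCAL_DOMAINS = {"example.com"}


def parse_cidr_table(text):
    """Return [(network, result)] in file order, dropping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            net, result = line.split(None, 1)
            rules.append((ipaddress.ip_network(net, strict=False), result))
    return rules


def lookup_cidr(rules, client_ip):
    """First-match lookup of a client address; None when no entry matches."""
    ip = ipaddress.ip_address(client_ip)
    return next((result for net, result in rules if ip in net), None)


def parse_pcre_table(text):
    """Return [(compiled_regex, result)] for lines of the form  /regex/  result."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = re.match(r"^/(.*?)/\s+(.*)$", line)
            rules.append((re.compile(m.group(1)), m.group(2)))
    return rules


def lookup_pcre(rules, key):
    """First regex that matches the key decides; None when nothing matches."""
    return next((result for rx, result in rules if rx.search(key)), None)


# Each restriction returns "OK" (permit), "DUNNO" (no opinion) or "REJECT ...".
def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client_ip"])
    return "OK" if any(ip in n for n in MYNETWORKS) else "DUNNO"


def check_client_access(rules):
    return lambda s: lookup_cidr(rules, s["client_ip"]) or "DUNNO"


def check_recipient_access(rules):
    return lambda s: lookup_pcre(rules, s["recipient"]) or "DUNNO"


def reject_unauth_destination(s):
    domain = s["recipient"].rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT Relay access denied"


def reject_non_fqdn_helo_hostname(s):
    # Simplified stand-in for the real check: a HELO argument without a dot
    # is treated as not fully qualified.
    return "DUNNO" if "." in s["helo"].strip(".") else "REJECT need fully-qualified hostname"


# Listed in the same order as the poster's main.cf (recipient list first) to show
# that this order is irrelevant: evaluate() walks the stages in Postfix's fixed order.
RESTRICTIONS = {
    "smtpd_recipient_restrictions": [permit_mynetworks, reject_unauth_destination,
                                     check_recipient_access(parse_pcre_table(RECIPIENT_CHECK_PCRE))],
    "smtpd_client_restrictions": [check_client_access(parse_cidr_table(CLIENT_CHECK_CIDR))],
    "smtpd_helo_restrictions": [permit_mynetworks, reject_non_fqdn_helo_hostname],
}
STAGE_ORDER = ("smtpd_client_restrictions", "smtpd_helo_restrictions", "smtpd_recipient_restrictions")


def evaluate(session, restrictions=RESTRICTIONS):
    """Model of smtpd restriction evaluation at RCPT TO (smtpd_delay_reject = yes).

    Within one list the first restriction returning OK or REJECT ends that list;
    OK only ends the list it appears in, so the next stage still runs.
    """
    for stage in STAGE_ORDER:
        for restriction in restrictions.get(stage, []):
            verdict = restriction(session)
            if verdict.startswith("REJECT"):
                return verdict
            if verdict == "OK":
                break
    return "OK"


if __name__ == "__main__":
    for sess in (
        {"client_ip": "58.1.2.3", "helo": "mail.example.net", "recipient": "bob@example.com"},
        {"client_ip": "10.1.1.1", "helo": "box", "recipient": "bob@example.com"},
        {"client_ip": "203.0.113.5", "helo": "mx.example.net", "recipient": "support@example.com"},
        {"client_ip": "203.0.113.5", "helo": "mx.example.net", "recipient": "alice@other.org"},
        {"client_ip": "192.168.1.10", "helo": "box", "recipient": "root@example.com"},
    ):
        print(sess["client_ip"], sess["helo"], sess["recipient"], "->", evaluate(sess))
```

The second session is the instructive one: the client is permitted by the cidr table ("OK"), yet its bare HELO is still rejected, because that OK ended only smtpd_client_restrictions. The last session shows the opposite: a $mynetworks host with the same bare HELO and a blocked local-part gets through, since permit_mynetworks heads both the helo and recipient lists. For the real tables on a running system, `postmap -q 58.1.2.3 cidr:/etc/postfix/client_check.cidr` and `postmap -q support@example.com pcre:/etc/postfix/recipient_check.pcre` give the same first-match answers without sending any mail.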