Mailinglist Archive: opensuse (2831 mails)

Re: [SLE] Postfix UCE, rbl, cidr and ehlo
  • From: Sandy Drobic <suse-linux-e@xxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 13 Jul 2006 05:29:52 +0200
  • Message-id: <44B5BE30.5030707@xxxxxxxxxxxxxxxxxxxxxxx>
David Rankin wrote:
> Sandy, Carlos, Patrick
>
> While we are on the SA and UCE issues, I thought I would run my new
> setup by the list and ask "Does anybody see any blatant screw-ups in my
> setup from an order standpoint or from a conflicting restriction
> standpoint?" Does it matter if smtpd_recipient_restrictions comes before
> smtpd_client_restrictions or the smtpd_helo_restrictions? It seems to be
> working as I watch and check the logs. What say the gurus?

The order of appearance in main.cf does not matter.

> main.cf

The best way to show the configuration of Postfix is the output of "postconf -n". If necessary, replace real domains with *.example.com and IPs with private addresses.

> #tightening postfix
> unknown_local_recipient_reject_code = 550
> unknown_client_reject_code = 550
> smtpd_hard_error_limit = 5
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
>     check_recipient_access pcre:/etc/postfix/recipient_check.pcre
> smtpd_client_restrictions = check_client_access
>     cidr:/etc/postfix/client_check.cidr, reject_rbl_client relays.ordb.org,
>     reject_unknown_client
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname

> nemesis:/etc/postfix # cat recipient_check.pcre
> /^support@/ REJECT
> /^info@/ REJECT
> /^assistance@/ REJECT
> /^root@/ REJECT
> /^sales@/ REJECT
> /^admin@/ REJECT
> /^administrator@/ REJECT
> /^mail@/ REJECT
> /^accounting@/ REJECT
> /^majordomo@/ REJECT
>
> nemesis:/etc/postfix # cat client_check.cidr
> 58.0.0.0/8 REJECT You are unwelcome here...
> 60.0.0.0/8 REJECT You are unwelcome here...
> 61.0.0.0/8 REJECT You are unwelcome here...
> 81.0.0.0/8 REJECT You are unwelcome here...
> 82.0.0.0/8 REJECT You are unwelcome here...
> 83.0.0.0/8 REJECT You are unwelcome here...
> 84.0.0.0/8 REJECT You are unwelcome here...
> 85.0.0.0/8 REJECT You are unwelcome here...
> 86.0.0.0/8 REJECT You are unwelcome here...
> 87.0.0.0/8 REJECT You are unwelcome here...
> 121.0.0.0/8 REJECT You are unwelcome here...
> 122.0.0.0/8 REJECT You are unwelcome here...
> 124.0.0.0/8 REJECT You are unwelcome here...
> 126.0.0.0/8 REJECT You are unwelcome here...
> 169.208.0.0/16 REJECT You are unwelcome here...
> 190.0.0.0/8 REJECT You are unwelcome here...
> 193.0.0.0/8 REJECT You are unwelcome here...
> 195.0.0.0/8 REJECT You are unwelcome here...
> 196.192.0.0/16 REJECT You are unwelcome here...
> 200.0.0.0/8 REJECT You are unwelcome here...
> 201.0.0.0/8 REJECT You are unwelcome here...
> 202.0.0.0/8 REJECT You are unwelcome here...
> 203.0.0.0/8 REJECT You are unwelcome here...
> 210.0.0.0/8 REJECT You are unwelcome here...
> 211.0.0.0/8 REJECT You are unwelcome here...
> 217.0.0.0/8 REJECT You are unwelcome here...
> 218.0.0.0/8 REJECT You are unwelcome here...
> 219.0.0.0/8 REJECT You are unwelcome here...
> 220.0.0.0/8 REJECT You are unwelcome here...
> 222.0.0.0/8 REJECT You are unwelcome here...

> Any thoughts? (Again, this is a test machine and not a production machine. I
> know I have several continents' worth of IP ranges excluded)

That is exactly what I am wondering about. Wouldn't it be better to be a bit more selective about which IPs to block?

If you are using such aggressive blocks, you might do better using some restrictions that will block a lot of spam:

# Postfix 2.2 or 2.1: Blocks all HELO that do not have a FQDN
smtpd_helo_restrictions =
    permit_mynetworks
    reject_invalid_hostname
    reject_non_fqdn_hostname

For Postfix 2.3 (stable version has been released now!) the restrictions are:
smtpd_helo_restrictions =
    permit_mynetworks
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname

smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/client_check.cidr,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client sbl-xbl.spamhaus.org
    reject_rbl_client list.dsbl.org
    # reject_rbl_client bl.spamcop.net
    # reject_unknown_client

The last two settings are VERY aggressive and can reject real mail. Use at your own risk. (^-^)
reject_non_fqdn_hostname can trip up some misconfigured servers; in that case you have to whitelist them.

If that is not sufficient to cut down spam to a comfortable level, then use a policy service and greylisting.

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
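
How much of the IPv4 address space the client_check.cidr table quoted above rejects, and how first-match lookup treats a narrower entry placed ahead of it, as an added example that is not part of the original message. The sample client addresses and the 217.10.20.0/24 exemption are constructed, and only plain `network/prefix action` lines are handled.

```python
import ipaddress

# Reconstructed from the client_check.cidr table quoted in the message:
# 28 /8 networks and 2 /16 networks, all with the same REJECT text.
SLASH8 = [58, 60, 61, 81, 82, 83, 84, 85, 86, 87, 121, 122, 124, 126, 190,
          193, 195, 200, 201, 202, 203, 210, 211, 217, 218, 219, 220, 222]
SLASH16 = ["169.208", "196.192"]
TABLE = "".join(f"{o}.0.0.0/8 REJECT You are unwelcome here...\n" for o in SLASH8)
TABLE += "".join(f"{p}.0.0/16 REJECT You are unwelcome here...\n" for p in SLASH16)

def parse_cidr_table(text):
    """Parse 'network/prefix action' lines; skip blanks and # comments."""
    rules = []
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        rules.append((ipaddress.ip_network(fields[0]), fields[1]))
    return rules

def lookup(rules, client_ip):
    """Return the action of the first matching rule, or None (no decision)."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr in net:
            return action
    return None

def rejected_fraction(rules):
    """Share of the IPv4 address space covered by REJECT rules."""
    nets = [n for n, a in rules if n.version == 4 and a.startswith("REJECT")]
    merged = ipaddress.collapse_addresses(nets)
    return sum(n.num_addresses for n in merged) / 2**32

if __name__ == "__main__":
    rules = parse_cidr_table(TABLE)
    print(f"{len(rules)} rules reject {rejected_fraction(rules):.1%} of IPv4 space")
    # Constructed sample clients, not taken from any log.
    for ip in ("217.10.20.30", "169.208.5.5", "192.0.2.10"):
        print(ip, "->", lookup(rules, ip))
    # A narrower OK entry placed first exempts one sender: first match wins.
    exempt = parse_cidr_table("217.10.20.0/24 OK\n" + TABLE)
    print("217.10.20.30 ->", lookup(exempt, "217.10.20.30"))
```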
