Ping a Specific Port

Question

Igor

Asked: 2011-09-15 04:13:24 +0800 CST2011-09-15 04:13:24 +0800 CST 2011-09-15 04:13:24 +0800 CST

Optimal parameters set for Postfix "smtpd_recipient_restrictions"

772

we've inherited the DNS from another ISP and now our mail server is bombed by about 1000 emails per minute, 99.99% of these emails are just spam. We're trying to optimize the filtering/rejecting the spam with no much luck.

What would be on your opinion the optimal set for smtpd_recipient_restrictions?

The system config: Ubuntu + Amavis + Postfix + MySQL + Fail2Ban-Postfix

Any advise is welcome!

UDPATE, 2012-08-08

On alteration of the posftix configuration as folows and configuring the Potrgey service the spam level decayed 10 times

smtpd_recipient_restrictions = 
permit_mynetworks, 
permit_sasl_authenticated, 
reject_non_fqdn_hostname, 
reject_invalid_hostname, 
reject_non_fqdn_sender, 
reject_unknown_sender_domain, 
reject_non_fqdn_recipient, 
reject_unknown_recipient_domain, 
check_policy_service inet:127.0.0.1:10023, 
reject_rbl_client zen.spamhaus.org, 
check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
reject_unauth_pipelining, 
reject_unauth_destination

enter image description here

2 Answers

Voted

mailq · Answer 1 · 2011-09-15T12:38:30+08:00

Best Answer

mailq

2011-09-15T12:38:30+08:002011-09-15T12:38:30+08:00

You order of rules is very bad. If you want to keep all of them and not add anything else, the order must be:

smtpd_recipient_restrictions = 
permit_mynetworks, 
permit_sasl_authenticated, 
reject_unauth_pipelining, 
reject_invalid_hostname, 
reject_non_fqdn_sender, 
reject_unknown_sender_domain, 
reject_unauth_destination, 
reject_unknown_recipient_domain, 
reject_rbl_client zen.spamhaus.org,
check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, 
reject_non_fqdn_recipient

And if that still is not enough then read about postscreen in http://www.postfix.org/POSTSCREEN_README.html.

6

sebokopter · Answer 2 · 2011-09-16T00:25:11+08:00

I would suggest a smtpd_recipient_restrictions similar to the following:

smtpd_recipient_restrictions = 
  # Whitelisting or blacklisting:
  check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
  # Everyone should play after rules:
  reject_non_fqdn_recipient,
  reject_non_fqdn_sender,
  reject_unknown_recipient_domain,
  reject_unknown_sender_domain,
  reject_unauth_pipelining,
  # Mails from your users:
  permit_mynetworks,
  permit_sasl_authenticated,
  # This will block mails from domains with no reverse DNS record. Will affect both spam and ham mails, but mostly spam. 
  reject_unknown_reverse_client_hostname,
  # Instead of reject_unknown_reverse_client_hostname you can also use reject_unknown_client_hostname, which is an even harder rule. 
  # Reject ugly HELO/EHLO-hostnames (could also affect regular mails):
  reject_non_fqdn_hostname,
  reject_invalid_helo_hostname,
  # Reject everything you're not responsible for:
  reject_unauth_destination,
  # Only take mails for existing accounts:
  reject_unverified_recipient,
  # DNS lookups are "expensive", therefore should be at bottom
  reject_rbl_client zen.spamhaus.org

Detailed infos on smtpd_recipient_restrictions can be found here: http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

Maybe you also want to use postgrey, postscreen, postfwd or some other policy daemon.

And also check, that you are using your amavisd-new in pre-queue mode.

Optimal parameters set for Postfix "smtpd_recipient_restrictions"

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?