Postfix and Spam filtering

#1 Tue, 06/22/2010 - 13:09
Steffan

I am using postfix with Virtualmin and am trying to follow numerous tutorials on spam prevention/handling. I have tried to apply the following to the postfix main.cf file.

smtpd_delay_reject = yes

smtpd_helo_required = yes

smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit

comment- check_helo_access hash:/usr/local/etc/postfix/helo_access,

smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination, permit

smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit

comment- check_policy_service unix:postgrey/socket,
comment- check_policy_service unix:private/spfpolicy
comment- check_policy_service inet:127.0.0.1:10023
comment- reject_rbl_client relays.ordb.org,
comment- reject_rbl_client list.dsbl.org,
comment- reject_rbl_client sbl-xbl.spamhaus.org,
comment- check_sender_access hash:/etc/postfix/sender_access,
comment- check_recipient_access hash:/etc/postfix/recipient_access,

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, permit

I had to replace the pound sign for comment with comment- because of the way this forum formats the text.

The items that are commented out are of concern. I cannot figure out how to set them right. I have the rbl in the client_restrictions but online the examples show in the recipient. Which is it? client or recipient?

Also, is there a good tutorial on configuring the HELO access file? I am migrating from EIMS and have some nice HELO rules set up there to catch a bunch of problems. I'd like to incorporate them into the postfix setup.

For the HELO:

        does not contain .
        starts with [
        contains .dynamic.
        contains .adsl.
        ends with .airtelbroadband.in
        is speedtouch.lan
        is gmail.com
        contains .pool.
        starts with adsl-
        is dsldevice.lan
        contains .dsl.

Expressions for a few of the top expressions:

Typical names for household connections contain a name followed by an IP (dashed or dotted):

        [a-zA-Z_-][0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}.
        [a-zA-Z_-][0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.

Plain IP number without [ ]:

        [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}

With the SPF handling, I keep seeing mention of a file that I am supposed to have, but it was not included in the install of CentOS 5. smtpd-policy.pl is the file that everyone mentions I need for the SPF, but it's nowhere to be found and I did not see anywhere online to download this. I have postgrey installed. Does anyone know how to make all this work? It seems it would be an optimal setup for spam prevention.

It's a long post. Sorry. I hope this will help everyone.

Thanks, Steffan

Wed, 06/23/2010 - 09:25
andreychek

Howdy,

The items that are commented out are of concern. I cannot figure out how to set them right. I have the rbl in the client_restrictions but online the examples show in the recipient. Which is it? client or recipient?

When I've set this up, I've used smtpd_recipient_restrictions like so:

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_recipient,
        reject_invalid_hostname,
        ...
        reject_rbl_client zen.spamhaus.org

Also, is there a good tutorial on configuring the HELO access file? I am migrating from EIMS and have some nice HELO rules set up there to catch a bunch of problems. I'd like to incorporate them into the postfix setup.

Well, I'm not really familiar with setting that up, specifically... you could always add some regexes using something like this in your smtpd_recipient_restrictions:

check_client_access hash:/etc/postfix/helo_client_exceptions

And then adding some regexes into "/etc/postfix/helo_client_exceptions".

However, Postfix does some of that work for you if you want to keep it simpler... you may want to tinker with some of Postfix's "reject_" lines, including "reject_invalid_hostname", "reject_non_fqdn_hostname", and "reject_unknown_sender_domain" (amongst others!).

Regarding SPF handling -- I'm not familiar with the setup you're describing there, though it appears that it would require installing and running an SPF daemon of some sort out of Postfix's master.cf.

One thing to note is that SpamAssassin provides its own SPF handling, and includes that in its various spam processing rules. It'll be a lot less work to set up, as that works out of the box :-)

-Eric
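
The HELO rules listed in the first post can be expressed as a Postfix regexp: table for check_helo_access (hash: tables do exact key lookups, not pattern matching). The script below is an added example, not code from either poster: it generates the table lines and checks sample HELO names against them. The rule-kind names, the REJECT text and the escaping of the dots in the IP-style expressions are assumptions.

```python
import re

# HELO rules copied from the first post, as (kind, value) pairs.
RULES = [
    ("not_contains", "."), ("starts_with", "["), ("contains", ".dynamic."),
    ("contains", ".adsl."), ("ends_with", ".airtelbroadband.in"),
    ("is", "speedtouch.lan"), ("is", "gmail.com"), ("contains", ".pool."),
    ("starts_with", "adsl-"), ("is", "dsldevice.lan"), ("contains", ".dsl."),
]
# The post's IP-style expressions. Assumption: the dots are meant literally,
# so they are escaped here, and the plain-IP pattern is anchored at both ends.
OCTET = "[0-9]{1,3}"
EXTRA = [
    ("dashed IP in name", "[a-zA-Z_-]" + "-".join([OCTET] * 4) + r"\."),
    ("dotted IP in name", "[a-zA-Z_-]" + r"\.".join([OCTET] * 4) + r"\."),
    ("plain IP", "^" + r"\.".join([OCTET] * 4) + "$"),
]

def ere_escape(text):
    """Backslash-escape regex metacharacters so the text matches literally."""
    return re.sub(r"([.\[\](){}*+?|^$\\])", r"\\\1", text)

def to_pattern(kind, value):
    """Translate one rule into a pattern usable in a Postfix regexp: table."""
    lit = ere_escape(value)
    return {
        "not_contains": "^[^%s]*$" % value,  # single plain character only
        "starts_with": "^" + lit,
        "contains": lit,
        "ends_with": lit + "$",
        "is": "^" + lit + "$",
    }[kind]

def patterns():
    """Return (description, pattern) pairs in table order; first match wins."""
    return [("%s %s" % (k, v), to_pattern(k, v)) for k, v in RULES] + EXTRA

def table_lines():
    """Render the table: /pattern/ REJECT text, one rule per line."""
    return ["/%s/ REJECT HELO rule: %s" % (p, d) for d, p in patterns()]

def first_match(helo):
    """Return the description of the first matching rule, or None."""
    # Postfix regexp: tables ignore case by default, so do the same here.
    return next((d for d, p in patterns() if re.search(p, helo, re.I)), None)

if __name__ == "__main__":
    print("\n".join(table_lines()))
```

Save the printed lines to a file (for example /etc/postfix/helo_access.regexp, a hypothetical name) and reference it as check_helo_access regexp:/etc/postfix/helo_access.regexp in smtpd_helo_restrictions, before the final permit. Individual names can be checked against the live table with postmap -q "localhost" regexp:/etc/postfix/helo_access.regexp.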
