Re: restricting servers: best practices (mailing.postfix.users, Mail Servers and Related)
On Friday 18 February 2005 08:59, Brian Andrus wrote:
> I am running into the issue that so very many SMTP servers are
> misconfigured that I am actually losing customers because I block
> mail from idiots who cannot follow the RFC.

Sigh. Yes.

> I block incoming mail with:
> ------snip----------------
> smtpd_client_restrictions =
>     permit_mynetworks,
>     hash:/etc/postfix/ip_access,
>     reject_unauth_pipelining,
>     reject_unknown_client,
>     reject_rbl_client relays.ordb.org

You could add:
    reject_rbl_client sbl-xbl.spamhaus.org
which I think is the best overall. Anything coming from a
Spamhaus-listed IP is either spam or (rarely) real mail from someone
who happens to be a professional spammer.

Look at other RBLs too. Spamcop is a bit more aggressive in some
cases, but I've not seen any false positives being rejected. I use
combined.njabl.org and list.dsbl.org too.

> smtpd_helo_restrictions =
>     permit_mynetworks,
>     check_helo_access hash:/etc/postfix/helo_access,

Reject anything HELO'ing with your domain name or IP address. I bet a
solid 20% of the spam I turn away uses my own IP as HELO.

> I am rejecting over 1m connections a day, processing 36k and
> delivering 7k (yes, I get HUGE spam).
> Of the 7k messages, I would say 65% are false positives.

ITYM "spam" not "false positives". I used the term "false positive"
above to refer to non-spam ("ham") which was blocked.

I think your situation is like Victor said: reject_unknown_client and
the HELO reject_whatever_hostname restrictions. Those, like you said,
block many misconfigured MTAs.

> Any advice/recommendations that could loosen this up but not open the
> floodgates?

I'm rather sensitive to false positives, myself, and the
aforementioned RBLs plus the Security Sage RHSBL are doing a good job
for me.

In addition to the RBLs I use the joewein.de domain list against
client and sender domains. That catches quite a few too.

> There are cities, government agencies, etc that are
> connecting with systems that don't use fqdn or have a reverse lookup
> for the name they do use, or don't have reverse lookup for their IPs.

And they're not about to fix it, either.

> When I find out about a problem from a user, I try contacting the
> sending admin, but with bureaucracy it often does no good.

Even if you can reach the responsible party, the chance is slim that
the problem will be understood.
-- 
mail to this address is discarded unless "/dev/rob0" or "not-spam"
is in Subject: header
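
An added example, not part of the original post: a Python script that tallies Postfix reject log lines by the restriction that produced them, so an admin can see which rule (reject_unknown_client, an RBL, the HELO table) is turning away which sender domains. The log lines are constructed samples, the reply-text patterns are assumed to be Postfix's default messages, and `classify` and `summarize` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd reject format (documentation
# addresses and example domains); they are not taken from the thread.
SAMPLE_LOG = """\
Feb 18 09:01:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<clerk@city.example> to=<user@example.com> proto=ESMTP helo=<CITYHALL>
Feb 18 09:01:07 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from host.isp.example[198.51.100.7]: 554 Service unavailable; Client host [198.51.100.7] blocked using sbl-xbl.spamhaus.org; from=<x@spam.example> to=<user@example.com> proto=SMTP helo=<host.isp.example>
Feb 18 09:01:09 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from pool.isp.example[198.51.100.9]: 554 <203.0.113.1>: Helo command rejected: Access denied; from=<y@spam.example> to=<user@example.com> proto=SMTP helo=<203.0.113.1>
Feb 18 09:02:11 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 450 Client host rejected: cannot find your hostname, [192.0.2.44]; from=<permits@agency.example> to=<user@example.com> proto=ESMTP helo=<mail>
Feb 18 09:02:30 mx postfix/smtpd[2105]: connect from unknown[192.0.2.44]
"""

# The reply text itself may contain ';' (RBL replies do), so match lazily
# up to the "; from=<" that Postfix appends after the reply.
REJECT = re.compile(
    r"reject: \w+ from \S+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) "
    r"(?P<text>.*?); from=<(?P<sender>[^>]*)>")

def classify(text):
    """Guess which restriction produced a reject from its SMTP reply text."""
    rbl = re.search(r"blocked using ([\w.-]+)", text)
    if rbl:
        return "reject_rbl_client " + rbl.group(1)
    if "cannot find your hostname" in text:
        return "reject_unknown_client"
    if "Helo command rejected" in text:
        return "check_helo_access" if "Access denied" in text else "helo hostname check"
    if "Client host rejected: Access denied" in text:
        return "client access table"
    return "other"

def summarize(log_text):
    """Return {restriction: {count, codes, sender_domains}} over reject lines."""
    out = defaultdict(lambda: {"count": 0, "codes": set(), "sender_domains": set()})
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue  # not a reject line (connect, disconnect, ...)
        entry = out[classify(m.group("text"))]
        entry["count"] += 1
        entry["codes"].add(m.group("code"))
        # A null sender is logged as from=<>; keep it visible as "<>".
        entry["sender_domains"].add(m.group("sender").rpartition("@")[2] or "<>")
    return dict(out)

if __name__ == "__main__":
    for rule, info in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(f'{info["count"]:5d}  {rule}  {sorted(info["sender_domains"])}')
```

Sender domains that show up only under reject_unknown_client or the HELO hostname checks, and never under an RBL, are the candidates for the misconfigured but legitimate senders discussed in the post.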