  #6  
Old 28th May 2013, 13:05
monkfish
Check out settings in main.cf

From an installation done yesterday the stock settings look like this:

Code:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
There are, however, a number of different restriction streams that can be set. The tighter the policy, the more trouble a rogue email has getting through. But the same is also true of valid emails... watch your logs!

This page here gives a rather good description of the various postfix smtp restrictions available: http://wiki.centos.org/HowTos/postfix_restrictions

One of my dev boxes looks like this instead:

Code:
smtpd_helo_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,

smtpd_sender_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_non_fqdn_sender
  reject_unknown_sender_domain

smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_destination,
    reject_rbl_client multi.uribl.com,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client combined.rbl.msrbl.net,
    reject_rbl_client b.barracudacentral.org
Watch out if you see a reference to using "reject_unknown_helo_hostname" - if this is set you may end up losing legitimate emails, as quite a few mail servers out there do not identify themselves properly and fall foul of this setting. Especially servers behind NAT'd firewalls that send an "internal dns name" for a helo, which cannot be resolved on the public internet.

A few linkys here:-
http://www.howtoforge.com/hardening-...or-ispconfig-3
http://support4hosting.wordpress.com...-blacklisting/

For most of the restriction settings you can use "warn_if_reject" instead, so that although a message will be passed by the MTA, an entry will be placed in the maillog showing that it would have been rejected.

Good luck with your upgrade!
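A simplified model of the restriction-list walk the post describes, added here as an example and not part of the original post or of Postfix itself: it models only a handful of the restrictions, and $mynetworks and the DNSBL answers are constructed in-memory data rather than real lookups. It shows that with the dev box's order (HELO checks before permit_mynetworks) a NAT'd host sending a bare HELO is rejected before permit_mynetworks is ever reached, and that a warn_if_reject in front of that check turns the rejection into a log line.

```python
"""Simplified model of a Postfix smtpd_*_restrictions list walk (added example).

Restrictions are evaluated left to right: the first PERMIT or REJECT decides,
a DUNNO passes to the next entry, and warn_if_reject downgrades the following
entry's REJECT to a log line plus DUNNO. Network lookups use constructed data.
"""
import ipaddress
import re

# Constructed stand-ins for $mynetworks and for DNSBL lookup results.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
RBL_LISTED = {"zen.spamhaus.org": {"203.0.113.9"}, "bl.spamcop.net": set()}
FQDN = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def _check(name, arg, s):
    """One restriction's own verdict for session s (only a subset is modelled)."""
    ip = ipaddress.ip_address(s["client_ip"])
    if name == "permit_mynetworks":
        return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"
    if name == "permit_sasl_authenticated":
        return "PERMIT" if s.get("sasl_authenticated") else "DUNNO"
    if name in ("reject_non_fqdn_helo_hostname", "reject_non_fqdn_hostname"):
        return "DUNNO" if FQDN.match(s["helo"]) else "REJECT"
    if name == "reject_rbl_client":
        return "REJECT" if s["client_ip"] in RBL_LISTED.get(arg, set()) else "DUNNO"
    return "DUNNO"  # anything not modelled is treated as "no opinion"

def evaluate(restrictions, session):
    """Return (final decision, log lines) as the list walk would produce them."""
    log, warn_only = [], False
    for item in restrictions:
        name, _, arg = item.partition(" ")
        if name == "warn_if_reject":
            warn_only = True  # modifies only the next restriction
            continue
        verdict = _check(name, arg, session)
        if verdict == "REJECT" and warn_only:
            log.append(f"reject_warning: {item} would have rejected the client")
            verdict = "DUNNO"
        warn_only = False
        if verdict != "DUNNO":
            log.append(f"{verdict} by {item}")
            return verdict, log
    return "PERMIT", log  # end of list reached: Postfix permits

# Order taken from the post's dev box: strict HELO check before permit_mynetworks.
DEV_ORDER = ["reject_non_fqdn_hostname", "permit_mynetworks", "permit_sasl_authenticated",
             "reject_rbl_client zen.spamhaus.org", "reject_rbl_client bl.spamcop.net"]
NAT_HOST = {"client_ip": "192.0.2.10", "helo": "WORKSTATION01", "sasl_authenticated": False}
LISTED_HOST = {"client_ip": "203.0.113.9", "helo": "mail.example.net", "sasl_authenticated": False}
```

Putting "permit_mynetworks" in front of DEV_ORDER (the stock order from the first main.cf) lets the same NAT'd host through, which is the ordering point to keep in mind when tightening a live server.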