[SLL] Postfix anti-spam configuration
Kurt Buff
kurt.buff at gmail.com
Tue Jan 16 17:15:17 PST 2007
On 1/16/07, Jules Agee <julesa at pcf.com> wrote:
> Hi everyone,
> We've been using Sendmail + SpamAssassin on our internet mail gateway
> for years now, and now we're switching to Postfix, postgrey, and SA.
> This is a gateway for a few hundred users, and I want to err on the side
> of caution: zero rejected legitimate messages. I don't use any RBLs for
> outright rejection, I just configure spamassassin to raise the spam
> score on an RBL hit -- conservative all the way. This gateway is
> strictly for incoming Internet mail, I don't expect to see any
> connections directly from mail client software.
>
> What Postfix options have you found to be effective that have a very low
> false positive rate? Can I use all the options below without expecting
> torches and pitchforks at the office door because of rejected legit
> mail? I'll use warn_if_reject at first, to prevent the torches and
> pitchforks scenario, but any comments would be very much appreciated.
>
> disable_vrfy_command = yes
> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
>     permit_mynetworks,
>     reject_non_fqdn_hostname,
>     reject_invalid_hostname,
>     check_helo_access hash:/etc/postfix/helo_checks,
>     permit
> # note: helo_checks will just reject localhost, my IP, my hostname
> smtpd_data_restrictions =
>     permit_mynetworks,
>     reject_unauth_pipelining,
>     permit
> smtpd_sender_restrictions =
>     permit_mynetworks,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     permit
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     reject_unauth_destination,
>     permit
>
> Thanks!!!
> -Jules
Two suggestions:
1) Get The Book of Postfix (ISBN 1-59327-001-1), which is undergoing a
reprint to correct errors, with a second edition to come soon. This
will get you up and running very quickly, with some excellent
suggestions up front to tighten up your config. Damn fine book, and
I'll be buying the 2nd edition as soon as it comes out.
2) Take a close look at Maia Mailguard
(http://www.renaissoft.com/maia/) - I'll be implementing this, which
fits over the top of Postfix/SpamAssassin/ClamAV/Amavisd-new to
provide lots of goodness, like self-service for end-users. I'm pretty
stoked about it.
Kurt
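
An added example, not part of either post: when a restriction is prefixed with `warn_if_reject`, Postfix logs `reject_warning` and still accepts the mail, so the trial period mentioned in the quoted question can be scored from the mail log before any restriction is enforced. This Python script tallies the would-be rejections; the log lines are constructed samples and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample smtpd log lines. The fourth is a real reject (no
# warn_if_reject on that restriction) and must not be counted.
SAMPLE_LOG = """\
Jan 16 17:01:02 gw postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Jan 16 17:01:03 gw postfix/smtpd[2101]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 504 <pc1>: Helo command rejected: need fully-qualified hostname; from=<a@example.org> to=<u1@example.com> proto=SMTP helo=<pc1>
Jan 16 17:02:10 gw postfix/smtpd[2102]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.11]: 504 <laptop>: Helo command rejected: need fully-qualified hostname; from=<c@example.org> to=<u2@example.com> proto=SMTP helo=<laptop>
Jan 16 17:03:44 gw postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 <x@other.example>: Relay access denied; from=<s@example.net> to=<x@other.example> proto=SMTP helo=<mail.example.net>
Jan 16 17:04:51 gw postfix/smtpd[2104]: NOQUEUE: reject_warning: RCPT from mx.example.net[203.0.113.5]: 450 <bob@nodomain.invalid>: Sender address rejected: Domain not found; from=<bob@nodomain.invalid> to=<u2@example.com> proto=ESMTP helo=<mx.example.net>
"""

# Matches only reject_warning lines; the enhanced status code (e.g. 5.5.2)
# is optional because it depends on the Postfix version.
WARN_RE = re.compile(
    r"NOQUEUE: reject_warning: (?P<stage>\S+) from (?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"\d{3} (?:\d\.\d+\.\d+ )?<(?P<subject>[^>]*)>: (?P<kind>[A-Za-z ]+) rejected: "
    r"(?P<reason>[^;]+); from=<(?P<sender>[^>]*)>"
)


def parse_warnings(log_text):
    """Return one dict per would-be rejection (reject_warning lines only)."""
    return [m.groupdict() for m in map(WARN_RE.search, log_text.splitlines()) if m]


def tally(log_text):
    """Count would-be rejections per (restriction class, reason)."""
    return Counter((w["kind"], w["reason"]) for w in parse_warnings(log_text))


def senders_to_review(log_text):
    """Envelope senders whose mail would have been refused; check by hand."""
    return sorted({w["sender"] for w in parse_warnings(log_text) if w["sender"]})


if __name__ == "__main__":
    for (kind, reason), n in tally(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {kind}: {reason}")
    print("review:", ", ".join(senders_to_review(SAMPLE_LOG)))
```

Any sender in the review list that turns out to be a legitimate correspondent is a false positive for the restriction that flagged it.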