| 1 |
> > Do you think this postfix anti-spam configuration is OK: |
| 2 |
> > |
| 3 |
> > smtpd_delay_reject = yes |
| 4 |
> > smtpd_helo_required = yes |
| 5 |
> > smtpd_helo_restrictions = |
| 6 |
> > permit_mynetworks, |
| 7 |
> > reject_non_fqdn_hostname, |
| 8 |
> > reject_invalid_hostname, |
| 9 |
> > permit |
| 10 |
> |
| 11 |
> I'd be careful with non_fqdn_hostname |
| 12 |
|
| 13 |
What's wrong with that? Here's how the postfix docs describe it: |
| 14 |
|
| 15 |
reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname) |
| 16 |
Reject the request when the HELO or EHLO hostname is not in |
| 17 |
fully-qualified domain form, as required by the RFC. |
| 18 |
|
| 19 |
> > smtpd_sender_restrictions = |
| 20 |
> > permit_mynetworks, |
| 21 |
> > reject_non_fqdn_sender, |
| 22 |
> > reject_unknown_sender_domain, |
| 23 |
> > permit |
| 24 |
> > smtpd_recipient_restrictions = |
| 25 |
> > permit_mynetworks, |
| 26 |
> > reject_non_fqdn_recipient, |
| 27 |
> > reject_unknown_recipient_domain, |
| 28 |
> > reject_unauth_destination, |
| 29 |
> > permit |
| 30 |
> |
| 31 |
> That's pretty much what I run and you might want to look at |
| 32 |
> smtpd_data_restrictions as well. |
| 33 |
|
| 34 |
What do you use with smtpd_data_restrictions? I was considering |
| 35 |
reject_unauth_pipelining but the docs have me confused with the "Note" |
| 36 |
below: |
| 37 |
|
| 38 |
reject_unauth_pipelining |
| 39 |
Reject the request when the client sends SMTP commands ahead of time |
| 40 |
where it is not allowed, or when the client sends SMTP commands ahead |
| 41 |
of time without knowing that Postfix actually supports ESMTP command |
| 42 |
pipelining. This stops mail from bulk mail software that improperly |
| 43 |
uses ESMTP command pipelining in order to speed up deliveries. |
| 44 |
Note: reject_unauth_pipelining is not useful outside |
| 45 |
smtpd_data_restrictions when 1) the client uses ESMTP (EHLO instead of |
| 46 |
HELO) and 2) with "smtpd_delay_reject = yes" (the default). The use of |
| 47 |
reject_unauth_pipelining in the other restriction contexts is |
| 48 |
therefore not recommended. |
| 49 |
|
| 50 |
> > Would it be OK to remove the following aliases since I never use them: |
| 51 |
> |
| 52 |
> It's good form to keep them on your server and compile with the relvent |
| 53 |
> RFC which specifies these. |
| 54 |
|
| 55 |
Those aliases must be bringing in some spam though. |
| 56 |
|
| 57 |
- Grant |
| 58 |
-- |
| 59 |
gentoo-user@g.o mailing list |
Archives