Performance

Glenn Steen glenn.steen at gmail.com
Thu Feb 1 02:17:18 CET 2007


On 31/01/07, Peter Russell <pete at enitech.com.au> wrote:
(snip)
> >> PostFix Configuration:
> >> [root at mx1 ~]# postconf -n
> >> canonical_maps = hash:/etc/postfix/canonical
> >> config_directory = /etc/postfix
> >> disable_vrfy_command = yes
> >> hash_queue_names = ""
> >> header_checks = regexp:/etc/postfix/header_checks
> >> masquerade_exceptions = root
> >> message_size_limit = 51200000
> >> mydomain = schmerold.com
> >> myhostname = mx1.schmerold.com
> >> mynetworks = 127.0.0.0/8 65.16.251.208/29
> >> relay_domains = katy.com katy.net katycomputer.com  schmerold.com
> > Why is there no "companion" relay_recipient_maps? You should reject
> > unknown recipients.
> >
> >> smtpd_data_restrictions = reject_unauth_pipelining, permit
> >> smtpd_helo_required = yes
> > Here you should perhaps have a
> > smtpd_helo_restrictions = permit_mynetworks, check_helo_access
> > hash:/etc/postfix/deny_domain_spoof
> > Where the deny_domain_spoof is simply an access file detailing the
> > domains and IP addresses you relay for like "katy.com REJECT". Will be
> > perfectly safe to use.
>
> Glenn - should he have REJECT for domains he relays for?
Yes. The thinking here is to REJECT anyone pretending to be either
your domain (your MX) or any of the "internal/trusted" IP addresses,
unless they really are... The permit_mynetworks takes care of not
rejecting things that shouldn't be rejected:).
As said, perfectly safe;-).
This one rejects a few every day.

> I am interested
> in tweaking my postfix config myself. Any chance one of the postfix
> gurus like yourself would post up your main.cf with some comments on
> your anti spam settings?
Will have to sanitise it a bit (don't want to spread any "secrets":-),
but sure... It's really not that exciting reading... I got a lot of it
from the UCE links over at www.postfix.org, with some slight
adaptations to my needs... And to complete the picture one would have
to have some other files too (access maps, perhaps some scripts). I'll
see what I can do over the next few days (am pretty busy with real
work... Providing SSL Explorer (yay!) to the "unwashed masses" at work
(inc yet another upgrade), fiddling a bit with Oracle, testing the
latest MS beta/stable... all for tomorrow. And squeeze in a doctor's
appointment somewhere too):-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
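
Added example (not part of the original message, and not Postfix code): a simplified Python model of the evaluation order discussed above, `permit_mynetworks` first and then `check_helo_access` against a `deny_domain_spoof` map, showing why a REJECT entry for a relayed domain does not hit trusted hosts. The map contents, the function names and the outside client addresses are constructed for illustration; the parent-domain search is an approximation of Postfix's access-map lookup.

```python
import ipaddress

# Values taken from the postconf output quoted in the thread.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "65.16.251.208/29")]

# Constructed model of /etc/postfix/deny_domain_spoof: one "domain REJECT"
# line per relayed domain (relay_domains from the thread).
DENY_DOMAIN_SPOOF = {
    "katy.com": "REJECT",
    "katy.net": "REJECT",
    "katycomputer.com": "REJECT",
    "schmerold.com": "REJECT",
}

def helo_lookup_keys(helo):
    """Full HELO name first, then each parent domain (simplified model of
    the access-map search with subdomain matching enabled)."""
    labels = helo.strip().lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def evaluate_helo(client_ip, helo):
    """Model of: smtpd_helo_restrictions = permit_mynetworks,
    check_helo_access hash:/etc/postfix/deny_domain_spoof"""
    ip = ipaddress.ip_address(client_ip)
    # 1. permit_mynetworks: trusted clients stop here and never reach the map.
    if any(ip in net for net in MYNETWORKS):
        return ("OK", "permit_mynetworks")
    # 2. check_helo_access: an outside client claiming one of our names is rejected.
    for key in helo_lookup_keys(helo):
        if DENY_DOMAIN_SPOOF.get(key) == "REJECT":
            return ("REJECT", key)
    # 3. No match: later restrictions decide.
    return ("DUNNO", None)

if __name__ == "__main__":
    # Constructed sample sessions: (client IP, HELO argument).
    sessions = [
        ("65.16.251.210", "mx1.schmerold.com"),  # own host inside mynetworks
        ("203.0.113.25", "katy.com"),            # outside host using a relayed domain
        ("203.0.113.25", "MAIL.Katy.NET."),      # case and trailing dot are normalised
        ("198.51.100.7", "mail.example.org"),    # unrelated outside host
    ]
    for ip, helo in sessions:
        print(ip, helo, evaluate_helo(ip, helo))
```

Swapping the two steps in `evaluate_helo` makes the first sample session return REJECT, which is the failure the `permit_mynetworks` ordering prevents.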

