Performance

Glenn Steen glenn.steen at gmail.com
Thu Feb 1 11:10:36 CET 2007


On 01/02/07, Peter Russell <pete at enitech.com.au> wrote:
>
>
> Glenn Steen wrote:
> > On 31/01/07, Peter Russell <pete at enitech.com.au> wrote:
(snip even more)
> >> >> relay_domains = katy.com katy.net katycomputer.com  schmerold.com
> >> > Why is there no "companion" relay_recipient_maps? You should reject
> >> > unknown recipients.
> >> >
> >> >> smtpd_data_restrictions = reject_unauth_pipelining, permit
> >> >> smtpd_helo_required = yes
> >> > Here you should perhaps have a
> >> > smtpd_helo_restrictions = permit_mynetworks, check_helo_access
> >> > hash:/etc/postfix/deny_domain_spoof
> >> > Where the deny_domain_spoof is simply an access file detailing the
> >> > domains and IP addresses you relay for like "katy.com REJECT". Will be
> >> > perfectly safe to use.
> >>
> >> Glenn - should he have REJECT for domains he relays for?
> > Yes. The thinking here is to REJECT anyone pretending to be either
> > your domain (your MX) or any of the "internal/trusted" IP addresses,
> > unless they really are... The permit_mynetworks take care of not
> > rejecting things that shouldn't be rejected:).
> > As said, perfectly safe;-).
> > This one rejects a few every day.
>
> Sorry for the questions, but I am trying to stop some of the low scoring
> spam I keep getting through - I am sure some tweaking will get it.
Quite OK.
> How do you check if these have blocked some spam? grep the maillog?
Well more or less:-). It's the beauty of pflogsumm ... It'll summarize
all rejections by at what stage and "reason"... like this (this is for
yesterday):
message reject detail
---------------------
  RCPT
    Helo command rejected: Access denied (total: 50)
           3   83.173.153.170  (clients-865241583854se at nordea.se)
           3   83.239.72.30  (wkihudxroacna at dirtydavid.every1.net)
...
(The first one there is a Nordea Phish, or rather three... that I
spend no more resources on;-)
These "Access denied at helo" are the ones trying to pretend they are
us. Similarly you'll get
    Helo command rejected: Invalid name (total: 9)
    Helo command rejected: need fully-qualified hostname (total: 374)
    Recipient address rejected: User unknown in relay recipient table
(total: 233)
    Relay access denied (total: 41)
    Sender address rejected: Access denied (total: 35)
... All those 700-odd rejections on a total incoming of 3800. Most of
the above are pretty obviously from "reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient", and I also apply the deny_domain_spoof in
the sender_restrictions, which accounts for those 35 rejections.

To keep "on top of things" I've cron'd a couple of pflogsumm runs like this:
3 0 * * * /usr/local/bin/pflsum_yday
10 4 * * 0 /usr/local/bin/pflsum_week
# cat /usr/local/bin/pflsum_yday
#!/bin/bash
# Postfix log summary analysis per yesterday
/bin/cat /var/log/syslog | /usr/local/bin/pflogsumm -i -d yesterday \
    --problems_first --rej_add_from --zero_fill > \
    /var/www/html/pflogsumm/pflogsumm-$(date +%Y%m%d).txt 2>&1
# cat /usr/local/bin/pflsum_week
#!/bin/bash
# Postfix log summary analysis per last week
/bin/zcat /var/log/syslog.1.gz | /usr/local/bin/pflogsumm -i \
    --problems_first --rej_add_from --zero_fill > \
    /var/www/html/pflogsumm/pflogsumm-week-$(date +%Y%m%d).txt 2>&1
#
And I then have a small PHP script to present those on a webpage...
For my disabled-by-windoze colleagues:-).

> >
> >> I am interested
> >> in tweaking my postfix config myself. Any chance one of the postfix
> >> gurus like your self would post up your main.cf with some comments on
> >> your anti spam settings?
> > Will have to sanitise it a bit (don't want to spread any "secrets":-),
> > but sure... It's really not that exciting reading... <snip>   And squeeze in a doctor's
> > appointment somewhere too):-).
> >
>
> That's cool - just figured some already tested and explained MTA set ups
> would stop some of the easier spam. Appreciate any help you can offer.
> No rush :)
:-)

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
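
The HELO anti-spoofing rule discussed in the message above (permit_mynetworks followed by check_helo_access against a deny_domain_spoof table) can be traced offline. The following is an added example, not Postfix source and not from the thread: it models the restriction list and the lookup order documented in access(5) for host names and address literals, so you can see why internal clients pass and outsiders claiming to be one of your domains or your MX address are rejected. The relay domains come from the thread; the mynetworks ranges and the MX address 203.0.113.25 are constructed for the example.

```python
"""Model of:

    smtpd_helo_restrictions = permit_mynetworks,
        check_helo_access hash:/etc/postfix/deny_domain_spoof

Added example, not Postfix code.  Networks and MX address are constructed.
"""
import ipaddress

MYNETWORKS = ["127.0.0.0/8", "192.168.10.0/24"]      # assumed mynetworks

# Contents of the assumed /etc/postfix/deny_domain_spoof access file:
# the domains relayed for (from the thread) plus the public MX address
# (constructed), each mapped to REJECT, as postmap would load them.
DENY_DOMAIN_SPOOF = {
    "katy.com": "REJECT",
    "katy.net": "REJECT",
    "katycomputer.com": "REJECT",
    "schmerold.com": "REJECT",
    "203.0.113.25": "REJECT",
}


def in_mynetworks(client_ip):
    """permit_mynetworks: is the connecting client inside a trusted network?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in MYNETWORKS)


def helo_access_lookup(table, helo):
    """check_helo_access lookup order from access(5).

    Host name: the full name, then each parent domain in turn, because
    parent_domain_matches_subdomains includes smtpd_access_maps by
    default (so a "katy.com" entry also matches "mail.katy.com").
    Address literal "[a.b.c.d]": the address, then a.b.c, a.b and a.
    Returns the table action, or None when nothing matches.
    """
    name = helo.strip().lower()
    if name.startswith("[") and name.endswith("]"):
        literal = name[1:-1]
        if literal.startswith("ipv6:"):      # IPv6 literals are out of scope here
            return None
        octets = literal.split(".")
        candidates = [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    else:
        labels = name.split(".")
        candidates = [".".join(labels[i:]) for i in range(len(labels))]
    for key in candidates:
        if key in table:
            return table[key]
    return None


def helo_decision(client_ip, helo):
    """Walk the restriction list in order; the first match decides.

    With the default smtpd_delay_reject = yes, Postfix enforces this
    result at RCPT TO, which is why these rejections appear under
    "RCPT" in pflogsumm's message reject detail.
    """
    if in_mynetworks(client_ip):
        return "permit_mynetworks"
    if helo_access_lookup(DENY_DOMAIN_SPOOF, helo) == "REJECT":
        return "REJECT"
    return "DUNNO"     # end of this list: later restriction lists decide


if __name__ == "__main__":
    for ip, helo in [("192.168.10.5", "katy.com"),
                     ("198.51.100.7", "mail.katy.com"),
                     ("198.51.100.7", "[203.0.113.25]"),
                     ("198.51.100.7", "mx.example.org")]:
        print(f"{ip:15} helo={helo:18} -> {helo_decision(ip, helo)}")
```

The point to take from the model is the ordering: permit_mynetworks must come first, otherwise your own clients (which legitimately say HELO with your domain) would hit the REJECT entries. A client that is not in mynetworks and names a domain that is not in the table falls through with DUNNO, so the rule never rejects anything it was not told about.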


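The question "How do you check if these have blocked some spam? grep the maillog?" is answered above with pflogsumm's "message reject detail". The following is an added example, not pflogsumm and not code from the thread: it parses Postfix "NOQUEUE: reject:" lines directly and produces the same kind of summary, grouped by SMTP stage and reject reason, with the per-client sender detail that --rej_add_from adds. The log lines embedded in SAMPLE_LOG are constructed in Postfix 2.x syslog format using documentation addresses; only the reject reasons are those quoted in the message.

```python
"""pflogsumm-style "message reject detail" from raw Postfix log lines.

Added example, not pflogsumm itself.  SAMPLE_LOG is constructed.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Feb  1 00:12:07 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[198.51.100.20]: 554 5.7.1 <mail.katy.com>: Helo command rejected: Access denied; from=<clients-1234@nordea.example> to=<pete@katy.com> proto=ESMTP helo=<mail.katy.com>
Feb  1 00:12:09 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[198.51.100.20]: 554 5.7.1 <mail.katy.com>: Helo command rejected: Access denied; from=<clients-1234@nordea.example> to=<bob@katy.com> proto=ESMTP helo=<mail.katy.com>
Feb  1 01:40:51 mx postfix/smtpd[4720]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 504 5.5.2 <pc17>: Helo command rejected: need fully-qualified hostname; from=<x@example.net> to=<pete@katy.com> proto=SMTP helo=<pc17>
Feb  1 02:03:11 mx postfix/smtpd[4725]: NOQUEUE: reject: RCPT from mail.example.org[203.0.113.44]: 550 5.1.1 <nobody@katy.net>: Recipient address rejected: User unknown in relay recipient table; from=<list@example.org> to=<nobody@katy.net> proto=ESMTP helo=<mail.example.org>
Feb  1 02:15:00 mx postfix/smtpd[4730]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 554 5.7.1 <victim@example.com>: Relay access denied; from=<spam@example.net> to=<victim@example.com> proto=SMTP helo=<dsl-77.example.net>
Feb  1 03:22:45 mx postfix/smtpd[4733]: NOQUEUE: reject: RCPT from unknown[198.51.100.88]: 554 5.7.1 <ceo@katy.com>: Sender address rejected: Access denied; from=<ceo@katy.com> to=<pete@katy.com> proto=ESMTP helo=<[198.51.100.88]>
Feb  1 03:30:02 mx postfix/smtpd[4733]: connect from unknown[198.51.100.88]
"""

# Stage (RCPT, MAIL, DATA ...), client host and address, SMTP reply
# code, the rejected object in <...>, the reason text up to ';', and
# the envelope sender Postfix appends after it.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: (?P<stage>[A-Z]+) from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?:\d\.\d\.\d )?<[^>]*>: (?P<reason>[^;]+);"
    r"(?: from=<(?P<sender>[^>]*)>)?"
)


def parse_rejects(log_text):
    """Yield one dict per reject line; non-reject lines are skipped."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.groupdict()


def summarise(log_text):
    """Return {stage: {reason: Counter((client_ip, sender) -> n)}}."""
    detail = defaultdict(lambda: defaultdict(Counter))
    for r in parse_rejects(log_text):
        detail[r["stage"]][r["reason"]][(r["ip"], r["sender"] or "")] += 1
    return detail


def reason_totals(detail):
    """Flatten the per-stage detail to {reason: total}, like pflogsumm's totals."""
    totals = Counter()
    for reasons in detail.values():
        for reason, clients in reasons.items():
            totals[reason] += sum(clients.values())
    return totals


def render(detail):
    """Format in the layout pflogsumm uses for message reject detail."""
    out = ["message reject detail", "---------------------"]
    for stage in sorted(detail):
        out.append(f"  {stage}")
        by_volume = sorted(detail[stage].items(), key=lambda kv: -sum(kv[1].values()))
        for reason, clients in by_volume:
            out.append(f"    {reason} (total: {sum(clients.values())})")
            for (ip, sender), n in clients.most_common():
                out.append(f"      {n:4d}   {ip}  ({sender})")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarise(SAMPLE_LOG)))
```

Two things worth noticing when reading such a summary: every entry lands under RCPT, even the HELO and sender rejections, because smtpd_delay_reject defaults to yes and Postfix only enforces earlier-stage restrictions once it has seen RCPT TO; and the "(sender)" column is the envelope sender the client claimed, which for a HELO spoof attempt is as untrustworthy as the HELO itself, so treat it as a label for grouping rather than an identity.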