Performance

Peter Russell pete at enitech.com.au
Fri Feb 2 00:23:35 CET 2007



Glenn Steen wrote:
> On 01/02/07, Peter Russell <pete at enitech.com.au> wrote:
>>
>>
>> Glenn Steen wrote:
>> > On 31/01/07, Peter Russell <pete at enitech.com.au> wrote:
> (snip even more)
>> >> >> relay_domains = katy.com katy.net katycomputer.com  schmerold.com
>> >> > Why is there no "companion" relay_recipient_maps? You should reject
>> >> > unknown recipients.
>> >> >
>> >> >> smtpd_data_restrictions = reject_unauth_pipelining, permit
>> >> >> smtpd_helo_required = yes
>> >> > Here you should perhaps have a
>> >> > smtpd_helo_restrictions = permit_mynetworks, check_helo_access
>> >> > hash:/etc/postfix/deny_domain_spoof
>> >> > Where the deny_domain_spoof is simply an access file detailing the
>> >> > domains and IP addresses you relay for like "katy.com REJECT". Will be
>> >> > perfectly safe to use.
>> >>
>> >> Glenn - should he have REJECT for domains he relays for?
>> > Yes. The thinking here is to REJECT anyone pretending to be either
>> > your domain (your MX) or any of the "internal/trusted" IP addresses,
>> > unless they really are... The permit_mynetworks take care of not
>> > rejecting things that shouldn't be rejected:).
>> > As said, perfectly safe;-).
>> > This one rejects a few every day.

Thanks Glenn, I implemented the changes you suggested and now I get 
legitimate hosts being blocked.

postfix/smtpd[10874]: warning: 203.35.216.230: hostname gateway.davidjones.com.au verification failed: Name or service not known

I will leave off making any more MTA changes until one of the clever 
cloggs can post up some tips...

Thanks
Pete
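
An added sketch, not part of the original thread and not Postfix's own code, modelling how the quoted `smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/deny_domain_spoof` treats a HELO name. The networks and client addresses are constructed sample values, and the parent-domain matching is a simplified assumption about the default `parent_domain_matches_subdomains` behaviour.

```python
import ipaddress

# Constructed sample values: documentation address ranges. The domain is the
# one from the relay_domains line quoted in the thread.
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]
DENY_DOMAIN_SPOOF = {"katy.com": "REJECT", "192.0.2.10": "REJECT"}


def in_mynetworks(client_ip, networks=MYNETWORKS):
    """True when the connecting client address is inside a trusted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def helo_access_lookup(helo, table=DENY_DOMAIN_SPOOF):
    """Look up the full HELO name first, then each parent domain.

    Simplified model: a key such as katy.com also covers mail.katy.com.
    The bare top-level label is never tried as a parent.
    """
    name = helo.lower().rstrip(".")
    labels = name.split(".")
    for i in range(max(1, len(labels) - 1)):
        key = ".".join(labels[i:])
        if key in table:
            return table[key]
    return None


def helo_decision(client_ip, helo):
    """Evaluate the two restrictions left to right; the first match wins."""
    # permit_mynetworks: trusted clients skip the spoof check entirely, so
    # internal hosts that announce the local domain are not rejected.
    if in_mynetworks(client_ip):
        return "PERMIT"
    # check_helo_access: an outside client claiming a relayed domain or an
    # internal address in HELO is pretending to be a local system.
    if helo_access_lookup(helo) == "REJECT":
        return "REJECT"
    return "DUNNO"  # no match: this restriction list has no objection


if __name__ == "__main__":
    for ip, helo in [("192.0.2.25", "katy.com"), ("203.0.113.7", "katy.com"),
                     ("203.0.113.7", "gateway.example.org")]:
        print(ip, helo, helo_decision(ip, helo))
```

A `PERMIT` or `DUNNO` here only settles the HELO restriction list; client, sender and recipient restrictions are still evaluated separately.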

