Too messages in Hold folder when spamassassin is activated in MailScanner

Israel Garcia igalvarez at gmail.com
Wed Nov 28 13:56:26 GMT 2007


On Nov 28, 2007 5:12 AM, Glenn Steen <glenn.steen at gmail.com> wrote:

> ds climbs when comes a lot of mail to hold folder
> Yes, exactly.
>
> > >
> > > You do reject mail for unknown recipients, right? If not, start doing
> > > that... It will ease things;).
> > yes, I do..
> > from main.cf:
> > local_recipient_maps = unix:passwd.byname $alias_maps
> > smtpd_helo_required = yes
> > disable_vrfy_command = yes
> > strict_rfc821_envelopes = yes
> > invalid_hostname_reject_code = 554
> > multi_recipient_bounce_reject_code = 554
> > non_fqdn_reject_code = 554
> > relay_domains_reject_code = 554
> > unknown_address_reject_code = 554
> > unknown_client_reject_code = 554
> >  unknown_hostname_reject_code = 554
> > unknown_local_recipient_reject_code = 554
> > unknown_relay_recipient_reject_code = 554
> > unknown_sender_reject_code = 554
> > unknown_virtual_alias_reject_code = 554
> > unknown_virtual_mailbox_reject_code = 554
> > unverified_recipient_reject_code = 554
> > unverified_sender_reject_code = 554
> > #
> > smtpd_sender_restrictions =
> >       check_sender_access hash:/etc/postfix/listanegra
> >         reject_non_fqdn_sender
> >         reject_unknown_sender_domain permit
> >
> > smtpd_recipient_restrictions =
> >                 permit_auth_destination
> >                 permit_mynetworks
> >                 reject_non_fqdn_recipient
> >                 reject_unknown_recipient_domain
> >                 reject_unauth_destination
> >             reject_invalid_hostname,
> >             reject_unknown_recipient_domain,
> >             reject_unauth_pipelining,
> >             permit_sasl_authenticated,
> >             reject_unauth_destination,
> >
> >
> Good.
>
> > >
> > > You might also consider using a few RBLs at the MTA level, so that you
> > > reject messages that hit them. If you go for that, choose
> > > wisely...:-).
> > > And look over what ... "RFC strictness" you can enable... and use to
> > > reject junk.
> > What is RFC strictness?
> Pretty much what you do. Instead of blithely accepting malformed SMTP
> conversations, just reject them (being ... strict... about it:-).
> I don't see what helo_restrictions you have... You might want to do
> something there too... Like
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/deny_domain_spoof
>  ... where the hash to deny domain spoofing contains your domains details:
> example.net REJECT
> 123.456.789.123 REJECT
> ...
> Some will argue that this violates the RFCs, but it really doesn't...
> AFAICS:-).
> Doing this on HELO/EHLO will help a bit more.
>
Well, I made these changes in my main.cf:

smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

smtpd_sender_restrictions =
      check_sender_access hash:/etc/postfix/listanegra
        reject_non_fqdn_sender
        reject_unknown_sender_domain permit


smtpd_recipient_restrictions =
                permit_auth_destination
                permit_mynetworks
                reject_non_fqdn_recipient
                reject_unknown_recipient_domain
                reject_unauth_destination
                reject_non_fqdn_hostname,
                reject_non_fqdn_sender,
                reject_unknown_sender_domain,
                reject_invalid_hostname,
                reject_unknown_recipient_domain,
                reject_unauth_pipelining,
                permit_sasl_authenticated,
                reject_unauth_destination,
                reject_rbl_client zen.spamhaus.org
                reject_rbl_client list.dsbl.org
                reject_rhsbl_sender dsn.rfc-ignorant.org
                 permit

smtpd_data_restrictions = reject_unauth_pipelining,
        reject_multi_recipient_bounce, permit

smtpd_error_sleep_time = 60
smtpd_soft_error_limit = 60
smtpd_hard_error_limit = 10

And I see now Postfix is rejecting a LOT of mail before it gets to
MailScanner.. the % of spam has decreased too... I have activated again all
plugins in MailScanner/SpamAssassin and begun to monitor whether there are any
missing emails... I'll let you know later about the results and possibly send
the list all my config files to help other people with similar problems..:-)

If you think I've missed something in main.cf to stop spam, please let me
know! :-)
 thanks in advance
Israel
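
An added example, not part of the original message and not Postfix's own code: Postfix walks each restriction list in order and stops at the first restriction that returns a decision, so a small checker can show which entries of a list ordered like the one above are still evaluated for mail addressed to the server's own domains. The two recipient classes ("own", "other") and all function names are assumptions of this sketch; the sample list is constructed from entries in the posted config.

```python
import re

# Restrictions that take one argument (only those relevant to the posted config).
TAKES_ARG = {"check_sender_access", "check_helo_access", "reject_rbl_client",
             "reject_rhsbl_sender"}
# Restrictions that always decide a whole class of recipients (assumed model):
# "own" = destinations this server accepts mail for, "other" = everything else.
DECIDES = {"permit_auth_destination": {"own"}, "reject_unauth_destination": {"other"},
           "permit": {"own", "other"}, "reject": {"own", "other"}}

def parse_list(main_cf, param):
    """Return the restriction list of `param`, honouring main.cf continuation lines."""
    value, active = [], False
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":  # leading whitespace continues the previous parameter
            value += [line] if active else []
            continue
        name, _, rest = line.partition("=")
        active = name.strip() == param
        if active:
            value = [rest]  # a later definition replaces an earlier one
    tokens = re.split(r"[,\s]+", " ".join(value).strip())
    out, i = [], 0
    while i < len(tokens) and tokens[i]:
        n = 2 if tokens[i] in TAKES_ARG else 1
        out.append(" ".join(tokens[i:i + n]))
        i += n
    return out

def reachability(restrictions):
    """Pair each entry with the recipient classes that can still reach it."""
    alive, report = {"own", "other"}, []
    for r in restrictions:
        report.append((r, sorted(alive)))
        alive = alive - DECIDES.get(r.split()[0], set())
    return report

def skipped_for_inbound(restrictions):
    """Entries never evaluated for mail addressed to the server's own domains."""
    return [r for r, classes in reachability(restrictions) if "own" not in classes]

# Constructed sample, shortened from the ordering in the posted list.
SAMPLE = ("smtpd_recipient_restrictions =\n  permit_auth_destination\n  permit_mynetworks\n"
          "  reject_unauth_destination\n  reject_unauth_pipelining,\n"
          "  reject_rbl_client zen.spamhaus.org\n  permit\n")

if __name__ == "__main__":
    for entry in skipped_for_inbound(parse_list(SAMPLE, "smtpd_recipient_restrictions")):
        print("not evaluated for inbound mail:", entry)
```

For an ordering that starts with `permit_mynetworks` and `reject_unauth_destination` and has no leading `permit_auth_destination`, `skipped_for_inbound` returns an empty list, meaning the RBL lookup is reached for inbound mail.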

