On Nov 28, 2007 5:12 AM, Glenn Steen <<a href="mailto:glenn.steen@gmail.com">glenn.steen@gmail.com</a>> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">ds climbs when comes a lot of mail to hold folder<br></div>Yes, exactly.<br><div><div></div><div class="Wj3C7c"><br>> ><br>> > You do reject mail for unknown recipients, right? If not, start doing
<br>> > that... It will ease things;).<br>> yes, I do..<br>> from <a href="http://main.cf" target="_blank">main.cf</a>:<br>> local_recipient_maps = unix:passwd.byname $alias_maps<br>> smtpd_helo_required = yes
<br>> disable_vrfy_command = yes<br>> strict_rfc821_envelopes = yes<br>> invalid_hostname_reject_code = 554<br>> multi_recipient_bounce_reject_code = 554<br>> non_fqdn_reject_code = 554<br>> relay_domains_reject_code = 554
<br>> unknown_address_reject_code = 554<br>> unknown_client_reject_code = 554<br>> unknown_hostname_reject_code = 554<br>> unknown_local_recipient_reject_code = 554<br>> unknown_relay_recipient_reject_code = 554
<br>> unknown_sender_reject_code = 554<br>> unknown_virtual_alias_reject_code = 554<br>> unknown_virtual_mailbox_reject_code = 554<br>> unverified_recipient_reject_code = 554<br>> unverified_sender_reject_code = 554
<br>> #<br>> smtpd_sender_restrictions =<br>> check_sender_access hash:/etc/postfix/listanegra<br>> reject_non_fqdn_sender<br>> reject_unknown_sender_domain permit<br>><br>> smtpd_recipient_restrictions =
<br>> permit_auth_destination<br>> permit_mynetworks<br>> reject_non_fqdn_recipient<br>> reject_unknown_recipient_domain<br>> reject_unauth_destination
<br>> reject_invalid_hostname,<br>> reject_unknown_recipient_domain,<br>> reject_unauth_pipelining,<br>> permit_sasl_authenticated,<br>> reject_unauth_destination,
<br>><br>><br></div></div>Good.<br><div class="Ih2E3d"><br>> ><br>> > You might also consider using a few RBLs at the MTA level, so that you<br>> > reject messages that hit them. If you go for that, choose
<br>> > wisely...:-).<br>> > And look over what ... "RFC strictness" you can enable... and use to<br>> > reject junk.<br>> What is RFC strictness?<br></div>Pretty much what you do. Instead of blithely accepting malformed SMTP
<br>conversations, just reject them (being ... strict... about it:-).<br>I don't see what helo_restrictions you have... You might want to do<br>something there too... Like<br>smtpd_helo_required = yes<br>smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/deny_domain_spoof
<br> ... where the hash to deny domain spoofing contains your domains details:<br><a href="http://example.net" target="_blank">example.net</a> REJECT<br>123.456.789.123 REJECT<br>...
<br>Some will argue that this violates the RFCs, but it really doesn't... AFAICS:-).<br>Doing this on HELO/EHLO will help a bit more.<br></blockquote><div>Well, I made these changes in my <a href="http://main.cf">main.cf
</a>:<br><br>smtpd_helo_required = yes<br>disable_vrfy_command = yes<br>strict_rfc821_envelopes = yes<br>invalid_hostname_reject_code = 554<br>multi_recipient_bounce_reject_code = 554<br>non_fqdn_reject_code = 554<br>relay_domains_reject_code = 554
<br>unknown_address_reject_code = 554<br>unknown_client_reject_code = 554<br>unknown_hostname_reject_code = 554<br>unknown_local_recipient_reject_code = 554<br>unknown_relay_recipient_reject_code = 554<br>unknown_sender_reject_code = 554
<br>unknown_virtual_alias_reject_code = 554<br>unknown_virtual_mailbox_reject_code = 554<br>unverified_recipient_reject_code = 554<br>unverified_sender_reject_code = 554<br><br>smtpd_sender_restrictions =<br> check_sender_access hash:/etc/postfix/listanegra
<br> reject_non_fqdn_sender<br> reject_unknown_sender_domain permit<br><br><br>smtpd_recipient_restrictions =<br> permit_auth_destination<br> permit_mynetworks<br> reject_non_fqdn_recipient
<br> reject_unknown_recipient_domain<br> reject_unauth_destination<br> reject_non_fqdn_hostname,<br> reject_non_fqdn_sender,<br> reject_unknown_sender_domain,
<br> reject_invalid_hostname,<br> reject_unknown_recipient_domain,<br> reject_unauth_pipelining,<br> permit_sasl_authenticated,<br> reject_unauth_destination,
<br> reject_rbl_client <a href="http://zen.spamhaus.org">zen.spamhaus.org</a><br> reject_rbl_client <a href="http://list.dsbl.org">list.dsbl.org</a><br> reject_rhsbl_sender <a href="http://dsn.rfc-ignorant.org">
dsn.rfc-ignorant.org</a><br> permit<br><br>smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit<br><br>smtpd_error_sleep_time = 60<br>smtpd_soft_error_limit = 60<br>
smtpd_hard_error_limit = 10<br><br>And I see now postfix is rejecting a LOT of mail before it gets to MailScanner.. the % of spam has decreased too...I have activated again all plugins in MailScanner/Spamassassin and began to monitor if there are some missing emails... I'll let you know later about the results and possibly send the list all my config files to help other people with similar problems..:-)
<br><br>If you think I've missed something in <a href="http://main.cf">main.cf</a> to stop spam, please let me know! :-)<br> thanks in advance<br>Israel<br><br></div>
</div>
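<br><br>Added example, not part of the thread and not the posters' code: Postfix evaluates a restriction list in order and stops at the first decisive result, so this Python sketch lints the smtpd_recipient_restrictions list posted above for entries that can never run (here the RBL lookups, which sit after the permit_auth_destination / reject_unauth_destination pair). The helper names and the TAKES_ARG subset are assumptions of this example.

```python
import re
# Added example (not from the thread); helper names and the TAKES_ARG subset are assumptions.
TAKES_ARG = {"check_sender_access", "check_helo_access", "reject_rbl_client",
             "reject_rhsbl_sender"}       # restrictions followed by one argument
TERMINAL = {"permit", "reject", "defer"}  # unconditional: nothing after them is evaluated
# The smtpd_recipient_restrictions list posted above, reflowed onto fewer lines.
POSTED = """
smtpd_recipient_restrictions =
 permit_auth_destination permit_mynetworks reject_non_fqdn_recipient
 reject_unknown_recipient_domain reject_unauth_destination
 reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain,
 reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining,
 permit_sasl_authenticated, reject_unauth_destination,
 reject_rbl_client zen.spamhaus.org reject_rbl_client list.dsbl.org
 reject_rhsbl_sender dsn.rfc-ignorant.org permit
"""

def parse_main_cf(text):
    """Return {parameter: value}; an indented line continues the previous parameter."""
    kept = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    logical = re.sub(r"\n[ \t]+", " ", "\n".join(kept)).splitlines()
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in logical if "=" in l)}

def restrictions(value):
    """Split a restriction list into (name, argument) pairs."""
    tokens, out = [t for t in re.split(r"[,\s]+", value) if t], []
    while tokens:
        name = tokens.pop(0)
        out.append((name, tokens.pop(0) if name in TAKES_ARG and tokens else None))
    return out

def lint(value):
    """Report duplicates and entries placed after a point no request gets past."""
    findings, seen, dead = [], set(), None
    for item in restrictions(value):
        if dead:
            findings.append(("unreachable", item, dead))
            continue
        if item in seen:
            findings.append(("duplicate", item, None))
        seen.add(item)
        if item[0] in TERMINAL:
            dead = item[0]
        elif item[0] == "reject_unauth_destination" and ("permit_auth_destination", None) in seen:
            dead = "permit_auth_destination + reject_unauth_destination"  # complementary tests
    return findings

if __name__ == "__main__":
    print(*lint(parse_main_cf(POSTED)["smtpd_recipient_restrictions"]), sep="\n")
```

The linter models one restriction list at a time; HELO, sender and data restrictions are separate lists and are evaluated independently of the recipient list.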