
Enabling Postscreen

  • LuKreme
    Message 1 of 5 , Apr 6, 2013
      I've just updated my postfix install to 2.8 patch 14 (from 2.7) and am looking into enabling postscreen. I've read the http://www.postfix.org/POSTSCREEN_README.html document, and it looks like I should replace my old rbl checks with the new postscreen_dnsbl_sites value, but what about some of the other checks?

      I'm thinking that things like header checks, mime header checks, pipelining, fan, and several others should go away in preference to postscreen, or am I overestimating the utility of what postscreen can do?


      header_checks = pcre:$config_directory/header_checks.pcre

      mime_header_checks = pcre:$config_directory/mime_headers.pcre

      mydestination = $myhostname, localhost.$mydomain, $mydomain, localhost, ns1.$mydomain, ns2.$mydomain, mail.$mydomain, www.$mydomain, webmail.$mydomain

      smtpd_data_restrictions = reject_unauth_pipelining,
          reject_multi_recipient_bounce,
          check_sender_access hash:$config_directory/backscatter
          permit

      smtpd_error_sleep_time = 28

      smtpd_hard_error_limit = 8

      smtpd_helo_required = yes

      smtpd_helo_restrictions = permit_mynetworks,
          reject_invalid_helo_hostname,
          reject_non_fqdn_helo_hostname,
          permit

      smtpd_recipient_restrictions = reject_non_fqdn_sender,
          reject_non_fqdn_recipient,
          reject_unknown_sender_domain,
          reject_invalid_hostname,
          permit_mynetworks,
          permit_sasl_authenticated,
          reject_unauth_destination,
          reject_unlisted_recipient,
          reject_unlisted_sender,
          reject_unknown_reverse_client_hostname,
          warn_if_reject reject_unknown_client_hostname,
          check_client_access cidr:/var/db/dnswl/postfix-dnswl-permit,
          check_sender_access pcre:$config_directory/sender_access.pcre,
          check_client_access pcre:$config_directory/check_client_fqdn.pcre,
          check_recipient_access pcre:$config_directory/recipient_checks.pcre,
          check_client_access hash:$config_directory/access,
          permit

      --
      When cheese gets its picture taken, what does it say?
    • Wietse Venema
      Message 2 of 5 , Apr 6, 2013
        LuKreme:
        >
        > I've just updated my postfix install to 2.8 patch 14 (from 2.7)
        > and am looking into enabling postscreen. I've read the
        > http://www.postfix.org/POSTSCREEN_README.html document, and it
        > looks like I should replace my old rbl checks with the new
        > postscreen_dnsbl_sites value, but what about some of the other
        > checks?

        I suggest you don't change your existing spamblocking features.

        When postscreen doesn't reject the client as a spambot, there are
        still many other reasons why you would want to reject their mail.

        Wietse
      • LuKreme
        Message 3 of 5 , Apr 7, 2013
          In our previous episode (Saturday, 06-Apr-2013), Wietse Venema said:
          > LuKreme:
          >>
          >> I've just updated my postfix install to 2.8 patch 14 (from 2.7)
          >> and am looking into enabling postscreen. I've read the
          >> http://www.postfix.org/POSTSCREEN_README.html document, and it
          >> looks like I should replace my old rbl checks with the new
          >> postscreen_dnsbl_sites value, but what about some of the other
          >> checks?
          >
          > I suggest you don't change your existing spamblocking features.

          Really? What is the advantage of polling the RBL at spamhaus again?

          And aren't reject_unknown_reverse_client_hostname and reject_unlisted_sender redundant in smtpd_recipient_restrictions?

          --
          I know you won't believe it's true I only went with her cuz she looked
          like you
        • Wietse Venema
          Message 4 of 5 , Apr 7, 2013
            LuKreme:
            > In our previous episode (Saturday, 06-Apr-2013), Wietse Venema said:
            > > LuKreme:
            > >>
            > >> I've just updated my postfix install to 2.8 patch 14 (from 2.7)
            > >> and am looking into enabling postscreen. I've read the
            > >> http://www.postfix.org/POSTSCREEN_README.html document, and it
            > >> looks like I should replace my old rbl checks with the new
            > >> postscreen_dnsbl_sites value, but what about some of the other
            > >> checks?
            > >
            > > I suggest you don't change your existing spamblocking features.
            >
            > Really? What is the advantage of polling the RBL at spamhaus again?

            You're not polling it again. The information is cached in the DNS
            server. And in the case that the DNSBL lookup result came too late
            for postscreen, it may still arrive in time for smtpd(8).

            > And aren't reject_unknown_reverse_client_hostname and
            > reject_unlisted_sender redundant in smtpd_recipient_restrictions?

            Please RTFM. postscreen does not implement every smtpd feature.

            Wietse
          • LuKreme
            Message 5 of 5 , Apr 7, 2013
              In our previous episode (Sunday, 07-Apr-2013), Wietse Venema said:
              > LuKreme:
              >> In our previous episode (Saturday, 06-Apr-2013), Wietse Venema said:
              >>> LuKreme:
              >>>>
              >>>> I've just updated my postfix install to 2.8 patch 14 (from 2.7)
              >>>> and am looking into enabling postscreen. I've read the
              >>>> http://www.postfix.org/POSTSCREEN_README.html document, and it
              >>>> looks like I should replace my old rbl checks with the new
              >>>> postscreen_dnsbl_sites value, but what about some of the other
              >>>> checks?
              >>>
              >>> I suggest you don't change your existing spamblocking features.
              >>
              >> Really? What is the advantage of polling the RBL at spamhaus again?
              >
              > You're not polling it again. The information is cached in the DNS
              > server. And in the case that the DNSBL lookup result came too late
              > for postscreen, it may still arrive in time for smtpd(8).

              Ah, yes, I hadn't thought of that.

              >> And aren't reject_unknown_reverse_client_hostname and
              >> reject_unlisted_sender redundant in smtpd_recipient_restrictions?
              >
              > Please RTFM. postscreen does not implement every smtpd feature.

              I honestly did, and I thought those in particular were ones that would be redundant. I will leave it as it is, thanks.


              --
              A good friend will come and bail you out of jail but a true friend will
              be sitting next to you saying, "Dang, that was fun."
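
The point made in this thread, that a client postscreen lets through can still be rejected by smtpd(8), can be checked against a mail log before removing any restriction. The following is an added example, not part of the original thread or of Postfix: the function name is hypothetical and the log lines are constructed in the usual Postfix syslog shape, using documentation addresses.

```python
import re
from collections import Counter

# Usual syslog shapes: postscreen logs "[addr]:port", smtpd logs "name[addr]".
PASS_RE = re.compile(r"postfix/postscreen\[\d+\]: PASS (?:NEW|OLD) \[([^\]]+)\]:\d+")
PS_REJECT_RE = re.compile(
    r"postfix/postscreen\[\d+\]: NOQUEUE: reject: RCPT from \[([^\]]+)\]:\d+")
SMTPD_REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from \S*?\[([^\]]+)\]: "
    r"\d{3} \S+ (?:<[^>]*>: )?([^;]+);")

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = """\
Apr  7 10:00:01 mx postfix/postscreen[4101]: NOQUEUE: reject: RCPT from [192.0.2.66]:40122: 550 5.7.1 Service unavailable; client [192.0.2.66] blocked using zen.spamhaus.org; from=<x@example.com>, to=<user@example.org>, proto=ESMTP, helo=<example.com>
Apr  7 10:00:05 mx postfix/postscreen[4101]: PASS NEW [203.0.113.7]:51500
Apr  7 10:05:09 mx postfix/smtpd[4200]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [203.0.113.7]; from=<a@example.net> to=<user@example.org> proto=ESMTP helo=<host.example.net>
Apr  7 10:06:00 mx postfix/postscreen[4101]: PASS OLD [198.51.100.9]:33010
Apr  7 10:06:01 mx postfix/smtpd[4201]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.9]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<b@example.net> to=<nobody@example.org> proto=ESMTP helo=<mail.example.net>
Apr  7 10:07:00 mx postfix/postscreen[4101]: PASS OLD [198.51.100.20]:41000
Apr  7 10:07:01 mx postfix/smtpd[4203]: connect from mail.example.com[198.51.100.20]
""".splitlines()


def smtpd_rejects_after_pass(lines):
    """Return (clients postscreen rejected, Counter of smtpd reject reasons
    for clients that postscreen had already passed)."""
    passed, blocked, reasons = set(), set(), Counter()
    for line in lines:
        if m := PASS_RE.search(line):
            passed.add(m.group(1))
        elif m := PS_REJECT_RE.search(line):
            blocked.add(m.group(1))
        elif m := SMTPD_REJECT_RE.search(line):
            ip, reason = m.groups()
            if ip in passed:
                # Drop the trailing ", [addr]" so identical reasons aggregate.
                reasons[reason.split(", [")[0]] += 1
    return blocked, reasons


if __name__ == "__main__":
    blocked, reasons = smtpd_rejects_after_pass(SAMPLE_LOG)
    print("rejected by postscreen:", sorted(blocked))
    for reason, count in reasons.most_common():
        print(f"{count:4d}  passed postscreen, rejected by smtpd: {reason}")
```

Each reason in the output names a smtpd restriction that did work postscreen did not do for that client.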