postfix-users December 2011 archive

Re: smtpd_recipient_restrictions -- Best Practices

From: Brian Evans - Postfix List <grknight_at_nospam>
Date: Thu Dec 08 2011 - 20:07:47 GMT
To: postfix-users@postfix.org

On 12/8/2011 2:17 PM, Peter L. Berghold wrote:
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_auth_destination,

This restriction at this location will IGNORE all RBL lookups when mail
is destined for your system.
I suggest removing it as it is implied if reject_unauth_destination
fails to reject.

> reject_unauth_destination,
> check_sender_access hash:/etc/postfix/access,
> permit_sasl_authenticated,

This placement of permit_sasl_authenticated will only skip checks below
it. Is this what you intend?

> reject_unauth_pipelining,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,
> reject_unkown_helo_hostname,
> reject_invalid_hostname,
> reject_unknown_hostname,
> reject_rbl_client blackholes.easynet.nl,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client cbl.abuseat.org,
> reject_rbl_client cbl.abuseat.org,

Listing an RBL twice won't increase the chance of it being caught.

> reject_rbl_client dnsbl.njabl.org,
> reject_rbl_client dul.dnsbl.sorbs.net,
> reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
> reject_rbl_client list.dsbl.org,
> reject_rbl_client list.dsbl.org,

Ditto on last comment, plus dsbl.org has been dead a while

> reject_rbl_client multihop.dsbl.org,
> reject_rbl_client opm.blitzed.org,
> reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client sbl-xbl.spamhaus.org,
> permit

Permit at the end is harmless as it is also implied if all others pass.

Suggest reviewing all RBLs. Some are dead, and some can be combined.
zen.spamhaus.org will include (sbl|xbl|pbl).spamhaus.org
xbl.spamhaus.org includes cbl.abuseat.org

Brian
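
The review points in the reply above can be checked mechanically. The following Python sketch is an added example, not part of the original post or of Postfix; the function name, the finding codes and the abridged sample value (taken from the quoted configuration) are assumptions for illustration, and it encodes only the dead list and the coverage relations the reply states.

```python
import re

DEAD_SUFFIX = ".dsbl.org"  # the reply states dsbl.org has been dead a while
# Coverage stated in the reply: zen includes sbl/xbl/pbl, xbl includes cbl.
COVERED_BY = {
    "sbl.spamhaus.org": "zen.spamhaus.org",
    "xbl.spamhaus.org": "zen.spamhaus.org",
    "pbl.spamhaus.org": "zen.spamhaus.org",
    "cbl.abuseat.org": "xbl.spamhaus.org",
}

# Constructed sample: an abridged copy of the configuration quoted in the post.
SAMPLE = """
permit_mynetworks, permit_auth_destination, reject_unauth_destination,
check_sender_access hash:/etc/postfix/access, permit_sasl_authenticated,
reject_rbl_client cbl.abuseat.org, reject_rbl_client cbl.abuseat.org,
reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org,
permit
"""

def lint_restrictions(value):
    """Return (code, detail) findings for a smtpd_recipient_restrictions value."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    rbl_at = [i for i, t in enumerate(tokens[:-1]) if t == "reject_rbl_client"]
    findings, seen = [], set()
    # A permit for local destinations ahead of the RBLs ends evaluation first.
    if rbl_at and "permit_auth_destination" in tokens[:rbl_at[0]]:
        findings.append(("PERMIT_BEFORE_RBL", "permit_auth_destination"))
    # permit_sasl_authenticated only skips the checks listed after it.
    if "permit_sasl_authenticated" in tokens:
        before = tokens[:tokens.index("permit_sasl_authenticated")]
        early = [t for t in before if t.startswith(("reject_", "check_"))]
        if early:
            findings.append(("SASL_AFTER_CHECKS", ", ".join(early)))
    for i in rbl_at:
        zone = tokens[i + 1].split("=")[0].lower()  # drop a "=127.0.0.2" filter
        if zone in seen:
            findings.append(("DUPLICATE_RBL", zone))
            continue
        seen.add(zone)
        if zone.endswith(DEAD_SUFFIX):
            findings.append(("DEAD_RBL", zone))
        if zone in COVERED_BY:
            findings.append(("COMBINE_RBL", f"{zone} -> {COVERED_BY[zone]}"))
    # A final bare permit is implied when nothing above rejected.
    if tokens and tokens[-1] == "permit":
        findings.append(("IMPLIED_PERMIT", "trailing permit"))
    return findings
```
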