postfix-users October 2010 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: Re: Fighting Backscatter

Re: Fighting Backscatter

From: Jeroen Geilman <jeroen_at_nospam>
Date: Wed Oct 20 2010 - 01:09:41 GMT

On 10/20/2010 02:52 AM, Steve Jenkins wrote:
> I will gladly solve the RIGHT problem. The fact that I'm here looking for
> guidance should demonstrate that I'm looking to do exactly that.
> Unfortunately, I can't simply put "DO NOT forward SPAM" in my and
> have it work. ;) After reading through all the docs and various blog and
> forum posts, and making my best efforts at incorporating what I've learned
> into my configuration, it seems I'm still causing backscatter.

Don't accept mail you cannot deliver. Really, that's Numero Uno.
Proper sender and recipient verification - insofar as is feasible for
your site - goes a long way to prevent that from happening.

> That's exactly why I'm posting on Postfix-users - because I need a little more
> guidance than just "RTFM." :) So if anyone can help me with some SPECIFIC
> steps to take, I'd be very appreciative.
> I posted it initially, but here again is my postconf -n output:
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> reject_unauth_destination, reject_unknown_recipient_domain,
> reject_unknown_sender_domain, reject_non_fqdn_recipient,
> reject_non_fqdn_sender, reject_invalid_hostname, permit_mynetworks, permit

You're missing some of the better spam prevention methods here, such as
decent HELO checks, and an RBL or two.

I'd suggest at least adding reject_unknown_reverse_client_hostname in
there, as well as (testing out)

My personal server uses:

= permit_mynetworks,
check_helo_access hash:/etc/postfix/helo_access,

helo_access contains permutations of my own IP and hostname(s), which I

My zen RBL check is moved to postscreen, since I run a pre-2.8 build.

> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
> reject_unknown_sender_domain

Instead of specifying each restriction set by itself, put them all
together under recipient_restrictions so you can follow along what happens.
It will also log more information.

> virtual_alias_domains =
> virtual_alias_maps = hash:/etc/postfix/virtual

It would be mildly interesting to see what is in those files, since a
virtual_alias_domain is potentially a wildcard recipient domain.

> -----Original Message-----
> From: Wietse Venema []
> Sent: Tuesday, October 19, 2010 5:16 AM
> To: Steve Jenkins
> Cc: Postfix users
> Subject: Re: Fighting Backscatter
> Steve Jenkins:

Oh, and please don't top-post.

-- J.