postfix-users October 2010 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: Re: Fighting Backscatter

Re: Fighting Backscatter

From: Jeroen Geilman <jeroen_at_nospam>
Date: Wed Oct 20 2010 - 01:50:17 GMT

On 10/20/2010 03:38 AM, Steve Jenkins wrote:
> THANK YOU Jeroen. J I really appreciate you taking the time to help me
> with some specific steps I can try.

Well, let's say I can provide you with some pointers.
That doesn't absolve you of the responsibility to study the
documentation thoroughly.

> non_smtpd_milters = inet:localhost:20209
> smtpd_milters = inet:localhost:20209

What are all these milters doing ?
Do you *know* ?
How can you use the same service for both smtp and non-smtp milters ?
Presumably, they don't take the same input format.

> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination,
> reject_unknown_reverse_client_hostname, warn_if_reject
> reject_non_fqdn_helo_hostname, warn_if_reject
> reject_invalid_helo_hostname, warn_if_reject
> reject_unknown_helo_hostname, reject_unauth_pipelining,
> reject_non_fqdn_sender, reject_unknown_sender_domain,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,
> reject_invalid_hostname, permit

Still missing a good RBL check; check out zen (

> virtual_alias_domains =
> virtual_alias_maps = hash:/etc/postfix/virtual
> The /etc/postfix/virtual is set up as follows. Every line in there is
> either a local POP account or the destination forwarding address. I
> don't use any catch-alls, and prefer that my server reject unknown
> local recipients (or in this case, I should probably say "local").

No, since these are virtual aliases, postfix will reject any *virtual*
recipients that don't appear here.
It makes no judgement on the RHS of the aliases.

> #Family Domain for Mail
> <> steve
> <> sister
> <>
> <>
> <>
> <>
> Like you, I'm also running a pre-2.8 build (2.6.5).

Um. pre-2.8 means I run a pre-release build of postfix 2.8 with the
postscreen code patched in to it.

Postscreen doesn't work on earlier versions, and is still not finalized

> I hadn't heard of postscreen until just now, but I'll check it out.

That would be why. Don't worry about it, you can do fine without.

> Would you mind sharing (anonymized if you wish) some examples of
> permutations of your IP and hostname(s) to reject from your
> helo_access file? What types of permutations are classically used by
> spammers that I can safely block without rejecting legitimate mail?

Just list your literal IP and hostname(s) to start with.
Many spammers try to circumvent remote client restrictions that way.

> *From:*
> [] *On Behalf Of *Jeroen Geilman
> *Sent:* Tuesday, October 19, 2010 7:10 PM
> *To:*
> *Subject:* Re: Fighting Backscatter
> Oh, and please don't top-post.
> J.

And you're still top-posting.

-- J.