Postfix Mac Administration

Eric Lemings-3
Greetings,

Can anyone point me to some good guides/tutorials for configuring Postfix on Mac systems?  In particular, I'm trying to stop spam in its tracks.  I've tried using the Server app and the older Server Admin app.  I've even tried manually editing the Postfix config files by hand.  Nothing seems to work.  I still get hundreds of junk mails.  (I have really old email addresses.)

Any pointers, tips, links appreciated greatly.

Eric.


Re: Postfix Mac Administration

Stan Hoeppner
On 1/4/2012 11:31 AM, Eric Lemings wrote:
> Greetings,
>
> Can anyone point me to some good guides/tutorials for configuring Postfix on Mac systems?  In particular, I'm trying to stop spam in its tracks.  I've tried using the Server app and the older Server Admin app.  I've even tried manually editing the Postfix config files by hand.  Nothing seems to work.  I still get hundreds of junk mails.  (I have really old email addresses.)
>
> Any pointers, tips, links appreciated greatly.

First, please supply 'postconf -n' output, as you were directed in the
list welcome message.  This allows us to see how you are currently
configured so we can recommend changes that work with your particular
setup, and help you fix anything that's not currently correct.

Also, post the output of the following command:

$ postconf |grep 'mail_version ='


--
Stan

Re: Postfix Mac Administration

Eric Lemings-3

Here's my Postfix configuration:

[root@myhost myuser]$ postconf -n
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
imap_submit_cred_file = /private/etc/postfix/submit.cred
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, myhost, $mydomain, mail
mydomain = lemings.com
mydomain_fallback = localhost
myhostname = mail.lemings.com
mynetworks = 127.0.0.0/8,192.168.0.0/16
newaliases_path = /usr/bin/newaliases
postscreen_dnsbl_sites = zen.spamhaus.org*2 rbl-plus.mail-abuse.org bl.spamcop.net
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_canonical_maps = hash:/etc/postfix/system_user_maps
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_auth_enable = no
smtp_sasl_password_maps =
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org reject_rbl_client rbl-plus.mail-abuse.org reject_rbl_client bl.spamcop.net permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,    check_helo_access         hash:/etc/postfix/helo_access,    reject_non_fqdn_helo_hostname,    reject_invalid_helo_hostname,    permit
smtpd_pw_server_security_options = cram-md5,gssapi,login,plain
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks  reject_unauth_destination check_policy_service unix:private/policy permit
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/myhost.lemings.com.F10D537E0CACDAC26C86B0FAA5A3E24477F0F6A3.chain.pem
smtpd_tls_cert_file = /etc/certificates/myhost.lemings.com.F10D537E0CACDAC26C86B0FAA5A3E24477F0F6A3.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/myhost.lemings.com.F10D537E0CACDAC26C86B0FAA5A3E24477F0F6A3.key.pem
smtpd_use_pw_server = yes
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
use_sacl_cache = yes
virtual_alias_maps = $virtual_maps

[root@cyberia myuser]$ postconf | grep 'mail_version ='
mail_version = 2.8.4


On Jan 4, 2012, at 12:12 PM, Stan Hoeppner wrote:

> On 1/4/2012 11:31 AM, Eric Lemings wrote:
>> Greetings,
>>
>> Can anyone point me to some good guides/tutorials for configuring Postfix on Mac systems?  In particular, I'm trying to stop spam in its tracks.  I've tried using the Server app and the older Server Admin app.  I've even tried manually editing the Postfix config files by hand.  Nothing seems to work.  I still get hundreds of junk mails.  (I have really old email addresses.)
>>
>> Any pointers, tips, links appreciated greatly.
>
> First, please supply 'postconf -n' output, as you were directed in the
> list welcome message.  This allows us to see how you are currently
> configured so we can recommend changes that work with your particular
> setup, and help you fix anything that's not currently correct.
>
> Also, post the output of following command:
>
> $ postconf |grep 'mail_version ='
>
>
> --
> Stan


Re: Postfix Mac Administration

Eric Lemings-3

I just noticed that two of my Postfix configuration variables were set twice, the latter of which was overriding the former.  Here's the new values:

smtpd_client_restrictions = permit_mynetworks    permit_sasl_authenticated    reject_rbl_client zen.spamhaus.org    reject_rbl_client rbl-plus.mail-abuse.org    reject_rbl_client bl.spamcop.net    permit
smtpd_recipient_restrictions = reject_unauth_pipelining,    reject_non_fqdn_recipient,    reject_unknown_recipient_domain,    permit_mynetworks,    permit_sasl_authenticated,    reject_unauth_destination,    reject_rbl_client relays.ordb.org,    reject_rbl_clientlist.dsbl.org,    reject_rbl_client sbl-xbl.spamhaus.org,    check_policy_service unix:private/policy,    permit




Re: Postfix Mac Administration

jeffrey j donovan
In reply to this post by Eric Lemings-3

On Jan 4, 2012, at 8:21 PM, Eric Lemings wrote:

>
> Here's my Postfix configuration:
>
> [root@myhost myuser]$ postconf -n
> snip
> On Jan 4, 2012, at 12:12 PM, Stan Hoeppner wrote:
>
>> On 1/4/2012 11:31 AM, Eric Lemings wrote:
>>> Greetings,
>>>
>>> Can anyone point me to some good guides/tutorials for configuring Postfix on Mac systems?  In particular, I'm trying to stop spam in its tracks.  I've tried using the Server app and the older Server Admin app.  I've even tried manually editing the Postfix config files by hand.  Nothing seems to work.  I still get hundreds of junk mails.  (I have really old email addresses.)
>>>
>>> Any pointers, tips, links appreciated greatly.
>>
>> First, please supply 'postconf -n' output, as you were directed in the
>> list welcome message.  This allows us to see how you are currently
>> configured so we can recommend changes that work with your particular
>> setup, and help you fix anything that's not currently correct.
>>
>> Also, post the output of following command:
>>
>> $ postconf |grep 'mail_version ='
>>
>>
>> --
>> Stan
>

Greetings

check out the docs and setup tutorials on http://osx.topicdesk.com/

specifically http://downloads.topicdesk.com/docs/Frontline_Spam_Defense_for_Mail_in_Mac_OS_X.pdf

then come back and we can help you with postfix specific. I can aid you off list with osx stuff.
This doc hasn't been updated since 2007 however it covers the basics.

-j

Re: Postfix Mac Administration

/dev/rob0
In reply to this post by Eric Lemings-3
On Wednesday 04 January 2012 20:45:23 Eric Lemings wrote:
> I just noticed that two of my Postfix configuration variables were
> set twice, the latter of which was overriding the former.  Here's
> the new values:

The list policy asks for "postconf -n" because that reports values
Postfix is actually using.
 
> smtpd_client_restrictions = permit_mynetworks  
> permit_sasl_authenticated    reject_rbl_client zen.spamhaus.org  
> reject_rbl_client rbl-plus.mail-abuse.org    reject_rbl_client
> bl.spamcop.net    permit

MAPS RBL is a paid service only, but I suppose you knew that.

> smtpd_recipient_restrictions =

BTW "client" != "recipient", in case that is what you meant by
duplicated settings. They are different settings, but functionally
similar. You could consolidate all of your restrictions into
smtpd_recipient_restrictions. Unless you need complex whitelisting,
it's usually easier that way, to only maintain one set of
restrictions.

> reject_unauth_pipelining,    reject_non_fqdn_recipient,  
> reject_unknown_recipient_domain,    permit_mynetworks,  
> permit_sasl_authenticated,    reject_unauth_destination,  
> reject_rbl_client relays.ordb.org,  
> reject_rbl_clientlist.dsbl.org,

Both of these are LONG dead and gone, so maybe you did not know about
MAPS RBL? Also, you have no space there. Furthermore, you pasted your
"postconf -n", and it shows a different setting of
smtpd_recipient_restrictions. We believe what postconf(1) tells us.

> reject_rbl_client sbl-xbl.spamhaus.org, check_policy_service

Zen has superseded sbl-xbl.spamhaus.org, which both below and above,
you say you are using.

> unix:private/policy,  permit
>
> On Jan 4, 2012, at 6:21 PM, Eric Lemings wrote:
> > Here's my Postfix configuration:
> >
> > [root@myhost myuser]$ postconf -n
> > command_directory = /usr/sbin
> > config_directory = /etc/postfix
> > content_filter = smtp-amavis:[127.0.0.1]:10024
> > daemon_directory = /usr/libexec/postfix
> > debug_peer_level = 2
> > enable_server_options = yes
> > header_checks = pcre:/etc/postfix/custom_header_checks
> > html_directory = /usr/share/doc/postfix/html
> > imap_submit_cred_file = /private/etc/postfix/submit.cred
> > inet_interfaces = all
> > local_recipient_maps = proxy:unix:passwd.byname $alias_maps
> > mail_owner = _postfix
> > mailbox_size_limit = 0
> > mailbox_transport = dovecot
> > mailq_path = /usr/bin/mailq
> > manpage_directory = /usr/share/man
> > maps_rbl_domains =
> > message_size_limit = 0
> > mydestination = $myhostname, localhost.$mydomain, localhost,
> > myhost, $mydomain, mail mydomain = lemings.com
> > mydomain_fallback = localhost
> > myhostname = mail.lemings.com
> > mynetworks = 127.0.0.0/8,192.168.0.0/16
> > newaliases_path = /usr/bin/newaliases
> > postscreen_dnsbl_sites = zen.spamhaus.org*2
> > rbl-plus.mail-abuse.org bl.spamcop.net
> > queue_directory = /private/var/spool/postfix
> > readme_directory = /usr/share/doc/postfix
> > recipient_canonical_maps = hash:/etc/postfix/system_user_maps
> > recipient_delimiter = +
> > relayhost =
> > sample_directory = /usr/share/doc/postfix/examples
> > sendmail_path = /usr/sbin/sendmail
> > setgid_group = _postdrop
> > smtp_sasl_auth_enable = no
> > smtp_sasl_password_maps =
> > smtpd_client_restrictions = permit_mynetworks
> > permit_sasl_authenticated reject_rbl_client zen.spamhaus.org
> > reject_rbl_client rbl-plus.mail-abuse.org reject_rbl_client
> > bl.spamcop.net permit smtpd_enforce_tls = no
> > smtpd_helo_required = yes
> > smtpd_helo_restrictions = permit_mynetworks,    check_helo_access
> > hash:/etc/postfix/helo_access, reject_non_fqdn_helo_hostname,
> > reject_invalid_helo_hostname, permit
> > smtpd_pw_server_security_options = cram-md5,gssapi,login,plain
> > smtpd_recipient_restrictions =
> > permit_sasl_authenticated permit_mynetworks
> > reject_unauth_destination check_policy_service
> > unix:private/policy permit
> > smtpd_sasl_auth_enable = yes
> > smtpd_tls_CAfile =
> > /etc/certificates/myhost.lemings.com.F10D537E0CACDAC26C86B0FAA5A
> > 3E24477F0F6A3.chain.pem
> > smtpd_tls_cert_file =
> > /etc/certificates/myhost.lemings.com.F10D537E0CACDAC26C86B0FAA5A
> > 3E24477F0F6A3.cert.pem
> > smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
> > smtpd_tls_key_file =
> > /etc/certificates/myhost.lemings.com.F10D537E0CACDAC26C86B0FAA5A
> > 3E24477F0F6A3.key.pem
> > smtpd_use_pw_server = yes
> > smtpd_use_tls = yes
> > strict_rfc821_envelopes = yes
> > tls_random_source = dev:/dev/urandom
> > unknown_local_recipient_reject_code = 550
> > use_sacl_cache = yes
> > virtual_alias_maps = $virtual_maps
> >
> > [root@cyberia myuser]$ postconf | grep 'mail_version ='
> > mail_version = 2.8.4
> >
> > On Jan 4, 2012, at 12:12 PM, Stan Hoeppner wrote:
> >> On 1/4/2012 11:31 AM, Eric Lemings wrote:
> >>> Greetings,
> >>>
> >>> Can anyone point me to some good guides/tutorials for
> >>> configuring Postfix on Mac systems?  In particular, I'm trying
> >>> to stop spam in its tracks.  I've tried using the Server app
> >>> and the older Server Admin app.  I've even tried manually
> >>> editing the Postfix config files by hand.  Nothing seems to
> >>> work.  I still get hundreds of junk mails.  (I have really old
> >>> email addresses.)
> >>>
> >>> Any pointers, tips, links appreciated greatly.

I could suggest signing up for the Barracuda BRBL and using Spam-
eating Monkey, and could nitpick some of the postconf, but overall
it's not that bad, you have sane and strong antispam controls in
place. Maybe share logs and samples of the spam you got?

One WAG I came up with: are you using a DNS forwarder which is
probably blocked by Spamhaus? Try testing, from the Postfix host:
  $ dig 2.0.0.127.zen.spamhaus.org. any
This should return their test records. Compare with NXDOMAIN here:
  $ dig 2.0.0.127.zen.spamhaus.org. any @8.8.4.4

> >> First, please supply 'postconf -n' output, as you were directed
> >> in the list welcome message.  This allows us to see how you are
> >> currently configured so we can recommend changes that work with
> >> your particular setup, and help you fix anything that's not
> >> currently correct.
> >>
> >> Also, post the output of following command:
> >>
> >> $ postconf |grep 'mail_version ='

(Stan, UUOG, that can be simply "postconf mail_version" :) )
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: Postfix Mac Administration

Eric Lemings-3

On Jan 4, 2012, at 9:54 PM, /dev/rob0 wrote:

> On Wednesday 04 January 2012 20:45:23 Eric Lemings wrote:
>> I just noticed that two of my Postfix configuration variables were
>> set twice, the latter of which was overriding the former.  Here's
>> the new values:
>
> The list policy asks for "postconf -n" because that reports values
> Postfix is actually using.
>
>> smtpd_client_restrictions = permit_mynetworks  
>> permit_sasl_authenticated    reject_rbl_client zen.spamhaus.org  
>> reject_rbl_client rbl-plus.mail-abuse.org    reject_rbl_client
>> bl.spamcop.net    permit
>
> MAPS RBL is a paid service only, but I suppose you knew that.
>
>> smtpd_recipient_restrictions =
>
> BTW "client" != "recipient", in case that is what you meant by
> duplicated settings. They are different settings, but functionally
> similar. You could consolidate all of your restrictions into
> smtpd_recipient_restrictions. Unless you need complex whitelisting,
> it's usually easier that way, to only maintain one set of
> restrictions.
>
>> reject_unauth_pipelining,    reject_non_fqdn_recipient,  
>> reject_unknown_recipient_domain,    permit_mynetworks,  
>> permit_sasl_authenticated,    reject_unauth_destination,  
>> reject_rbl_client relays.ordb.org,  
>> reject_rbl_clientlist.dsbl.org,
>
> Both of these are LONG dead and gone, so maybe you did not know about
> MAPS RBL? Also, you have no space there. Furthermore, you pasted your
> "postconf -n", and it shows a different setting of
> smtpd_recipient_restrictions. We believe what postconf(1) tells us.

When I first captured the output from postconf -n, I noticed afterwards that both variables were set twice in the Postfix main.cf file.  Something like this:

....
smtpd_client_restrictions = <values I wrote myself>
smtpd_recipient_restrictions = <values I wrote myself>
...
smtpd_client_restrictions = <basic settings written by Server app or some other Mac admin tool>
smtpd_recipient_restrictions = <basic settings written by Server app or some other Mac admin tool>

I removed the last variables whose values were shown in the first post, then reposted the new values.

This change seems to have been my missing link.  Since I made it, spam arriving in IMAP boxes has dropped drastically in the past several hours.

The RBL sites come from various Postfix tutorials on the web, many of which are getting woefully dated.  Thanks for the updates.

Eric.
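
One way to spot the situation described in this message, where a later main.cf line silently overrides an earlier one and drops checks with it. This is an added example, not code from the thread; the sample file is constructed and the function names are hypothetical.

```python
import re

# Constructed sample: hand-written settings followed by lines appended later
# by an admin tool. Host name and values are illustrative only.
SAMPLE_MAIN_CF = """\
# hand-written
smtpd_client_restrictions = permit_mynetworks
    reject_rbl_client zen.spamhaus.org
    permit
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination,
    check_policy_service unix:private/policy, permit
myhostname = mail.example.com
# appended by an admin tool
smtpd_client_restrictions = permit_mynetworks permit
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination permit
"""


def parse_main_cf(text):
    """Return [(name, value, first_line_number)] in file order.

    main.cf syntax: blank lines and lines whose first non-blank character
    is '#' are ignored; a line that starts with whitespace continues the
    previous logical line.
    """
    entries = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                      # continuation line
            if current is not None:
                current[1] = (current[1] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:                              # not "name = value"
            current = None
            continue
        current = [name.strip(), value.strip(), lineno]
        entries.append(current)
    return [tuple(e) for e in entries]


def find_overrides(entries):
    """Map each parameter set more than once to [(line, value), ...].

    The last definition in the list is the one Postfix uses.
    """
    seen = {}
    for name, value, lineno in entries:
        seen.setdefault(name, []).append((lineno, value))
    return {n: defs for n, defs in seen.items() if len(defs) > 1}


def lost_tokens(defs):
    """Tokens present in a shadowed definition but absent from the winner."""
    def split(value):
        return [t for t in re.split(r"[,\s]+", value) if t]

    winner = set(split(defs[-1][1]))
    lost = []
    for _, value in defs[:-1]:
        lost += [t for t in split(value) if t not in winner and t not in lost]
    return lost


if __name__ == "__main__":
    for name, defs in find_overrides(parse_main_cf(SAMPLE_MAIN_CF)).items():
        lines = ", ".join(str(lineno) for lineno, _ in defs)
        print(f"{name}: set on lines {lines}; line {defs[-1][0]} wins")
        print("  dropped by the override:", " ".join(lost_tokens(defs)) or "-")
```

Run it against a copy of the real file by passing its contents to parse_main_cf(); "postconf -n" then confirms which value is in effect.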


Re: Postfix Mac Administration

Stan Hoeppner
In reply to this post by /dev/rob0
On 1/4/2012 10:54 PM, /dev/rob0 wrote:

> You could consolidate all of your restrictions into
> smtpd_recipient_restrictions. Unless you need complex whitelisting,
> it's usually easier that way, to only maintain one set of
> restrictions.

I recommend this as well.  For me it's much easier to work with and
debug.  I find it actually works better for complex whitelisting.

> Zen has superseded sbl-xbl.spamhaus.org, which both below and above,
> you say you are using.

It appears none of your current dnsbls target snowshoe spam.  I'd
recommend adding Spamhaus' DBL to your config:

smtpd_recipient_restrictions =
        ...
        reject_rhsbl_client dbl.spamhaus.org
        reject_rhsbl_sender dbl.spamhaus.org
        reject_rhsbl_helo dbl.spamhaus.org
        ...

> I could suggest signing up for the Barracuda BRBL and using Spam-
> eating Monkey, and could nitpick some of the postconf, but overall
> it's not that bad, you have sane and strong antispam controls in
> place. Maybe share logs and samples of the spam you got?

BRBL seems to be pretty effective these days so I 2nd that rec. A few
log snippets of the spam connections are always helpful as different
types of spam sources require different countermeasures.

> One WAG I came up with: are you using a DNS forwarder which is
> probably blocked by Spamhaus? Try testing, from the Postfix host:
>   $ dig 2.0.0.127.zen.spamhaus.org. any
> This should return their test records. Compare with NXDOMAIN here:
>   $ dig 2.0.0.127.zen.spamhaus.org. any @8.8.4.4

This is one of many reasons it's usually best to run your own caching
resolver on a single MX mail host, such as pdns recursor or unbound.
Having your own resolver makes troubleshooting dns related issues much
easier, and avoids problems such as Rob mentions here.  On a single MX
host the resolver eats minuscule resources.  Tons of upside to running
one, zero downside.

http://doc.powerdns.com/built-in-recursor.html
http://unbound.net/

I'm not an OSX or *BSD user, but I can say that one or both of these are
provided as binary packages in most, if not all, Linux distributions.
You could use bind as well but these are typically easier to work with.

> (Stan, UUOG, that can be simply "postconf mail_version" :) )

Heh, thx Rob.  Already pointed out to me off list.  99/100 times my use
of postconf is with -q option to test new pcres or other tables.  I
rarely use postconf for anything else, as I simply haven't needed to,
and it shows. :)

--
Stan

Re: Postfix Mac Administration

Stan Hoeppner
In reply to this post by Eric Lemings-3
On 1/5/2012 12:46 AM, Eric Lemings wrote:

> The RBL sites come from various Postfix tutorials on the web, many of which are getting woefully dated.  Thanks for the updates.

First, please use the generic term "dnsbl" instead of "RBL".  RBL is a
copyrighted/trademarked term specific to MAPS Corporation.

Regarding the various Postfix tutorials scattered all over the web, yes,
many are very outdated.  I wouldn't necessarily trust the dnsbls listed
in them if the article is more than a few years old as dnsbls tend to
come and go.  Often when they die they end up listing "the world" which
may cause your MTA to reject all mail.

Typing spam source IP addresses into this:
http://www.mxtoolbox.com/blacklists.aspx

will show if the IP is listed by any of 100 or so active dnsbls.  You
can then research those that seem to "catch your spam" regularly, and
add them to your config, if you like their listings and management
policies.  Most listed are free of charge, some require a subscription.

As a general rule, you should kill spam by any and all other means
within Postfix _before_ querying a remote dnsbl.  The reasons are twofold:

1.  MTA latency is lower, overall performance higher
2.  dnsbl operator network overhead is lower

--
Stan
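
The points raised in the replies above (dead or superseded lists, the missing space after reject_rbl_client, and querying dnsbls only after local checks), applied to a restriction list. This is an added example, not code from the thread; the function names and the set of "local" prefixes are assumptions of the example, and the zone notes repeat only what the posters stated.

```python
import re

# Restrictions that take a DNS list zone as their argument.
DNSBL_LOOKUPS = ("reject_rbl_client", "reject_rhsbl_client",
                 "reject_rhsbl_sender", "reject_rhsbl_helo")

# Zone status exactly as stated in the replies above (January 2012).
ZONE_NOTES = {
    "relays.ordb.org": "dead list, remove",
    "list.dsbl.org": "dead list, remove",
    "sbl-xbl.spamhaus.org": "superseded by zen.spamhaus.org",
    "rbl-plus.mail-abuse.org": "MAPS, paid service only",
}

# Assumption of this example: restrictions with these prefixes need no
# remote dnsbl query, so they belong before the first dnsbl lookup.
LOCAL_PREFIXES = ("reject_non_fqdn_", "reject_invalid_", "reject_unauth_")

# The value posted earlier in the thread, including its missing space.
POSTED = ("reject_unauth_pipelining,    reject_non_fqdn_recipient,    "
          "reject_unknown_recipient_domain,    permit_mynetworks,    "
          "permit_sasl_authenticated,    reject_unauth_destination,    "
          "reject_rbl_client relays.ordb.org,    reject_rbl_clientlist.dsbl.org,    "
          "reject_rbl_client sbl-xbl.spamhaus.org,    "
          "check_policy_service unix:private/policy,    permit")

# Constructed value: a cheap local check placed after a dnsbl lookup.
MISORDERED = ("permit_mynetworks, reject_unauth_destination, "
              "reject_rbl_client zen.spamhaus.org, reject_non_fqdn_sender, "
              "reject_rhsbl_sender dbl.spamhaus.org")


def parse_restrictions(value):
    """Split a restriction list into (name, argument) pairs plus findings."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items, findings = [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        glued = next((n for n in DNSBL_LOOKUPS
                      if tok.startswith(n) and tok != n), None)
        if glued:
            findings.append(f"missing space: '{tok}' should be "
                            f"'{glued} {tok[len(glued):]}'")
            items.append((glued, tok[len(glued):]))
            i += 1
        elif tok in DNSBL_LOOKUPS or tok.startswith("check_"):
            items.append((tok, tokens[i + 1] if i + 1 < len(tokens) else ""))
            i += 2
        else:
            items.append((tok, ""))
            i += 1
    return items, findings


def lint(value):
    """Return a list of findings for one smtpd_*_restrictions value."""
    items, findings = parse_restrictions(value)
    first_dnsbl = None
    for pos, (name, arg) in enumerate(items):
        if name in DNSBL_LOOKUPS:
            if first_dnsbl is None:
                first_dnsbl = pos
            zone = arg.split("=")[0].rstrip(".").lower()
            if zone in ZONE_NOTES:
                findings.append(f"{zone}: {ZONE_NOTES[zone]}")
        elif first_dnsbl is not None and name.startswith(LOCAL_PREFIXES):
            findings.append(f"{name}: local check placed after a DNSBL "
                            "lookup, move it earlier")
    return findings


if __name__ == "__main__":
    for label, value in (("posted", POSTED), ("misordered", MISORDERED)):
        print(label)
        for finding in lint(value):
            print("  -", finding)
```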

Re: Postfix Mac Administration

Eric Lemings-3
In reply to this post by Eric Lemings-3

On Jan 4, 2012, at 11:46 PM, Eric Lemings <[hidden email]> wrote:

>
> On Jan 4, 2012, at 9:54 PM, /dev/rob0 wrote:
>
>> On Wednesday 04 January 2012 20:45:23 Eric Lemings wrote:
>>> I just noticed that two of my Postfix configuration variables were
>>> set twice, the latter of which was overriding the former.  Here's
>>> the new values:
>>
>> The list policy asks for "postconf -n" because that reports values
>> Postfix is actually using.
>>
>>> smtpd_client_restrictions = permit_mynetworks  
>>> permit_sasl_authenticated    reject_rbl_client zen.spamhaus.org  
>>> reject_rbl_client rbl-plus.mail-abuse.org    reject_rbl_client
>>> bl.spamcop.net    permit
>>
>> MAPS RBL is a paid service only, but I suppose you knew that.
>>
>>> smtpd_recipient_restrictions =
>>
>> BTW "client" != "recipient", in case that is what you meant by
>> duplicated settings. They are different settings, but functionally
>> similar. You could consolidate all of your restrictions into
>> smtpd_recipient_restrictions. Unless you need complex whitelisting,
>> it's usually easier that way, to only maintain one set of
>> restrictions.
>>
>>> reject_unauth_pipelining,    reject_non_fqdn_recipient,  
>>> reject_unknown_recipient_domain,    permit_mynetworks,  
>>> permit_sasl_authenticated,    reject_unauth_destination,  
>>> reject_rbl_client relays.ordb.org,  
>>> reject_rbl_clientlist.dsbl.org,
>>
>> Both of these are LONG dead and gone, so maybe you did not know about
>> MAPS RBL? Also, you have no space there. Furthermore, you pasted your
>> "postconf -n", and it shows a different setting of
>> smtpd_recipient_restrictions. We believe what postconf(1) tells us.
>
> When I first captured the output from postconf -n, I noticed afterwards that both variables were set twice in the Postfix main.cf file.  Something like this:
>
> ....
> smtpd_client_restrictions = <values I wrote myself>
> smtpd_recipient_restrictions = <values I wrote myself>
> ...
> smtpd_client_restrictions = <basic settings written by Server app or some other Mac admin tool>
> smtpd_recipient_restrictions = <basic settings written by Server app or some other Mac admin tool>
>
> I removed the last variables whose values were shown in the first post, then reposted the new values.
>
> This change seems to have been my missing link.  Since I made it, spam arriving in IMAP boxes has dropped drastically in the past several hours.

Well I spoke too soon.  The flood of spam started again this morning.  

Obviously something isn't working.  All testimonials I've read say that grey listing stops 90% of spam but it's not working.

Eric.

> The RBL sites come from various Postfix tutorials on the web, many of which are getting woefully dated.  Thanks for the updates.
>
> Eric.
>

Re: Postfix Mac Administration

Simon Brereton-2
On 5 January 2012 11:24, Eric Lemings <[hidden email]> wrote:

>
> On Jan 4, 2012, at 11:46 PM, Eric Lemings <[hidden email]> wrote:
>
>>
>> On Jan 4, 2012, at 9:54 PM, /dev/rob0 wrote:
>>
>>> On Wednesday 04 January 2012 20:45:23 Eric Lemings wrote:
>>>> I just noticed that two of my Postfix configuration variables were
>>>> set twice, the latter of which was overriding the former.  Here's
>>>> the new values:
>>>
>>> The list policy asks for "postconf -n" because that reports values
>>> Postfix is actually using.
>>>
>>>> smtpd_client_restrictions = permit_mynetworks
>>>> permit_sasl_authenticated    reject_rbl_client zen.spamhaus.org
>>>> reject_rbl_client rbl-plus.mail-abuse.org    reject_rbl_client
>>>> bl.spamcop.net    permit
>>>
>>> MAPS RBL is a paid service only, but I suppose you knew that.
>>>
>>>> smtpd_recipient_restrictions =
>>>
>>> BTW "client" != "recipient", in case that is what you meant by
>>> duplicated settings. They are different settings, but functionally
>>> similar. You could consolidate all of your restrictions into
>>> smtpd_recipient_restrictions. Unless you need complex whitelisting,
>>> it's usually easier that way, to only maintain one set of
>>> restrictions.
>>>
>>>> reject_unauth_pipelining,    reject_non_fqdn_recipient,
>>>> reject_unknown_recipient_domain,    permit_mynetworks,
>>>> permit_sasl_authenticated,    reject_unauth_destination,
>>>> reject_rbl_client relays.ordb.org,
>>>> reject_rbl_clientlist.dsbl.org,
>>>
>>> Both of these are LONG dead and gone, so maybe you did not know about
>>> MAPS RBL? Also, you have no space there. Furthermore, you pasted your
>>> "postconf -n", and it shows a different setting of
>>> smtpd_recipient_restrictions. We believe what postconf(1) tells us.
>>
>> When I first captured the output from postconf -n, I noticed afterwards that both variables were set twice in the Postfix main.cf file.  Something like this:
>>
>> ....
>> smtpd_client_restrictions = <values I wrote myself>
>> smtpd_recipient_restrictions = <values I wrote myself>
>> ...
>> smtpd_client_restrictions = <basic settings written by Server app or some other Mac admin tool>
>> smtpd_recipient_restrictions = <basic settings written by Server app or some other Mac admin tool>
>>
>> I removed the last variables whose values were shown in the first post, then reposted the new values.
>>
>> This change seems to have been my missing link.  Since I made it, spam arriving in IMAP boxes has dropped drastically in the past several hours.
>
> Well I spoke too soon.  The flood of spam started again this morning.
>
> Obviously something isn't working.  All testimonials I've read say that grey listing stops 90% of spam but it's not working.

So post log snippets as you were asked to do and someone can help you.

Simon

Re: Postfix Mac Administration

Noel Jones-2
In reply to this post by Eric Lemings-3
On 1/5/2012 10:24 AM, Eric Lemings wrote:
> Well I spoke too soon.  The flood of spam started again this morning.  
>
> Obviously something isn't working.  All testimonials I've read say that grey listing stops 90% of spam but it's not working.
>
> Eric.


How effective any particular anti-spam method is depends greatly on
where your spam comes from.

Greylisting is very effective against spambots delivering directly
to your MX, but does nothing with spam coming from a real mail
server or a trusted upstream relay.

Dnsbl's likewise are very effective against known spam sources
connecting directly to your MX, but will not reject mail from a
trusted upstream relay.  Dnsbl's might also be ineffective if your
DNS source is blacklisted by the dnsbl provider.

Postscreen is also very effective against bot spam and known dnsbl
listed spam sources, but is ineffective if the mail passes through a
trusted upstream relay.

One thing you'll notice above is that the most effective anti-spam
techniques are ineffective if your mail comes from a trusted relay.

So you have to do some research.
- are you using an upstream relay or is mail delivered direct to
your postfix?
- where is your spam coming from?
- how does the spam get to your inbox? What servers does it
typically pass through?
- are your dnsbl's working?
- do you need more filtering such as SpamAssassin or clamav?

We can't answer most of these questions without knowing a lot more
about your system and your spam -- which we might not care to spend
the time doing.

And of course spam evolves over time.  What worked great 2 years ago
might be useless now.



  -- Noel Jones

spam problems, was: Re: Postfix Mac Aministration

/dev/rob0
In reply to this post by Eric Lemings-3
[ subject changed to be relevant to the thread ]

On Thursday 05 January 2012 10:24:11 Eric Lemings wrote:
> On Jan 4, 2012, at 11:46 PM, Eric Lemings <[hidden email]>
> wrote:
> > This change seems to have been my missing link.  Since I made
> > it, spam arriving in IMAP boxes has dropped drastically in the
> > past several hours.
>
> Well I spoke too soon.  The flood of spam started again this
> morning.

Refer to Stan's posts. He went into detail on things I skipped.

Also, as we both said, share some information if you want useful
suggestions.

> Obviously something isn't working.  All testimonials I've read
> say that grey listing stops 90% of spam but it's not working.

I would not agree with that. It stops some, but it is not worth the
hardship of delayed mail. The postscreen after-220 tests are as
effective as greylisting with slightly less pain.
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: Postfix Mac Aministration

Eric Lemings-3
In reply to this post by /dev/rob0

On Jan 4, 2012, at 9:54 PM, /dev/rob0 wrote:

> On Wednesday 04 January 2012 20:45:23 Eric Lemings wrote:
> ...
>> smtpd_recipient_restrictions =
>
> BTW "client" != "recipient", in case that is what you meant by
> duplicated settings. They are different settings, but functionally
> similar. You could consolidate all of your restrictions into
> smtpd_recipient_restrictions. Unless you need complex whitelisting,
> it's usually easier that way, to only maintain one set of
> restrictions.

After this was suggested twice, I figure it's probably a good idea so I consolidated smtpd_client_restrictions into smtpd_recipient_restrictions.  :)

> ...
> I could suggest signing up for the Barracuda BRBL and using Spam-
> eating Monkey, and could nitpick some of the postconf, but overall
> it's not that bad, you have sane and strong antispam controls in
> place. Maybe share logs and samples of the spam you got?
>
> One WAG I came up with: are you using a DNS forwarder which is
> probably blocked by Spamhaus? Try testing, from the Postfix host:
>  $ dig 2.0.0.127.zen.spamhaus.org. any
> This should return their test records. Compare with NXDOMAIN here:
>  $ dig 2.0.0.127.zen.spamhaus.org. any @8.8.4.4

I ran these two dig commands.  Here's the output from my mail server:

        [root@myhost postfix]$ dig 2.0.0.127.zen.spamhaus.org. any

        ; <<>> DiG 9.7.3-P3 <<>> 2.0.0.127.zen.spamhaus.org. any
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48990
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;2.0.0.127.zen.spamhaus.org. IN ANY

        ;; ANSWER SECTION:
        2.0.0.127.zen.spamhaus.org. 900 IN A 127.0.0.2
        2.0.0.127.zen.spamhaus.org. 900 IN A 127.0.0.10
        2.0.0.127.zen.spamhaus.org. 900 IN A 127.0.0.4
        2.0.0.127.zen.spamhaus.org. 900 IN TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL233"
        2.0.0.127.zen.spamhaus.org. 900 IN TXT "http://www.spamhaus.org/query/bl?ip=127.0.0.2"

        ;; Query time: 58 msec
        ;; SERVER: 192.168.0.1#53(192.168.0.1)
        ;; WHEN: Fri Jan  6 01:40:57 2012
        ;; MSG SIZE  rcvd: 213

        [root@myhost postfix]$ dig 2.0.0.127.zen.spamhaus.org. any @8.8.4.4

        ; <<>> DiG 9.7.3-P3 <<>> 2.0.0.127.zen.spamhaus.org. any @8.8.4.4
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33677
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;2.0.0.127.zen.spamhaus.org. IN ANY

        ;; AUTHORITY SECTION:
        zen.spamhaus.org. 150 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1201060830 3600 600 432000 150

        ;; Query time: 157 msec
        ;; SERVER: 8.8.4.4#53(8.8.4.4)
        ;; WHEN: Fri Jan  6 01:43:09 2012
        ;; MSG SIZE  rcvd: 108

Not sure how to interpret that output though.

It seems the new spam control measures in my Postfix configuration may actually be working now.  The quantity has tapered off significantly after the initial flood of spam which may have been queued up retries I'm guessing.

Eric.


Re: Postfix Mac Aministration

Eric Lemings-3
In reply to this post by Stan Hoeppner

On Jan 5, 2012, at 2:33 AM, Stan Hoeppner wrote:

> On 1/4/2012 10:54 PM, /dev/rob0 wrote:
>
>> You could consolidate all of your restrictions into
>> smtpd_recipient_restrictions. Unless you need complex whitelisting,
>> it's usually easier that way, to only maintain one set of
>> restrictions.
>
> I recommend this as well.  For me it's much easier to work with and
> debug.  I find it actually works better for complex whitelisting.
>
>> Zen has superseded sbl-xbl.spamhaus.org, which both below and above,
>> you say you are using.
>
> It appears none of your current dnsbls target snowshoe spam.  I'd
> recommend adding Spamhaus' DBL to your config:
>
> smtpd_recipient_restrictions =
> ...
>        reject_rhsbl_client dbl.spamhaus.org
>        reject_rhsbl_sender dbl.spamhaus.org
>        reject_rhsbl_helo dbl.spamhaus.org
> ...
>

I added these too.  I think I'm finally getting into the "fine-tuning" phase.  :)

Eric.


Re: Postfix Mac Aministration

Stan Hoeppner
In reply to this post by Eric Lemings-3
On 1/6/2012 3:05 AM, Eric Lemings wrote:

> [root@myhost postfix]$ dig 2.0.0.127.zen.spamhaus.org. any
...
> ;; ANSWER SECTION:
> 2.0.0.127.zen.spamhaus.org. 900 IN A 127.0.0.2
> 2.0.0.127.zen.spamhaus.org. 900 IN A 127.0.0.10
> 2.0.0.127.zen.spamhaus.org. 900 IN A 127.0.0.4
> 2.0.0.127.zen.spamhaus.org. 900 IN TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL233"
> 2.0.0.127.zen.spamhaus.org. 900 IN TXT "http://www.spamhaus.org/query/bl?ip=127.0.0.2"

This means your queries should be working.

> It seems the new spam control measures in my Postfix configuration may actually be working now.  The quantity has tapered off significantly after the initial flood of spam which may have been queued up retries I'm guessing.

Bot spam engines never retry failed deliveries, and greylisting relies
on this fact to block bot spam.  Most snowshoe spammer hosts don't retry
either, by design.

Considering you just consolidated everything under
smtpd_recipient_restrictions, you should share "postconf -n" output
again so we can sanity check it.  Restriction order can be important,
sometimes critical.

--
Stan
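
An added example, not part of the original thread: Python that reads dig output for the 127.0.0.2 test entry and reports whether that resolver can use the list. The function name and verdict strings are illustrative, the two samples are trimmed from the dig runs posted earlier in the thread, and the 127.255.255.x branch assumes Spamhaus's documented error replies, which the thread does not show.

```python
import re

# Return codes Spamhaus documents for zen: 127.0.0.2 SBL, .4 XBL, .10 PBL.
ZEN_LISTS = {"127.0.0.2": "SBL", "127.0.0.4": "XBL", "127.0.0.10": "PBL"}

# Trimmed from the two dig runs posted earlier in the thread.
LOCAL_RESOLVER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48990
2.0.0.127.zen.spamhaus.org. 900 IN A 127.0.0.2
2.0.0.127.zen.spamhaus.org. 900 IN A 127.0.0.10
2.0.0.127.zen.spamhaus.org. 900 IN A 127.0.0.4
;; SERVER: 192.168.0.1#53(192.168.0.1)
"""
PUBLIC_RESOLVER = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33677
zen.spamhaus.org. 150 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1201060830 3600 600 432000 150
;; SERVER: 8.8.4.4#53(8.8.4.4)
"""


def interpret_dnsbl_test(dig_output):
    """Decide whether a resolver can see the DNSBL's 127.0.0.2 test entry."""
    status = re.search(r"status: (\w+)", dig_output)
    server = re.search(r"^\s*;; SERVER: ([^#\s]+)", dig_output, re.M)
    answers = re.findall(r"^\s*\S+\s+\d+\s+IN\s+A\s+(\S+)\s*$", dig_output, re.M)
    lists = sorted(ZEN_LISTS[a] for a in answers if a in ZEN_LISTS)
    # Assumption: 127.255.255.x answers are error replies, not listings.
    errors = [a for a in answers if a.startswith("127.255.255.")]
    if errors:
        verdict = "resolver refused (error code)"
    elif lists:
        verdict = "working"
    else:
        # The test entry is always listed, so an empty or NXDOMAIN answer
        # means queries through this resolver are not being served.
        verdict = "blocked or filtered"
    return {
        "resolver": server.group(1) if server else None,
        "status": status.group(1) if status else None,
        "lists": lists,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for sample in (LOCAL_RESOLVER, PUBLIC_RESOLVER):
        print(interpret_dnsbl_test(sample))
```

Feed it dig output captured on the Postfix host itself, since that host's resolver is the one Postfix uses for its DNSBL lookups.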

Re: Postfix Mac Aministration

Eric Lemings-3

On Jan 6, 2012, at 5:15 AM, Stan Hoeppner wrote:

> On 1/6/2012 3:05 AM, Eric Lemings wrote:
>
>> [root@myhost postfix]$ dig 2.0.0.127.zen.spamhaus.org. any
> ...
>> ;; ANSWER SECTION:
>> 2.0.0.127.zen.spamhaus.org. 900 IN A 127.0.0.2
>> 2.0.0.127.zen.spamhaus.org. 900 IN A 127.0.0.10
>> 2.0.0.127.zen.spamhaus.org. 900 IN A 127.0.0.4
>> 2.0.0.127.zen.spamhaus.org. 900 IN TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL233"
>> 2.0.0.127.zen.spamhaus.org. 900 IN TXT "http://www.spamhaus.org/query/bl?ip=127.0.0.2"
>
> This means your queries should be working.
>
>> It seems the new spam control measures in my Postfix configuration may actually be working now.  The quantity has tapered off significantly after the initial flood of spam which may have been queued up retries I'm guessing.
>
> Bot spam engines never retry failed deliveries, and greylisting relies
> on this fact to block bot spam.  Most snowshoe spammer hosts don't retry
> either, by design.
>
> Considering you just consolidated everything under
> smtpd_recipient_restrictions, you should share "postconf -n" output
> again so we can sanity check it.  Restriction order can be important,
> sometimes critical.

Current 'postconf -n' output:

command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
imap_submit_cred_file = /private/etc/postfix/submit.cred
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, myhost, $mydomain, mail
mydomain = lemings.com
mydomain_fallback = localhost
myhostname = mail.lemings.com
mynetworks = 127.0.0.0/8,192.168.0.0/16
newaliases_path = /usr/bin/newaliases
postscreen_dnsbl_sites = zen.spamhaus.org*2 rbl-plus.mail-abuse.org bl.spamcop.net
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_canonical_maps = hash:/etc/postfix/system_user_maps
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_auth_enable = no
smtp_sasl_password_maps =
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,    check_helo_access         hash:/etc/postfix/helo_access,    reject_non_fqdn_helo_hostname,    reject_invalid_helo_hostname,    permit
smtpd_pw_server_security_options = cram-md5,gssapi,login,plain
smtpd_recipient_restrictions = reject_unauth_pipelining,    reject_non_fqdn_recipient,    reject_unknown_recipient_domain,    permit_mynetworks,    permit_sasl_authenticated,    reject_unauth_destination,    reject_rhsbl_client dbl.spamhaus.org,    reject_rhsbl_sender dbl.spamhaus.org,    reject_rhsbl_helo dbl.spamhaus.org,    reject_rbl_client zen.spamhaus.org,    reject_rbl_client rbl-plus.mail-abuse.org,    reject_rbl_client bl.spamcop.net,    check_policy_service unix:private/policy,    permit
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/myhost.lemings.com.F10D537E0CACDAC26C86B0FAA5A3E24477F0F6A3.chain.pem
smtpd_tls_cert_file = /etc/certificates/myhost.lemings.com.F10D537E0CACDAC26C86B0FAA5A3E24477F0F6A3.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/myhost.lemings.com.F10D537E0CACDAC26C86B0FAA5A3E24477F0F6A3.key.pem
smtpd_use_pw_server = yes
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
use_sacl_cache = yes
virtual_alias_maps = $virtual_maps

Still quite a bit of spam getting through.

Eric.


Re: Postfix Mac Aministration

Stan Hoeppner
On 1/6/2012 8:35 PM, Eric Lemings wrote:

> Current 'postconf -n' output:
>
> command_directory = /usr/sbin

This is likely your default.  Check with 'postconf -d command_directory'
and remove this line if it is.  Don't re-specify default values in
main.cf.  It simply clutters things up making sleuthing more difficult
than need be.

> config_directory = /etc/postfix

Same as above.

> daemon_directory = /usr/libexec/postfix

Possibly here as well.  On Debian it's /usr/lib/postfix but on OSX it
may be libexec.  If the default is libexec, remove this line.

> debug_peer_level = 2

This is the default value.  Remove this line.  Unless of course Apple
changed the default to another value, which they should not have.

> enable_server_options = yes

This doesn't seem to be a valid main.cf parameter.  An Apple add-on I
assume.

> imap_submit_cred_file = /private/etc/postfix/submit.cred

Same here.

> inet_interfaces = all

Again, default.  Remove this line.

> local_recipient_maps = proxy:unix:passwd.byname $alias_maps

Default.  Remove.

> mail_owner = _postfix

Default.  Remove.

> mailq_path = /usr/bin/mailq

Default.  Remove.

> manpage_directory = /usr/share/man

Default.  Remove.

> maps_rbl_domains =

Deprecated parameter.  Remove.

> mydestination = $myhostname, localhost.$mydomain, localhost, myhost, $mydomain, mail

Are you sure you need all 6 of these?

> mydomain_fallback = localhost

Another Apple add on, seems useless.

> newaliases_path = /usr/bin/newaliases

Default.  Remove.

> postscreen_dnsbl_sites = zen.spamhaus.org*2 rbl-plus.mail-abuse.org bl.spamcop.net

Again, MAPS is a paid service.  If you don't have a subscription remove.

> readme_directory = /usr/share/doc/postfix

Default.  Remove.

> relayhost =

Default.  Remove.

> sendmail_path = /usr/sbin/sendmail

Default.  Remove.

> smtp_sasl_auth_enable = no
> smtp_sasl_password_maps =
> smtpd_enforce_tls = no

All 3 are defaults.  Remove them.

> smtpd_helo_restrictions = permit_mynetworks,    check_helo_access         hash:/etc/postfix/helo_access,    reject_non_fqdn_helo_hostname,    reject_invalid_helo_hostname,    permit

Consolidate your helo restrictions into recipient restrictions.

> smtpd_pw_server_security_options = cram-md5,gssapi,login,plain

Yet another Apple add on...

> smtpd_recipient_restrictions = reject_unauth_pipelining,    reject_non_fqdn_recipient,    reject_unknown_recipient_domain,    permit_mynetworks,    permit_sasl_authenticated,    reject_unauth_destination,    reject_rhsbl_client dbl.spamhaus.org,    reject_rhsbl_sender dbl.spamhaus.org,    reject_rhsbl_helo dbl.spamhaus.org,    reject_rbl_client zen.spamhaus.org,    reject_rbl_client rbl-plus.mail-abuse.org,    reject_rbl_client bl.spamcop.net,    check_policy_service unix:private/policy,    permit

You may want to move these first 3 after reject_unauth_destination.
Also, there's no need for an explicit permit at the end as that is the
default behavior.

> smtpd_use_pw_server = yes

Yet another Apple add on.

> tls_random_source = dev:/dev/urandom

Default.  Remove.

> unknown_local_recipient_reject_code = 550

Default.  Remove.

> use_sacl_cache = yes

Another Apple add on.

> virtual_alias_maps = $virtual_maps

Default.  Remove.


I'm guessing a lot of the redundant default junk in your main.cf was
inserted by Apple (IIRC the CentOS/Red Hat people are horrible about
this as well).  Thus your next package upgrade may put them right back in.

> Still quite a bit of spam getting through.

The spam making it in is probably not related to some of the changes you
should make above.  Post the "connect from:" lines in your mail log of a
dozen or so of these spam connections so we can identify the sources and
recommend tools/methods to put a dent in it.

--
Stan
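
An added example, not part of the original thread: Python that applies four of the review comments above to `postconf -n` text (restrictions listed ahead of reject_unauth_destination, the explicit trailing permit, the separate helo restriction list, and the deprecated maps_rbl_domains). The function names and finding labels are illustrative, and the input is trimmed from the configuration posted earlier in the thread.

```python
import re

# Trimmed from the 'postconf -n' output posted in the thread.
POSTCONF = """\
maps_rbl_domains =
smtpd_helo_restrictions = permit_mynetworks,    check_helo_access         hash:/etc/postfix/helo_access,    reject_non_fqdn_helo_hostname,    permit
smtpd_recipient_restrictions = reject_unauth_pipelining,    reject_non_fqdn_recipient,    reject_unknown_recipient_domain,    permit_mynetworks,    permit_sasl_authenticated,    reject_unauth_destination,    reject_rbl_client zen.spamhaus.org,    check_policy_service unix:private/policy,    permit
"""
ACTION = re.compile(r"(permit|reject|defer|check_|warn_if_reject)")


def parse_postconf(text):
    """Map each 'name = value' line to its list of restrictions."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        items = []
        for token in filter(None, re.split(r"[,\s]+", value)):
            if ACTION.match(token) or not items:
                items.append(token)       # opens a new restriction
            else:
                items[-1] += " " + token  # argument: DNSBL zone, map name
        if sep:
            params[name.strip()] = items
    return params


def review(text):
    """Return (finding, items) pairs mirroring the comments in the thread."""
    params = parse_postconf(text)
    rcpt = params.get("smtpd_recipient_restrictions", [])
    findings = []
    if "reject_unauth_destination" in rcpt:
        cut = rcpt.index("reject_unauth_destination")
        early = [r for r in rcpt[:cut] if r.startswith("reject")]
        if early:
            findings.append(("listed before reject_unauth_destination", early))
    if rcpt and rcpt[-1] == "permit":
        findings.append(("redundant trailing permit", ["permit"]))
    split = sorted(k for k, v in params.items() if v and
                   re.fullmatch(r"smtpd_(client|helo|sender)_restrictions", k))
    if split:
        findings.append(("consolidate into smtpd_recipient_restrictions", split))
    if "maps_rbl_domains" in params:
        findings.append(("deprecated parameter", ["maps_rbl_domains"]))
    return findings
```

`review(POSTCONF)` returns all four findings for the thread's configuration; pass it the saved text of `postconf -n` from another host to check that one. Postfix evaluates each restriction list in the order written, which is why position relative to reject_unauth_destination is reported rather than mere presence.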