Postfix Postfix Users

Suggestions for less spam

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
16 messages Options
Paul van der Vlis
Reply | Threaded
Open this post in threaded view
|

Suggestions for less spam

Paul van der Vlis
Hello,

I would like some suggestions on how to get less spam, I will paste my
configuration at the end of the mail.

Maybe somebody with a nice setup could post his/her setup?

As you can see, I am experimenting with reject_unknown_client_hostname.
What's your opinion about that setting?

I've never used greylisting. Are you using it?

With regards,
Paul van der Vlis


root@server:~# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
compatibility_level = 2
content_filter = amavis:[127.0.0.1]:10024
inet_interfaces = all
inet_protocols = ipv4, ipv6
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
message_size_limit = 224000000
mydestination = server.vandervlis.nl, server.lokaal.netwerk,
localhost.lokaal.netwerk, localhost
myhostname = server.vandervlis.nl
mynetworks = 127.0.0.1/32
myorigin = /etc/mailname
recipient_delimiter = +
relayhost =
smtp_tls_cert_file =
/etc/letsencrypt/live/server.vandervlis.nl/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/server.vandervlis.nl/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
hash:/etc/postfix/helo_access, permit
smtpd_recipient_restrictions = permit_mynetworks, check_sender_access
hash:/etc/postfix/sender_access, permit_sasl_authenticated,
check_sender_access hash:/etc/postfix/whitelist, warn_if_reject
reject_unknown_client_hostname, reject_invalid_hostname,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client
ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net, reject_rbl_client
zen.spamhaus.org, reject_rbl_client cbl.abuseat.org,
check_recipient_access pcre:/etc/postfix/recipient_access, permit
smtpd_relay_restrictions =
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file =
/etc/letsencrypt/live/server.vandervlis.nl/fullchain.pem
smtpd_tls_exclude_ciphers = RC4
smtpd_tls_key_file = /etc/letsencrypt/live/server.vandervlis.nl/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transportmappings
virtual_maps = hash:/etc/postfix/virtual
root@server:~#






--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
Dominic Raferd
Reply | Threaded
Open this post in threaded view
|

Re: Suggestions for less spam

Dominic Raferd
On Sun, 22 Sep 2019 at 14:36, Paul van der Vlis <[hidden email]> wrote:

>
> Hello,
>
> I would like some suggestions on how to get less spam, I will paste my
> configuration at the end of the mail.
>
> Maybe somebody with a nice setup could post his/her setup?
>
> As you can see, I am experimenting with reject_unknown_client_hostname.
> What's your opinion about that setting?
>
> I've never used greylisting. Are you using it?

I have been tweaking my settings for the last three years largely
based on advice from this list. I give below my (slightly simplified)
smtpd_recipient_restrictions settings for unauthenticated connections
(suggestions for improvement very welcome). I also apply some
header_checks and use spamassassin and clamav (via amavis) with some
bespoke rules.

I think it is inadvisable to use reject_unknown_client_hostname (risk
of fps) but I have found reject_unknown_reverse_client_hostname very
effective. I tried greylisting but gave it up - it isn't necessary and
the delays were very irritating to users (e.g. for password reset
emails).

smtpd_recipient_restrictions =
    reject_unauth_pipelining

     # localfile whitelists
    check_sender_access hash:/etc/postfix/sender_access_whitelist
    check_client_access hash:/etc/postfix/client_access_whitelist
    check_client_access cidr:/etc/postfix/client_access_whitelist.cidr
    check_helo_access hash:/etc/postfix/helo_access_whitelist

    # localfile blacklists
    check_sender_access hash:/etc/postfix/sender_access
    check_client_access hash:/etc/postfix/client_access
    check_helo_access hash:/etc/postfix/helo_access
    check_sender_access pcre:/etc/postfix/sender_access.pcre

    # reject clients without PTR
    reject_unknown_reverse_client_hostname

    # reject clients with dynamic ips
    reject_rbl_client dul.dnsbl.sorbs.net=127.0.0.10

    # rejections based on rbls for helo/sender/reverse_client
    reject_rhsbl_helo dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_reverse_client dbl.spamhaus.org
    reject_rhsbl_sender fresh.fmb.la=127.2.0.[2;14]

    # ip-based remote whitelists
    permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
    permit_dnswl_client white.uribl.com
    permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;3;5]

    # ip-based remote blacklists
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client dyna.spamrats.com
    reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
    reject_rbl_client truncate.gbudb.net
    reject_rbl_client dnsbl.cobion.com
    reject_rbl_client bl.fmb.la=127.0.0.2
    reject_rbl_client b.barracudacentral.org
Matus UHLAR - fantomas
Reply | Threaded
Open this post in threaded view
|

Re: Suggestions for less spam

Matus UHLAR - fantomas
In reply to this post by Paul van der Vlis
On 22.09.19 15:35, Paul van der Vlis wrote:
>I would like some suggestions on how to get less spam, I will paste my
>configuration at the end of the mail.
>
>Maybe somebody with a nice setup could post his/her setup?

use postscreen, with weighed blacklists.
Use spamass-milter or amavisd-milter with refusing spam scoring over 10
(maybe less, I put it down to 8 after I train it properly).

>As you can see, I am experimenting with reject_unknown_client_hostname.
>What's your opinion about that setting?

good idea, but you may want whitelist (exemption) for this.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.
@lbutlr
Reply | Threaded
Open this post in threaded view
|

Re: Suggestions for less spam

@lbutlr
In reply to this post by Dominic Raferd
On Sep 22, 2019, at 9:59 AM, Dominic Raferd <[hidden email]> wrote:
> I think it is inadvisable to use reject_unknown_client_hostname

Yes, you will lose legitimate mail with this, but in my limited experience it is all junk (marketing mail, remailer services, and the like; not technically spam), and a lot of spam. You will probably need to whitelist some senders?

> (risk of fps) but I have found reject_unknown_reverse_client_hostname very
> effective.

Yep, though again, you might hot some ham. I have a mailing list right now that I subscribe to that hits this, so had to white list its server.



--
No man is free who is not master of himself

Paul van der Vlis
Reply | Threaded
Open this post in threaded view
|

Re: Suggestions for less spam

Paul van der Vlis
In reply to this post by Dominic Raferd
Op 22-09-19 om 17:59 schreef Dominic Raferd:

> I have been tweaking my settings for the last three years largely
> based on advice from this list. I give below my (slightly simplified)
> smtpd_recipient_restrictions settings for unauthenticated connections
> (suggestions for improvement very welcome). I also apply some
> header_checks and use spamassassin and clamav (via amavis) with some
> bespoke rules.

Much thanks for your help. It will take some time to study it.

> I think it is inadvisable to use reject_unknown_client_hostname (risk
> of fps) but I have found reject_unknown_reverse_client_hostname very
> effective.

I have heard that more.

> I tried greylisting but gave it up - it isn't necessary and
> the delays were very irritating to users (e.g. for password reset
> emails).

I don't like it too.

With regards,
Paul


--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
Paul van der Vlis
Reply | Threaded
Open this post in threaded view
|

Re: Suggestions for less spam

Paul van der Vlis
In reply to this post by Dominic Raferd
I am using now much of your setting and it seems to help. Thanks a lot!


Op 22-09-19 om 17:59 schreef Dominic Raferd:

> On Sun, 22 Sep 2019 at 14:36, Paul van der Vlis <[hidden email]> wrote:
>>
>> Hello,
>>
>> I would like some suggestions on how to get less spam, I will paste my
>> configuration at the end of the mail.
>>
>> Maybe somebody with a nice setup could post his/her setup?
>>
>> As you can see, I am experimenting with reject_unknown_client_hostname.
>> What's your opinion about that setting?
>>
>> I've never used greylisting. Are you using it?
>
> I have been tweaking my settings for the last three years largely
> based on advice from this list. I give below my (slightly simplified)
> smtpd_recipient_restrictions settings for unauthenticated connections
> (suggestions for improvement very welcome). I also apply some
> header_checks and use spamassassin and clamav (via amavis) with some
> bespoke rules.
>
> I think it is inadvisable to use reject_unknown_client_hostname (risk
> of fps) but I have found reject_unknown_reverse_client_hostname very
> effective. I tried greylisting but gave it up - it isn't necessary and
> the delays were very irritating to users (e.g. for password reset
> emails).
>
> smtpd_recipient_restrictions =
>     reject_unauth_pipelining
>
>      # localfile whitelists
>     check_sender_access hash:/etc/postfix/sender_access_whitelist
>     check_client_access hash:/etc/postfix/client_access_whitelist
>     check_client_access cidr:/etc/postfix/client_access_whitelist.cidr
>     check_helo_access hash:/etc/postfix/helo_access_whitelist
>
>     # localfile blacklists
>     check_sender_access hash:/etc/postfix/sender_access
>     check_client_access hash:/etc/postfix/client_access
>     check_helo_access hash:/etc/postfix/helo_access
>     check_sender_access pcre:/etc/postfix/sender_access.pcre
>
>     # reject clients without PTR
>     reject_unknown_reverse_client_hostname
>
>     # reject clients with dynamic ips
>     reject_rbl_client dul.dnsbl.sorbs.net=127.0.0.10
>
>     # rejections based on rbls for helo/sender/reverse_client
>     reject_rhsbl_helo dbl.spamhaus.org
>     reject_rhsbl_sender dbl.spamhaus.org
>     reject_rhsbl_reverse_client dbl.spamhaus.org
>     reject_rhsbl_sender fresh.fmb.la=127.2.0.[2;14]
>
>     # ip-based remote whitelists
>     permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
>     permit_dnswl_client white.uribl.com
>     permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;3;5]
>
>     # ip-based remote blacklists
>     reject_rbl_client zen.spamhaus.org
>     reject_rbl_client dyna.spamrats.com
>     reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
>     reject_rbl_client truncate.gbudb.net
>     reject_rbl_client dnsbl.cobion.com
>     reject_rbl_client bl.fmb.la=127.0.0.2
>     reject_rbl_client b.barracudacentral.org
>



--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
Matus UHLAR - fantomas
Reply | Threaded
Open this post in threaded view
|

Re: Suggestions for less spam

Matus UHLAR - fantomas
On 24.09.19 12:11, Paul van der Vlis wrote:
>I am using now much of your setting and it seems to help. Thanks a lot!

I would just like to note that all those reject_rbl_client directives are
prone to errors when any of those blacklist fails.

That's why I suggestes to use postscreen, where you can define whitelists
and minimum score for listing.
Postscreen in addition helps catching many bots not listed in blacklists.

>Op 22-09-19 om 17:59 schreef Dominic Raferd:
>> On Sun, 22 Sep 2019 at 14:36, Paul van der Vlis <[hidden email]> wrote:
>>>
>>> Hello,
>>>
>>> I would like some suggestions on how to get less spam, I will paste my
>>> configuration at the end of the mail.
>>>
>>> Maybe somebody with a nice setup could post his/her setup?
>>>
>>> As you can see, I am experimenting with reject_unknown_client_hostname.
>>> What's your opinion about that setting?
>>>
>>> I've never used greylisting. Are you using it?
>>
>> I have been tweaking my settings for the last three years largely
>> based on advice from this list. I give below my (slightly simplified)
>> smtpd_recipient_restrictions settings for unauthenticated connections
>> (suggestions for improvement very welcome). I also apply some
>> header_checks and use spamassassin and clamav (via amavis) with some
>> bespoke rules.
>>
>> I think it is inadvisable to use reject_unknown_client_hostname (risk
>> of fps) but I have found reject_unknown_reverse_client_hostname very
>> effective. I tried greylisting but gave it up - it isn't necessary and
>> the delays were very irritating to users (e.g. for password reset
>> emails).
>>
>> smtpd_recipient_restrictions =
>>     reject_unauth_pipelining
>>
>>      # localfile whitelists
>>     check_sender_access hash:/etc/postfix/sender_access_whitelist
>>     check_client_access hash:/etc/postfix/client_access_whitelist
>>     check_client_access cidr:/etc/postfix/client_access_whitelist.cidr
>>     check_helo_access hash:/etc/postfix/helo_access_whitelist
>>
>>     # localfile blacklists
>>     check_sender_access hash:/etc/postfix/sender_access
>>     check_client_access hash:/etc/postfix/client_access
>>     check_helo_access hash:/etc/postfix/helo_access
>>     check_sender_access pcre:/etc/postfix/sender_access.pcre
>>
>>     # reject clients without PTR
>>     reject_unknown_reverse_client_hostname
>>
>>     # reject clients with dynamic ips
>>     reject_rbl_client dul.dnsbl.sorbs.net=127.0.0.10
>>
>>     # rejections based on rbls for helo/sender/reverse_client
>>     reject_rhsbl_helo dbl.spamhaus.org
>>     reject_rhsbl_sender dbl.spamhaus.org
>>     reject_rhsbl_reverse_client dbl.spamhaus.org
>>     reject_rhsbl_sender fresh.fmb.la=127.2.0.[2;14]
>>
>>     # ip-based remote whitelists
>>     permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
>>     permit_dnswl_client white.uribl.com
>>     permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;3;5]
>>
>>     # ip-based remote blacklists
>>     reject_rbl_client zen.spamhaus.org
>>     reject_rbl_client dyna.spamrats.com
>>     reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
>>     reject_rbl_client truncate.gbudb.net
>>     reject_rbl_client dnsbl.cobion.com
>>     reject_rbl_client bl.fmb.la=127.0.0.2
>>     reject_rbl_client b.barracudacentral.org
>>
>
>
>
>--
>Paul van der Vlis Linux systeembeheer Groningen
>https://www.vandervlis.nl/

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Dominic Raferd
Reply | Threaded
Open this post in threaded view
|

Re: Suggestions for less spam

Dominic Raferd
On Tue, 24 Sep 2019 at 11:31, Matus UHLAR - fantomas <[hidden email]> wrote:
On 24.09.19 12:11, Paul van der Vlis wrote:
>I am using now much of your setting and it seems to help. Thanks a lot!

I would just like to note that all those reject_rbl_client directives are
prone to errors when any of those blacklist fails.

An occasional individual blacklist lookup failure is not a problem, and is rare (except for b.barracudacentral.org). I have not felt the need for postscreen but of course it is a good tool: I prefer to block by ip last and to log helo, envelope sender & recipient as well as client ip. This puts a little more load on the server, but information is power.
Matus UHLAR - fantomas
Reply | Threaded
Open this post in threaded view
|

Re: Suggestions for less spam

Matus UHLAR - fantomas
>> On 24.09.19 12:11, Paul van der Vlis wrote:
>> >I am using now much of your setting and it seems to help. Thanks a lot!

>On Tue, 24 Sep 2019 at 11:31, Matus UHLAR - fantomas <[hidden email]>
>wrote:
>> I would just like to note that all those reject_rbl_client directives are
>> prone to errors when any of those blacklist fails.

On 24.09.19 11:54, Dominic Raferd wrote:
>An occasional individual blacklist lookup failure is not a problem, and is
>rare (except for b.barracudacentral.org). I have not felt the need for
>postscreen but of course it is a good tool: I prefer to block by ip last
>and to log helo, envelope sender & recipient as well as client ip. This
>puts a little more load on the server, but information is power.

I'm not talking about temporary failures when resolving blacklists.  I am
talking about sender IP addresses appering in random blacklists (probability
increases with number of used blacklists), shut down blacklist returning
positive addresses with all lookups (happened a few times in the history)
etc.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.
Wietse Venema
Reply | Threaded
Open this post in threaded view
|

Re: Suggestions for less spam

Wietse Venema
In reply to this post by Dominic Raferd
Dominic Raferd:

> On Tue, 24 Sep 2019 at 11:31, Matus UHLAR - fantomas <[hidden email]>
> wrote:
>
> > On 24.09.19 12:11, Paul van der Vlis wrote:
> > >I am using now much of your setting and it seems to help. Thanks a lot!
> >
> > I would just like to note that all those reject_rbl_client directives are
> > prone to errors when any of those blacklist fails.
>
>
> An occasional individual blacklist lookup failure is not a problem, and is
> rare (except for b.barracudacentral.org). I have not felt the need for
> postscreen but of course it is a good tool: I prefer to block by ip last
> and to log helo, envelope sender & recipient as well as client ip. This
> puts a little more load on the server, but information is power.

Postscreen logs the helo, sender, recipient, client IP address
and client port when it rejects a connection.

        Wietse
Matus UHLAR - fantomas
Reply | Threaded
Open this post in threaded view
|

Re: Suggestions for less spam

Matus UHLAR - fantomas
>> > On 24.09.19 12:11, Paul van der Vlis wrote:
>> > >I am using now much of your setting and it seems to help. Thanks a lot!

>> On Tue, 24 Sep 2019 at 11:31, Matus UHLAR - fantomas <[hidden email]>
>> wrote:
>> > I would just like to note that all those reject_rbl_client directives are
>> > prone to errors when any of those blacklist fails.

>Dominic Raferd:
>> An occasional individual blacklist lookup failure is not a problem, and is
>> rare (except for b.barracudacentral.org). I have not felt the need for
>> postscreen but of course it is a good tool: I prefer to block by ip last
>> and to log helo, envelope sender & recipient as well as client ip. This
>> puts a little more load on the server, but information is power.

On 24.09.19 07:08, Wietse Venema wrote:
>Postscreen logs the helo, sender, recipient, client IP address
>and client port when it rejects a connection.

... and dnsblog logs all blacklists the IP was found in.
Even more than standard smtpd (which only uses and logs first match).
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...
Dominic Raferd
Reply | Threaded
Open this post in threaded view
|

Re: Suggestions for less spam

Dominic Raferd
In reply to this post by Wietse Venema


On Tue, 24 Sep 2019 at 12:09, Wietse Venema <[hidden email]> wrote:
Dominic Raferd:
> On Tue, 24 Sep 2019 at 11:31, Matus UHLAR - fantomas <[hidden email]>
> wrote:
>
> > On 24.09.19 12:11, Paul van der Vlis wrote:
> > >I am using now much of your setting and it seems to help. Thanks a lot!
> >
> > I would just like to note that all those reject_rbl_client directives are
> > prone to errors when any of those blacklist fails.
>
>
> An occasional individual blacklist lookup failure is not a problem, and is
> rare (except for b.barracudacentral.org). I have not felt the need for
> postscreen but of course it is a good tool: I prefer to block by ip last
> and to log helo, envelope sender & recipient as well as client ip. This
> puts a little more load on the server, but information is power.

Postscreen logs the helo, sender, recipient, client IP address
and client port when it rejects a connection.

Thanks - I did not know that, I thought postscreen blocked at early stage before this information had been requested/received. My bad.
allenc
Reply | Threaded
Open this post in threaded view
|

Re: Suggestions for less spam

allenc
In reply to this post by Wietse Venema


On 24/09/2019 12:08, Wietse Venema wrote:

> Dominic Raferd:
>> On Tue, 24 Sep 2019 at 11:31, Matus UHLAR - fantomas <[hidden email]>
>> wrote:
>>
>>> On 24.09.19 12:11, Paul van der Vlis wrote:
>>>> I am using now much of your setting and it seems to help. Thanks a lot!
>>>
>>> I would just like to note that all those reject_rbl_client directives are
>>> prone to errors when any of those blacklist fails.
>>
>>
>> An occasional individual blacklist lookup failure is not a problem, and is
>> rare (except for b.barracudacentral.org). I have not felt the need for
>> postscreen but of course it is a good tool: I prefer to block by ip last
>> and to log helo, envelope sender & recipient as well as client ip. This
>> puts a little more load on the server, but information is power.
>
> Postscreen logs the helo, sender, recipient, client IP address
> and client port when it rejects a connection.
>
> Wietse
>

In postscreen I use two access control lists - the first accepts known good mail
servers;  the second rejects entire "problem" countries - in my case China,
North Korea, Brazil, and Eastern Europe.  The country list is recompiled every
week, and the data comes from www.ipdeny.com.

In postfix, messages to a mailing-list identity are refused if they DON'T come
from the list-server (or a few whitelisted individuals). Senders see a polite
message to contact me on-list.

Allen C
Chris Wedgwood
Reply | Threaded
Open this post in threaded view
|

Re: Suggestions for less spam

Chris Wedgwood
In reply to this post by Paul van der Vlis
> >     # reject clients without PTR
> >     reject_unknown_reverse_client_hostname

FWIW

i log/report such things but don't reject; there is some percentage of
real email that comes from sources with broken PTR or missing records
James Brown
Reply | Threaded
Open this post in threaded view
|

Re: Suggestions for less spam

James Brown
In reply to this post by Dominic Raferd
> On 23 Sep 2019, at 1:59 am, Dominic Raferd <[hidden email]> wrote:

>
> On Sun, 22 Sep 2019 at 14:36, Paul van der Vlis <[hidden email]> wrote:
>>
>> Hello,
>>
>> I would like some suggestions on how to get less spam, I will paste my
>> configuration at the end of the mail.
>>
>> Maybe somebody with a nice setup could post his/her setup?
>>
>> As you can see, I am experimenting with reject_unknown_client_hostname.
>> What's your opinion about that setting?
>>
>> I've never used greylisting. Are you using it?
>
> I have been tweaking my settings for the last three years largely
> based on advice from this list. I give below my (slightly simplified)
> smtpd_recipient_restrictions settings for unauthenticated connections
> (suggestions for improvement very welcome). I also apply some
> header_checks and use spamassassin and clamav (via amavis) with some
> bespoke rules.
>
> I think it is inadvisable to use reject_unknown_client_hostname (risk
> of fps) but I have found reject_unknown_reverse_client_hostname very
> effective. I tried greylisting but gave it up - it isn't necessary and
> the delays were very irritating to users (e.g. for password reset
> emails).
>
> smtpd_recipient_restrictions =
>    reject_unauth_pipelining
>
>     # localfile whitelists
>    check_sender_access hash:/etc/postfix/sender_access_whitelist
>    check_client_access hash:/etc/postfix/client_access_whitelist
>    check_client_access cidr:/etc/postfix/client_access_whitelist.cidr
>    check_helo_access hash:/etc/postfix/helo_access_whitelist
>
>    # localfile blacklists
>    check_sender_access hash:/etc/postfix/sender_access
>    check_client_access hash:/etc/postfix/client_access
>    check_helo_access hash:/etc/postfix/helo_access
>    check_sender_access pcre:/etc/postfix/sender_access.pcre
>
>    # reject clients without PTR
>    reject_unknown_reverse_client_hostname
>
>    # reject clients with dynamic ips
>    reject_rbl_client dul.dnsbl.sorbs.net=127.0.0.10
>
>    # rejections based on rbls for helo/sender/reverse_client
>    reject_rhsbl_helo dbl.spamhaus.org
>    reject_rhsbl_sender dbl.spamhaus.org
>    reject_rhsbl_reverse_client dbl.spamhaus.org
>    reject_rhsbl_sender fresh.fmb.la=127.2.0.[2;14]
>
>    # ip-based remote whitelists
>    permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
>    permit_dnswl_client white.uribl.com
>    permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;3;5]
>
>    # ip-based remote blacklists
>    reject_rbl_client zen.spamhaus.org
>    reject_rbl_client dyna.spamrats.com
>    reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
>    reject_rbl_client truncate.gbudb.net
>    reject_rbl_client dnsbl.cobion.com
>    reject_rbl_client bl.fmb.la=127.0.0.2
>    reject_rbl_client b.barracudacentral.org
>
Just wondering if it is worth using Razor.

https://sourceforge.net/projects/razor/

Do people find it useful? Anyone using it?

Seems at bit dated.

Thanks, James.


smime.p7s (6K) Download Attachment
Dominic Raferd
Reply | Threaded
Open this post in threaded view
|

Re: Suggestions for less spam

Dominic Raferd
On Wed, 25 Sep 2019 at 01:04, James Brown <[hidden email]> wrote:
Just wondering if it is worth using Razor.
https://sourceforge.net/projects/razor/
Do people find it useful? Anyone using it?
Seems at bit dated.

I use it as part of Spamassassin (running via Amavis) - it is included in the Ubuntu 'recipe' (https://help.ubuntu.com/community/PostfixAmavisNew).
Free forum by Nabble Edit this page