Hello,

I would like some suggestions on how to get less spam, I will paste my
configuration at the end of the mail.

Maybe somebody with a nice setup could post his/her setup?

As you can see, I am experimenting with reject_unknown_client_hostname.
What's your opinion about that setting?

I've never used greylisting. Are you using it?

With regards,
Paul van der Vlis

root@server:~# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
compatibility_level = 2
content_filter = amavis:[127.0.0.1]:10024
inet_interfaces = all
inet_protocols = ipv4, ipv6
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
message_size_limit = 224000000
mydestination = server.vandervlis.nl, server.lokaal.netwerk, localhost.lokaal.netwerk, localhost
myhostname = server.vandervlis.nl
mynetworks = 127.0.0.1/32
myorigin = /etc/mailname
recipient_delimiter = +
relayhost =
smtp_tls_cert_file = /etc/letsencrypt/live/server.vandervlis.nl/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/server.vandervlis.nl/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access,
    permit
smtpd_recipient_restrictions = permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/whitelist,
    warn_if_reject reject_unknown_client_hostname,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    check_recipient_access pcre:/etc/postfix/recipient_access,
    permit
smtpd_relay_restrictions =
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/server.vandervlis.nl/fullchain.pem
smtpd_tls_exclude_ciphers = RC4
smtpd_tls_key_file = /etc/letsencrypt/live/server.vandervlis.nl/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transportmappings
virtual_maps = hash:/etc/postfix/virtual
root@server:~#

-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/

On Sun, 22 Sep 2019 at 14:36, Paul van der Vlis <[hidden email]> wrote:
>
> Hello,
>
> I would like some suggestions on how to get less spam, I will paste my
> configuration at the end of the mail.
>
> Maybe somebody with a nice setup could post his/her setup?
>
> As you can see, I am experimenting with reject_unknown_client_hostname.
> What's your opinion about that setting?
>
> I've never used greylisting. Are you using it?

I have been tweaking my settings for the last three years largely
based on advice from this list. I give below my (slightly simplified)
smtpd_recipient_restrictions settings for unauthenticated connections
(suggestions for improvement very welcome). I also apply some
header_checks and use spamassassin and clamav (via amavis) with some
bespoke rules.

I think it is inadvisable to use reject_unknown_client_hostname (risk
of fps) but I have found reject_unknown_reverse_client_hostname very
effective. I tried greylisting but gave it up - it isn't necessary and
the delays were very irritating to users (e.g. for password reset
emails).

smtpd_recipient_restrictions =
  reject_unauth_pipelining

  # localfile whitelists
  check_sender_access hash:/etc/postfix/sender_access_whitelist
  check_client_access hash:/etc/postfix/client_access_whitelist
  check_client_access cidr:/etc/postfix/client_access_whitelist.cidr
  check_helo_access hash:/etc/postfix/helo_access_whitelist

  # localfile blacklists
  check_sender_access hash:/etc/postfix/sender_access
  check_client_access hash:/etc/postfix/client_access
  check_helo_access hash:/etc/postfix/helo_access
  check_sender_access pcre:/etc/postfix/sender_access.pcre

  # reject clients without PTR
  reject_unknown_reverse_client_hostname

  # reject clients with dynamic ips
  reject_rbl_client dul.dnsbl.sorbs.net=127.0.0.10

  # rejections based on rbls for helo/sender/reverse_client
  reject_rhsbl_helo dbl.spamhaus.org
  reject_rhsbl_sender dbl.spamhaus.org
  reject_rhsbl_reverse_client dbl.spamhaus.org
  reject_rhsbl_sender fresh.fmb.la=127.2.0.[2;14]

  # ip-based remote whitelists
  permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
  permit_dnswl_client white.uribl.com
  permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;3;5]

  # ip-based remote blacklists
  reject_rbl_client zen.spamhaus.org
  reject_rbl_client dyna.spamrats.com
  reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
  reject_rbl_client truncate.gbudb.net
  reject_rbl_client dnsbl.cobion.com
  reject_rbl_client bl.fmb.la=127.0.0.2
  reject_rbl_client b.barracudacentral.org

In reply to this post by Paul van der Vlis
On 22.09.19 15:35, Paul van der Vlis wrote:
>I would like some suggestions on how to get less spam, I will paste my
>configuration at the end of the mail.
>
>Maybe somebody with a nice setup could post his/her setup?

Use postscreen, with weighted blacklists.
Use spamass-milter or amavisd-milter with refusing spam scoring over 10
(maybe less, I put it down to 8 after I train it properly).

>As you can see, I am experimenting with reject_unknown_client_hostname.
>What's your opinion about that setting?

Good idea, but you may want a whitelist (exemption) for this.

-- 
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.

In reply to this post by Dominic Raferd
On Sep 22, 2019, at 9:59 AM, Dominic Raferd <[hidden email]> wrote:
> I think it is inadvisable to use reject_unknown_client_hostname

Yes, you will lose legitimate mail with this, but in my limited experience it is all junk (marketing mail, remailer services, and the like; not technically spam), and a lot of spam. You will probably need to whitelist some senders?

> (risk of fps) but I have found reject_unknown_reverse_client_hostname very
> effective.

Yep, though again, you might hit some ham. I have a mailing list right now that I subscribe to that hits this, so had to white list its server.

-- 
No man is free who is not master of himself

In reply to this post by Dominic Raferd
On 22-09-19 at 17:59, Dominic Raferd wrote:
> I have been tweaking my settings for the last three years largely
> based on advice from this list. I give below my (slightly simplified)
> smtpd_recipient_restrictions settings for unauthenticated connections
> (suggestions for improvement very welcome). I also apply some
> header_checks and use spamassassin and clamav (via amavis) with some
> bespoke rules.

Many thanks for your help. It will take some time to study it.

> I think it is inadvisable to use reject_unknown_client_hostname (risk
> of fps) but I have found reject_unknown_reverse_client_hostname very
> effective.

I have heard that more.

> I tried greylisting but gave it up - it isn't necessary and
> the delays were very irritating to users (e.g. for password reset
> emails).

I don't like it either.

With regards,
Paul

-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/

In reply to this post by Dominic Raferd
I am using now much of your setting and it seems to help. Thanks a lot!

On 22-09-19 at 17:59, Dominic Raferd wrote:
> On Sun, 22 Sep 2019 at 14:36, Paul van der Vlis <[hidden email]> wrote:
>>
>> Hello,
>>
>> I would like some suggestions on how to get less spam, I will paste my
>> configuration at the end of the mail.
>>
>> Maybe somebody with a nice setup could post his/her setup?
>>
>> As you can see, I am experimenting with reject_unknown_client_hostname.
>> What's your opinion about that setting?
>>
>> I've never used greylisting. Are you using it?
>
> I have been tweaking my settings for the last three years largely
> based on advice from this list. I give below my (slightly simplified)
> smtpd_recipient_restrictions settings for unauthenticated connections
> (suggestions for improvement very welcome). I also apply some
> header_checks and use spamassassin and clamav (via amavis) with some
> bespoke rules.
>
> I think it is inadvisable to use reject_unknown_client_hostname (risk
> of fps) but I have found reject_unknown_reverse_client_hostname very
> effective. I tried greylisting but gave it up - it isn't necessary and
> the delays were very irritating to users (e.g. for password reset
> emails).
>
> smtpd_recipient_restrictions =
>   reject_unauth_pipelining
>
>   # localfile whitelists
>   check_sender_access hash:/etc/postfix/sender_access_whitelist
>   check_client_access hash:/etc/postfix/client_access_whitelist
>   check_client_access cidr:/etc/postfix/client_access_whitelist.cidr
>   check_helo_access hash:/etc/postfix/helo_access_whitelist
>
>   # localfile blacklists
>   check_sender_access hash:/etc/postfix/sender_access
>   check_client_access hash:/etc/postfix/client_access
>   check_helo_access hash:/etc/postfix/helo_access
>   check_sender_access pcre:/etc/postfix/sender_access.pcre
>
>   # reject clients without PTR
>   reject_unknown_reverse_client_hostname
>
>   # reject clients with dynamic ips
>   reject_rbl_client dul.dnsbl.sorbs.net=127.0.0.10
>
>   # rejections based on rbls for helo/sender/reverse_client
>   reject_rhsbl_helo dbl.spamhaus.org
>   reject_rhsbl_sender dbl.spamhaus.org
>   reject_rhsbl_reverse_client dbl.spamhaus.org
>   reject_rhsbl_sender fresh.fmb.la=127.2.0.[2;14]
>
>   # ip-based remote whitelists
>   permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
>   permit_dnswl_client white.uribl.com
>   permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;3;5]
>
>   # ip-based remote blacklists
>   reject_rbl_client zen.spamhaus.org
>   reject_rbl_client dyna.spamrats.com
>   reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
>   reject_rbl_client truncate.gbudb.net
>   reject_rbl_client dnsbl.cobion.com
>   reject_rbl_client bl.fmb.la=127.0.0.2
>   reject_rbl_client b.barracudacentral.org
>

-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/

On 24.09.19 12:11, Paul van der Vlis wrote:
>I am using now much of your setting and it seems to help. Thanks a lot!

I would just like to note that all those reject_rbl_client directives are
prone to errors when any of those blacklist fails.

That's why I suggested to use postscreen, where you can define whitelists
and minimum score for listing.

Postscreen in addition helps catching many bots not listed in blacklists.

>On 22-09-19 at 17:59, Dominic Raferd wrote:
>> On Sun, 22 Sep 2019 at 14:36, Paul van der Vlis <[hidden email]> wrote:
>>>
>>> Hello,
>>>
>>> I would like some suggestions on how to get less spam, I will paste my
>>> configuration at the end of the mail.
>>>
>>> Maybe somebody with a nice setup could post his/her setup?
>>>
>>> As you can see, I am experimenting with reject_unknown_client_hostname.
>>> What's your opinion about that setting?
>>>
>>> I've never used greylisting. Are you using it?
>>
>> I have been tweaking my settings for the last three years largely
>> based on advice from this list. I give below my (slightly simplified)
>> smtpd_recipient_restrictions settings for unauthenticated connections
>> (suggestions for improvement very welcome). I also apply some
>> header_checks and use spamassassin and clamav (via amavis) with some
>> bespoke rules.
>>
>> I think it is inadvisable to use reject_unknown_client_hostname (risk
>> of fps) but I have found reject_unknown_reverse_client_hostname very
>> effective. I tried greylisting but gave it up - it isn't necessary and
>> the delays were very irritating to users (e.g. for password reset
>> emails).
>>
>> smtpd_recipient_restrictions =
>>   reject_unauth_pipelining
>>
>>   # localfile whitelists
>>   check_sender_access hash:/etc/postfix/sender_access_whitelist
>>   check_client_access hash:/etc/postfix/client_access_whitelist
>>   check_client_access cidr:/etc/postfix/client_access_whitelist.cidr
>>   check_helo_access hash:/etc/postfix/helo_access_whitelist
>>
>>   # localfile blacklists
>>   check_sender_access hash:/etc/postfix/sender_access
>>   check_client_access hash:/etc/postfix/client_access
>>   check_helo_access hash:/etc/postfix/helo_access
>>   check_sender_access pcre:/etc/postfix/sender_access.pcre
>>
>>   # reject clients without PTR
>>   reject_unknown_reverse_client_hostname
>>
>>   # reject clients with dynamic ips
>>   reject_rbl_client dul.dnsbl.sorbs.net=127.0.0.10
>>
>>   # rejections based on rbls for helo/sender/reverse_client
>>   reject_rhsbl_helo dbl.spamhaus.org
>>   reject_rhsbl_sender dbl.spamhaus.org
>>   reject_rhsbl_reverse_client dbl.spamhaus.org
>>   reject_rhsbl_sender fresh.fmb.la=127.2.0.[2;14]
>>
>>   # ip-based remote whitelists
>>   permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
>>   permit_dnswl_client white.uribl.com
>>   permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;3;5]
>>
>>   # ip-based remote blacklists
>>   reject_rbl_client zen.spamhaus.org
>>   reject_rbl_client dyna.spamrats.com
>>   reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
>>   reject_rbl_client truncate.gbudb.net
>>   reject_rbl_client dnsbl.cobion.com
>>   reject_rbl_client bl.fmb.la=127.0.0.2
>>   reject_rbl_client b.barracudacentral.org
>>
>
>-- 
>Paul van der Vlis Linux systeembeheer Groningen
>https://www.vandervlis.nl/

-- 
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.

On Tue, 24 Sep 2019 at 11:31, Matus UHLAR - fantomas <[hidden email]> wrote:
On 24.09.19 12:11, Paul van der Vlis wrote:

An occasional individual blacklist lookup failure is not a problem, and is rare (except for b.barracudacentral.org). I have not felt the need for postscreen but of course it is a good tool: I prefer to block by ip last and to log helo, envelope sender & recipient as well as client ip. This puts a little more load on the server, but information is power.

>> On 24.09.19 12:11, Paul van der Vlis wrote:
>> >I am using now much of your setting and it seems to help. Thanks a lot!

>On Tue, 24 Sep 2019 at 11:31, Matus UHLAR - fantomas <[hidden email]>
>wrote:
>> I would just like to note that all those reject_rbl_client directives are
>> prone to errors when any of those blacklist fails.

On 24.09.19 11:54, Dominic Raferd wrote:
>An occasional individual blacklist lookup failure is not a problem, and is
>rare (except for b.barracudacentral.org). I have not felt the need for
>postscreen but of course it is a good tool: I prefer to block by ip last
>and to log helo, envelope sender & recipient as well as client ip. This
>puts a little more load on the server, but information is power.

I'm not talking about temporary failures when resolving blacklists.

I am talking about sender IP addresses appearing in random blacklists
(probability increases with number of used blacklists), shut down blacklist
returning positive addresses with all lookups (happened a few times in the
history) etc.

-- 
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.

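The contrast raised in the message above, as an added example (not code from any poster in this thread or from Postfix): it parses the DNSBL reply filters seen in the posted configuration and compares a first-match chain of reject_rbl_client checks with postscreen-style summed weights against a threshold. The weights, the threshold, the DNS replies and the list name retired.dnsbl.example are constructed assumptions, and the ordering of permit_dnswl_client in smtpd is not modelled.

```python
"""Added illustration: reject_rbl_client first-match chain vs. postscreen-style
weighted DNSBL scoring. Weights, threshold and replies are constructed."""
import re

def octet_matches(pattern, value):
    """Match one octet against N or a [a;b;c..d] set (Postfix reply-filter syntax)."""
    if pattern.startswith("["):
        for part in pattern[1:-1].split(";"):
            lo, _, hi = part.partition("..")
            if int(lo) <= value <= int(hi or lo):
                return True
        return False
    return int(pattern) == value

def reply_matches(reply_filter, reply):
    """True if a DNSBL A-record reply satisfies a filter such as 127.0.0.[1;3;5]."""
    if reply_filter is None:  # no "=filter": any reply counts as a listing
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", reply_filter)
    octets = [int(o) for o in reply.split(".")]
    return len(patterns) == 4 == len(octets) and all(
        octet_matches(p, o) for p, o in zip(patterns, octets))

def parse_site(spec):
    """Split 'domain[=filter][*weight]' (postscreen_dnsbl_sites form) into parts."""
    spec, _, weight = spec.partition("*")
    domain, _, reply_filter = spec.partition("=")
    return domain, reply_filter or None, int(weight or 1)

def listings(sites, replies):
    """Return [(domain, weight)] for every site whose reply matches its filter."""
    hits = []
    for domain, reply_filter, weight in map(parse_site, sites):
        if any(reply_matches(reply_filter, r) for r in replies.get(domain, [])):
            hits.append((domain, weight))
    return hits

def smtpd_first_match(reject_sites, replies):
    """Chain of reject_rbl_client checks: the first listing decides."""
    hits = listings(reject_sites, replies)
    return ("reject", hits[0][0]) if hits else ("permit", None)

def postscreen_decision(sites, replies, threshold):
    """Sum the weights of all listings; fail the client only at the threshold."""
    hits = listings(sites, replies)
    total = sum(weight for _, weight in hits)
    return ("reject" if total >= threshold else "pass"), total

# List names come from the thread, except retired.dnsbl.example (hypothetical).
REJECT_CHAIN = ["zen.spamhaus.org", "hostkarma.junkemailfilter.com=127.0.0.2",
                "bl.fmb.la=127.0.0.2", "retired.dnsbl.example"]
# Constructed weights and threshold, chosen only to show the mechanism.
WEIGHTED = ["zen.spamhaus.org*3", "hostkarma.junkemailfilter.com=127.0.0.2*2",
            "bl.fmb.la=127.0.0.2*1", "retired.dnsbl.example*1",
            "list.dnswl.org=127.0.[0..255].[1..3]*-2"]
THRESHOLD = 3

# Constructed replies: good sender, but one shut-down list answers for every IP.
GOOD_SENDER = {"retired.dnsbl.example": ["127.0.0.2"],
               "list.dnswl.org": ["127.0.5.1"]}
# Constructed replies: bot on two lists; hostkarma's 127.0.0.3 fails =127.0.0.2.
BOT = {"zen.spamhaus.org": ["127.0.0.4"], "bl.fmb.la": ["127.0.0.2"],
       "hostkarma.junkemailfilter.com": ["127.0.0.3"]}

if __name__ == "__main__":
    for name, replies in (("good sender", GOOD_SENDER), ("bot", BOT)):
        print(name, smtpd_first_match(REJECT_CHAIN, replies),
              postscreen_decision(WEIGHTED, replies, THRESHOLD))
```

With these constructed inputs the single stray listing rejects the good sender in the first-match chain but stays below the threshold when weights are summed, while the bot is rejected either way.
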
In reply to this post by Dominic Raferd
Dominic Raferd:
> On Tue, 24 Sep 2019 at 11:31, Matus UHLAR - fantomas <[hidden email]>
> wrote:
>
> > On 24.09.19 12:11, Paul van der Vlis wrote:
> > >I am using now much of your setting and it seems to help. Thanks a lot!
> >
> > I would just like to note that all those reject_rbl_client directives are
> > prone to errors when any of those blacklist fails.
>
>
> An occasional individual blacklist lookup failure is not a problem, and is
> rare (except for b.barracudacentral.org). I have not felt the need for
> postscreen but of course it is a good tool: I prefer to block by ip last
> and to log helo, envelope sender & recipient as well as client ip. This
> puts a little more load on the server, but information is power.

Postscreen logs the helo, sender, recipient, client IP address
and client port when it rejects a connection.

Wietse

>> > On 24.09.19 12:11, Paul van der Vlis wrote:
>> > >I am using now much of your setting and it seems to help. Thanks a lot!

>> On Tue, 24 Sep 2019 at 11:31, Matus UHLAR - fantomas <[hidden email]>
>> wrote:
>> > I would just like to note that all those reject_rbl_client directives are
>> > prone to errors when any of those blacklist fails.

>Dominic Raferd:
>> An occasional individual blacklist lookup failure is not a problem, and is
>> rare (except for b.barracudacentral.org). I have not felt the need for
>> postscreen but of course it is a good tool: I prefer to block by ip last
>> and to log helo, envelope sender & recipient as well as client ip. This
>> puts a little more load on the server, but information is power.

On 24.09.19 07:08, Wietse Venema wrote:
>Postscreen logs the helo, sender, recipient, client IP address
>and client port when it rejects a connection.

... and dnsblog logs all blacklists the IP was found in.
Even more than standard smtpd (which only uses and logs first match).

-- 
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...

In reply to this post by Wietse Venema
On Tue, 24 Sep 2019 at 12:09, Wietse Venema <[hidden email]> wrote:
Dominic Raferd:

Thanks - I did not know that, I thought postscreen blocked at early stage before this information had been requested/received. My bad.

In reply to this post by Wietse Venema
On 24/09/2019 12:08, Wietse Venema wrote:
> Dominic Raferd:
>> On Tue, 24 Sep 2019 at 11:31, Matus UHLAR - fantomas <[hidden email]>
>> wrote:
>>
>>> On 24.09.19 12:11, Paul van der Vlis wrote:
>>>> I am using now much of your setting and it seems to help. Thanks a lot!
>>>
>>> I would just like to note that all those reject_rbl_client directives are
>>> prone to errors when any of those blacklist fails.
>>
>>
>> An occasional individual blacklist lookup failure is not a problem, and is
>> rare (except for b.barracudacentral.org). I have not felt the need for
>> postscreen but of course it is a good tool: I prefer to block by ip last
>> and to log helo, envelope sender & recipient as well as client ip. This
>> puts a little more load on the server, but information is power.
>
> Postscreen logs the helo, sender, recipient, client IP address
> and client port when it rejects a connection.
>
> Wietse
>

In postscreen I use two access control lists - the first accepts known good mail servers; the second rejects entire "problem" countries - in my case China, North Korea, Brazil, and Eastern Europe. The country list is recompiled every week, and the data comes from www.ipdeny.com.

In postfix, messages to a mailing-list identity are refused if they DON'T come from the list-server (or a few whitelisted individuals). Senders see a polite message to contact me on-list.

Allen C

In reply to this post by Paul van der Vlis
> > # reject clients without PTR
> > reject_unknown_reverse_client_hostname

FWIW I log/report such things but don't reject; there is some percentage of real email that comes from sources with broken PTR or missing records

In reply to this post by Dominic Raferd
> On 23 Sep 2019, at 1:59 am, Dominic Raferd <[hidden email]> wrote:
>
> On Sun, 22 Sep 2019 at 14:36, Paul van der Vlis <[hidden email]> wrote:
>>
>> Hello,
>>
>> I would like some suggestions on how to get less spam, I will paste my
>> configuration at the end of the mail.
>>
>> Maybe somebody with a nice setup could post his/her setup?
>>
>> As you can see, I am experimenting with reject_unknown_client_hostname.
>> What's your opinion about that setting?
>>
>> I've never used greylisting. Are you using it?
>
> I have been tweaking my settings for the last three years largely
> based on advice from this list. I give below my (slightly simplified)
> smtpd_recipient_restrictions settings for unauthenticated connections
> (suggestions for improvement very welcome). I also apply some
> header_checks and use spamassassin and clamav (via amavis) with some
> bespoke rules.
>
> I think it is inadvisable to use reject_unknown_client_hostname (risk
> of fps) but I have found reject_unknown_reverse_client_hostname very
> effective. I tried greylisting but gave it up - it isn't necessary and
> the delays were very irritating to users (e.g. for password reset
> emails).
>
> smtpd_recipient_restrictions =
>   reject_unauth_pipelining
>
>   # localfile whitelists
>   check_sender_access hash:/etc/postfix/sender_access_whitelist
>   check_client_access hash:/etc/postfix/client_access_whitelist
>   check_client_access cidr:/etc/postfix/client_access_whitelist.cidr
>   check_helo_access hash:/etc/postfix/helo_access_whitelist
>
>   # localfile blacklists
>   check_sender_access hash:/etc/postfix/sender_access
>   check_client_access hash:/etc/postfix/client_access
>   check_helo_access hash:/etc/postfix/helo_access
>   check_sender_access pcre:/etc/postfix/sender_access.pcre
>
>   # reject clients without PTR
>   reject_unknown_reverse_client_hostname
>
>   # reject clients with dynamic ips
>   reject_rbl_client dul.dnsbl.sorbs.net=127.0.0.10
>
>   # rejections based on rbls for helo/sender/reverse_client
>   reject_rhsbl_helo dbl.spamhaus.org
>   reject_rhsbl_sender dbl.spamhaus.org
>   reject_rhsbl_reverse_client dbl.spamhaus.org
>   reject_rhsbl_sender fresh.fmb.la=127.2.0.[2;14]
>
>   # ip-based remote whitelists
>   permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
>   permit_dnswl_client white.uribl.com
>   permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;3;5]
>
>   # ip-based remote blacklists
>   reject_rbl_client zen.spamhaus.org
>   reject_rbl_client dyna.spamrats.com
>   reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
>   reject_rbl_client truncate.gbudb.net
>   reject_rbl_client dnsbl.cobion.com
>   reject_rbl_client bl.fmb.la=127.0.0.2
>   reject_rbl_client b.barracudacentral.org
>

https://sourceforge.net/projects/razor/

Do people find it useful? Anyone using it? Seems a bit dated.

Thanks,

James.

On Wed, 25 Sep 2019 at 01:04, James Brown <[hidden email]> wrote:
> Just wondering if it is worth using Razor.

I use it as part of Spamassassin (running via Amavis) - it is included in the Ubuntu 'recipe' (https://help.ubuntu.com/community/PostfixAmavisNew).