Mailing List SIMS@mail.stalker.com Message #15114
From: Lewis Butler <lbutler@covisp.net>
Subject: Re: A bit off-topic : postfix
Date: Tue, 13 Sep 2005 13:38:52 -0600
To: SIMS Discussions <SIMS@mail.stalker.com>
X-Mailer: Apple Mail (2.734)
On 12 Sep 2005, at 07:34, Alexandre Lollini wrote:
> So, how do I set up in postfix the RBLs and spamtraps?

Spamtraps: no.

rbls:

smtpd_recipient_restrictions =
  check_client_access hash:/usr/local/etc/postfix/pop-before-smtp,
  reject_invalid_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  reject_unauth_pipelining,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  check_recipient_access pcre:/usr/local/etc/postfix/recipient_checks.pcre,
  check_policy_service inet:127.0.0.1:10023
  check_client_access hash:/usr/local/etc/postfix/access,
  check_sender_access hash:/usr/local/etc/postfix/banned_addrs,
  reject_rbl_client sbl-xbl.spamhaus.org
  reject_rbl_client cn.rbl.cluecentral.net
  reject_rbl_client kr.rbl.cluecentral.net
  permit


you don't need all of those, but you need permit_mynetworks before the checks, and you need permit last.

basically, it's logical.  A new message comes in (or goes out)

check if the IP has been logged into with a password (unnecessary unless you have remote users).

    the rejects are pretty self-explanatory but for the last which
    means to reject when the client sends the SMTP commands without
    waiting for a status reply from the previous command.


permit local IPs
permit anyone who authenticated via sasl

reject relay addresses and compound addresses (user@server1.tld@server2.tld)

check a pcre expression in the file "recipient_checks.pcre"

    /^\@/   550 Invalid address format.
    /[!%\@].*\@/ 550 This server disallows weird address syntax.
    /^postmaster\@/ OK
    /^hostmaster\@/ OK
    /^abuse\@/ OK

this file allows the postmaster, hostmaster and abuse addresses through and has another check (redundant, I think) for malformed addresses.

the policy check is postgrey, a greylisting service

then check the access table, any specifically banned addresses, and finally rbls.  If nothing ends up matching, allow the mail.

--
Lewis Butler, Owner Covisp.net
240 S Broadway #203, 80209
mobile: 303.564.2512  fx: 303.282.1515
AIM/ichat: covisp xdi: http://public.xdi.org/=lewisbutler
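
An added example (not part of Lewis Butler's message, and not Postfix code): a small Python model of a first-match-wins lookup over the posted recipient_checks.pcre table, showing which recipients are permitted, rejected, or passed on to the later restrictions. It assumes Python's `re` behaves like PCRE for these five patterns; the sample addresses are constructed.

```python
import re

# recipient_checks.pcre exactly as posted in the message above.
TABLE = r"""
/^\@/   550 Invalid address format.
/[!%\@].*\@/ 550 This server disallows weird address syntax.
/^postmaster\@/ OK
/^hostmaster\@/ OK
/^abuse\@/ OK
"""

def parse_table(text):
    """Turn '/pattern/flags action' lines into (compiled regex, action) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.+?)/([A-Za-z]*)\s+(.+)$", line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        pattern, flags, action = m.groups()
        # Postfix pcre tables match case-insensitively unless the 'i' flag toggles it off.
        rules.append((re.compile(pattern, 0 if "i" in flags else re.IGNORECASE), action))
    return rules

RULES = parse_table(TABLE)

def classify(recipient):
    """First matching rule wins; the whole address is the lookup key."""
    for regex, action in RULES:
        if regex.search(recipient):
            if action.upper() == "OK":
                return "permit"    # rest of smtpd_recipient_restrictions is skipped
            if action[0] in "45":
                return "reject"    # SMTP error reply sent to the client
            return action
    return "continue"              # no match: go on to postgrey, access maps, RBLs

if __name__ == "__main__":
    # Constructed sample recipients (example.com / example.net are placeholders).
    for rcpt in ["postmaster@example.com", "Abuse@example.com", "user@example.com",
                 "@example.com", "user%example.net@example.com",
                 "user@server1.tld@server2.tld", "postmaster%example.net@example.com"]:
        print(f"{rcpt:40} {classify(rcpt)}")
```

Rule order matters here: an address such as postmaster%example.net@example.com is rejected by the second rule before the postmaster OK rule is reached, while a plain postmaster@ address is permitted and never reaches postgrey or the RBL lookups.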

