Best parameters to set for Postfix "smtpd_recipient_restrictions"


8

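We have inherited DNS from another ISP, and now our mail server is being bombarded with about 1000 emails per minute, 99.99% of which are just spam. We are trying to optimize filtering/rejecting of spam, but without much luck.

What do you think is the best setting for smtpd_recipient_restrictions?

System configuration: Ubuntu + Amavis + Postfix + MySQL + Fail2Ban-Postfix

Any suggestions are welcome!

UPDATE, August 8, 2012

After changing the Postfix configuration as follows and configuring the Postgrey service, the spam level dropped by a factor of 10: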

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_policy_service inet:127.0.0.1:10023,
    reject_rbl_client zen.spamhaus.org,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_pipelining,
    reject_unauth_destination



1
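I'd like to buy that domain! Name your price.
mailq

What are you trying to solve? What is your problem? You only said rejecting spam. But that is not a problem. That is a solution.
mailq

@mailq: Sorry, my apologies
Igor

@mailq: The idea is to reject spam more efficiently and reduce the system load
Igor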

Answers:


6

Your rule order is very bad. If you want to keep all of them and not add anything else, the order must be:

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_non_fqdn_recipient

If that is still not enough, then read about postscreen in http://www.postfix.org/POSTSCREEN_README.html


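Sorry, does the order matter? In the sense that Postfix first checks "permit_mynetworks" and lastly "reject_non_fqdn_recipient".
Igor

1
Absolutely! The order matters. From left to right (or top to bottom). As in postfix.org/SMTPD_ACCESS_README.html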
mailq
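
The left-to-right, first-match evaluation discussed in the comments above, as an added example that is not part of the original thread and is not Postfix code: a simplified Python model that counts how many external lookups (DNS, policy service, MySQL) the question's order and this answer's order perform before a verdict. The session flags, the rule table and the cost classification are assumptions made for illustration.

```python
# Simplified model (assumption): every rule marked expensive costs one external
# lookup each time it is evaluated; the first rule that matches ends evaluation.
RULES = {
    # name: (expensive lookup?, session flag that triggers it, verdict)
    "permit_mynetworks": (False, "in_mynetworks", "PERMIT"),
    "permit_sasl_authenticated": (False, "sasl_auth", "PERMIT"),
    "reject_unauth_pipelining": (False, "pipelining", "REJECT"),
    "reject_non_fqdn_hostname": (False, "helo_not_fqdn", "REJECT"),
    "reject_invalid_hostname": (False, "helo_invalid", "REJECT"),
    "reject_non_fqdn_sender": (False, "sender_not_fqdn", "REJECT"),
    "reject_unknown_sender_domain": (True, "sender_domain_unknown", "REJECT"),
    "reject_non_fqdn_recipient": (False, "rcpt_not_fqdn", "REJECT"),
    "reject_unknown_recipient_domain": (True, "rcpt_domain_unknown", "REJECT"),
    "check_policy_service": (True, "greylisted", "DEFER"),
    "reject_rbl_client": (True, "rbl_listed", "REJECT"),
    "check_recipient_access": (True, "rcpt_blocked_in_db", "REJECT"),
    "reject_unauth_destination": (False, "relay_attempt", "REJECT"),
}
QUESTION_ORDER = """permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname,
 reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain,
 reject_non_fqdn_recipient, reject_unknown_recipient_domain,
 check_policy_service inet:127.0.0.1:10023, reject_rbl_client zen.spamhaus.org,
 check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
 reject_unauth_pipelining, reject_unauth_destination"""
ANSWER_ORDER = """permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining,
 reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain,
 reject_unauth_destination, reject_unknown_recipient_domain,
 reject_rbl_client zen.spamhaus.org,
 check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
 reject_non_fqdn_recipient"""

def evaluate(restrictions, session):
    """Return (verdict, deciding rule, number of expensive lookups performed)."""
    lookups = 0
    for item in restrictions.split(","):
        name = item.split()[0]  # drop the argument, e.g. the RBL zone or table
        expensive, flag, verdict = RULES[name]
        lookups += int(expensive)
        if session.get(flag):
            return verdict, name, lookups
    return "PERMIT", "(end of list)", lookups

# Constructed sessions: only the flags that are true are listed.
RELAY_PROBE = {"relay_attempt": True}  # spam addressed to a domain we do not host
LISTED_BOT = {"rbl_listed": True}      # spam from a client listed in the RBL
OWN_USER = {"sasl_auth": True}         # authenticated local user

if __name__ == "__main__":
    for label, session in [("relay probe", RELAY_PROBE), ("RBL-listed", LISTED_BOT)]:
        for name, order in [("question", QUESTION_ORDER), ("answer", ANSWER_ORDER)]:
            print(f"{label:12} {name:9}", evaluate(order, session))
```

In this model the relay probe costs five lookups under the question's order and one under the answer's order, because reject_unauth_destination is reached before the RBL, policy service and MySQL checks.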

5

I would suggest an smtpd_recipient_restrictions similar to the following:

smtpd_recipient_restrictions =
    # Whitelisting or blacklisting:
    check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
    # Everyone should play after rules:
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    # Mails from your users:
    permit_mynetworks,
    permit_sasl_authenticated,
    # This will block mails from domains with no reverse DNS record. Will affect both spam and ham mails, but mostly spam.
    reject_unknown_reverse_client_hostname,
    # Instead of reject_unknown_reverse_client_hostname you can also use reject_unknown_client_hostname, which is an even harder rule.
    # Reject ugly HELO/EHLO-hostnames (could also affect regular mails):
    reject_non_fqdn_hostname,
    reject_invalid_helo_hostname,
    # Reject everything you're not responsible for:
    reject_unauth_destination,
    # Only take mails for existing accounts:
    reject_unverified_recipient,
    # DNS lookups are "expensive", therefore should be at bottom
    reject_rbl_client zen.spamhaus.org

Details on smtpd_recipient_restrictions can be found here: http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

Maybe you also want to use postgrey, postscreen, postfwd or some other policy daemon.

And check whether you are using amavisd-new in pre-queue mode.


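This is bad. The second line blocks mail to any outbound recipient. So you cannot send mail from your server to the outside world. MySQL queries are as expensive as DNS queries. So you should also move the MySQL query to the bottom.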
mailq
Licensed under cc by-sa 3.0 with attribution required.