Date:      Fri, 26 May 2006 11:12:42 -0400
From:      Chuck Swiger <cswiger@mac.com>
To:        Nagy László Zsolt <nagylzs@freemail.hu>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Strange messages in mail queue
Message-ID:  <44771AEA.8050903@mac.com>
In-Reply-To: <44771817.7050002@freemail.hu>
References:  <44758A50.10405@messias.qhigh.com> <4475B128.5000607@mac.com> <4475B385.1080502@mikestammer.com> <0B01D3D5-F9D5-4E7B-A63B-E7933205B9B4@mac.com> <44771817.7050002@freemail.hu>

Nagy László Zsolt wrote:
> Charles Swiger wrote:
>> Yes, well, that question implies the right direction for a solution: 
>> you want to reject spam before trying to deliver it, rather than 
>> accepting it and then being responsible for bouncing it back.
> I'm using postfix (the most up to date version from the ports tree). I 
> did not know that it is bouncing back automatically. :-)  How can I 
> reject those emails before accepting them? I need the whole body of the 
> message before I can classify it. Are there any other options?

You can block a lot of spam before accepting by various changes to 
Postfix's main.cf file, as well as by installing the postgrey port;
however, you're right that the standard content-filter mechanism (via 
content_filter or check_policy_service) needs to get the whole body of 
the message before it can be classified.

Perhaps the following snippets will give you some ideas:

[ ...main.cf... ]
# readme_directory: The location of the Postfix README files.
#
readme_directory = no

# amavisd filtering...
content_filter=scan:[127.0.0.1]:10024

# sasl config
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = codefab.com

# tls config
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /usr/local/etc/postfix/smtpd.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/smtpd.pem
smtpd_tls_CAfile = /usr/local/etc/postfix/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        reject_unauth_destination,
        check_helo_access hash:/usr/local/etc/postfix/helo_checks,
        check_recipient_access pcre:/usr/local/etc/postfix/recipient_checks.pcre,
        check_policy_service inet:127.0.0.1:10023,
        permit

smtpd_client_restrictions =
        check_client_access hash:/usr/local/etc/postfix/access

% cat helo_checks
localhost       REJECT You are not localhost.
199.103.21.227  REJECT You are not my IP, go away.
codefab.com     REJECT You are not in my domain.
217.9.41.138    REJECT 456 "Stop bouncing forged spam mail to us!"

% cat recipient_checks.pcre
# Note: You must have PCRE support built in to Postfix at
# compile time to use this.  (Tho I've been told the following are
# valid POSIX RE's ["regexp:" map type], as well.)
#
# Postfix doesn't relay by default.  But it may *appear* to do so
# to some testers.  The first two statements below remove all
# doubt.

/^\@/           550 Invalid address format.
/[!%\@].*\@/    550 This server disallows weird address syntax.

# Let email to the following destinations bypass all the remaining
# "reject" and "check" tests.  We always want to let email for these
# recipients in.

/^postmaster\@/ OK
/^abuse\@/      OK

# Note: The "OK"s above, for postmaster, etc., will *not*
# bypass header and body checks.  There is currently no way
# to do so with Postfix :(
#
# Remember where I said, at the very beginning, about how
# order is important?  Whatever you do, do *not* place an
# access map like this one before the "permit_mynetworks"
# and "reject_unauth_destination" statements.  Not unless
# you want to be an open relay, anyway.
[ ... ]
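
The ordering warning in the recipient_checks.pcre comments, as an added example that is not part of the original message: a simplified Python model of first-match evaluation, run with the access map placed after and before reject_unauth_destination. It assumes codefab.com is the only local domain; the function names and sample recipients are constructed for illustration.

```python
import re

# The page's recipient_checks.pcre rules, in file order (first match wins).
RECIPIENT_CHECKS = [
    (r"^\@", "550 Invalid address format."),
    (r"[!%\@].*\@", "550 This server disallows weird address syntax."),
    (r"^postmaster\@", "OK"),
    (r"^abuse\@", "OK"),
]
# Assumption: codefab.com is the only domain this server accepts mail for.
LOCAL_DOMAINS = {"codefab.com"}

def check_recipient_access(rcpt):
    """First matching rule's action, or None (pcre tables ignore case by default)."""
    for pattern, action in RECIPIENT_CHECKS:
        if re.search(pattern, rcpt, re.IGNORECASE):
            return action
    return None

def reject_unauth_destination(rcpt):
    """Reject recipients outside the local domains; otherwise no opinion."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return None if domain in LOCAL_DOMAINS else "554 Relay access denied"

def evaluate(restrictions, rcpt):
    """Simplified model: the first restriction with a result decides; OK permits."""
    for check in restrictions:
        result = check(rcpt)
        if result is not None:
            return "permit" if result == "OK" else result
    return "permit"  # stands in for the final "permit" in the list

SAFE = [reject_unauth_destination, check_recipient_access]    # order used on the page
UNSAFE = [check_recipient_access, reject_unauth_destination]  # order the comments warn against

# Constructed sample recipients.
SAMPLES = [
    "postmaster@codefab.com",
    "postmaster@elsewhere.example",
    "user%elsewhere.example@codefab.com",
    "@codefab.com",
]

if __name__ == "__main__":
    for rcpt in SAMPLES:
        print(f"{rcpt:36} safe={evaluate(SAFE, rcpt)!r} unsafe={evaluate(UNSAFE, rcpt)!r}")
```

With the access map first, the "OK" for postmaster@ is returned before the relay check runs, so mail addressed to postmaster at any foreign domain is accepted for relaying.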




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44771AEA.8050903>