From: Chuck Swiger
Date: Fri, 26 May 2006 11:12:42 -0400
To: Nagy László Zsolt
Cc: freebsd-questions@freebsd.org
Subject: Re: Strange messages in mail queue
Message-ID: <44771AEA.8050903@mac.com>
In-Reply-To: <44771817.7050002@freemail.hu>

Nagy László Zsolt wrote:
> Charles Swiger wrote:
>> Yes, well, that question implies the right direction for a solution:
>> you want to reject spam before trying to deliver it, rather than
>> accepting it and then being responsible for bouncing it back.
> I'm using postfix (the most up to date version from the ports tree). I
> did not know that it is bouncing back automatically. :-) How can I
> reject those emails before accepting them? I need the whole body of the
> message before I can classify it. Are there any other options?

You can block a lot of spam before accepting by various changes to
Postfix's main.cf file, as well as by installing the postgrey port;
however, you're right that the standard content-filter mechanism (via
content_filter or check_policy_service) needs to get the whole body of
the message before it can be classified.

Perhaps the following snippets will give you some ideas:

[ ...main.cf... ]

# readme_directory: The location of the Postfix README files.
# readme_directory = no

# amavisd filtering...
content_filter=scan:[127.0.0.1]:10024

# sasl config
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = codefab.com

# tls config
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /usr/local/etc/postfix/smtpd.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/smtpd.pem
smtpd_tls_CAfile = /usr/local/etc/postfix/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtpd_helo_required = yes
strict_rfc821_envelopes = yes

smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        reject_unauth_destination,
        check_helo_access hash:/usr/local/etc/postfix/helo_checks,
        check_recipient_access pcre:/usr/local/etc/postfix/recipient_checks.pcre,
        check_policy_service inet:127.0.0.1:10023,
        permit
smtpd_client_restrictions = check_client_access hash:/usr/local/etc/postfix/access

% cat helo_checks
localhost               REJECT You are not localhost.
199.103.21.227          REJECT You are not my IP, go away.
codefab.com             REJECT You are not in my domain.
217.9.41.138            REJECT 456 "Stop bouncing forged spam mail to us!"

% cat recipient_checks.pcre
# Note: You must have PCRE support built in to Postfix at
# compile time to use this. (Tho I've been told the following are
# valid POSIX RE's ["regexp:" map type], as well.)
#
# Postfix doesn't relay by default. But it may *appear* to do so
# to some testers. The first two statements below remove all
# doubt.
/^\@/                   550 Invalid address format.
/[!%\@].*\@/            550 This server disallows weird address syntax.

# Let email to the following destinations bypass all the remaining
# "reject" and "check" tests. We always want to let email for these
# recipients in.
/^postmaster\@/         OK
/^abuse\@/              OK

# Note: The "OK"s above, for postmaster, etc., will *not*
# bypass header and body checks. There is currently no way
# to do so with Postfix :(
#
# Remember where I said, at the very beginning, about how
# order is important? Whatever you do, do *not* place an
# access map like this one before the "permit mynetworks"
# and "reject_unauth_destination" statements. Not unless
# you want to be an open relay, anyway.

[ ... ]
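
The ordering warning at the end of recipient_checks.pcre, as an added example that is not part of the original message: a simplified Python model of first-match restriction evaluation using the four patterns shown above. The `evaluate` helper, the two-restriction orderings (SAFE, UNSAFE), the local-domain list and the sample addresses are assumptions made for illustration; real Postfix evaluates the full restriction list and decides relay destinations from its own domain settings.

```python
import re

# The four rules from recipient_checks.pcre above, in file order.
# Postfix pcre tables return the first matching entry and are case-insensitive by default.
RECIPIENT_CHECKS = [
    (r"^\@", "550 Invalid address format."),
    (r"[!%\@].*\@", "550 This server disallows weird address syntax."),
    (r"^postmaster\@", "OK"),
    (r"^abuse\@", "OK"),
]

def check_recipient_access(rcpt):
    """Return the action of the first matching pattern, or None (no decision)."""
    for pattern, action in RECIPIENT_CHECKS:
        if re.search(pattern, rcpt, re.IGNORECASE):
            return action
    return None

def reject_unauth_destination(rcpt, local_domains):
    """Simplified: reject recipients outside our own domains, else no decision."""
    domain = rcpt.rpartition("@")[2].lower()
    return None if domain in local_domains else "554 Relay access denied"

def evaluate(rcpt, order, local_domains=("codefab.com",)):
    """Walk the restrictions in order; the first decisive result ends evaluation."""
    steps = {
        "check_recipient_access": lambda: check_recipient_access(rcpt),
        "reject_unauth_destination": lambda: reject_unauth_destination(rcpt, local_domains),
    }
    for name in order:
        result = steps[name]()
        if result is not None:
            return result
    return "OK"  # the trailing "permit" in smtpd_recipient_restrictions

# Order used in the message's main.cf, and the order the comment warns against.
SAFE = ["reject_unauth_destination", "check_recipient_access"]
UNSAFE = ["check_recipient_access", "reject_unauth_destination"]

if __name__ == "__main__":
    # Constructed sample recipients (hypothetical addresses).
    for rcpt in ["postmaster@codefab.com", "postmaster@elsewhere.example",
                 "user%elsewhere.example@codefab.com", "@codefab.com"]:
        print(f"{rcpt:38} safe={evaluate(rcpt, SAFE)!r} unsafe={evaluate(rcpt, UNSAFE)!r}")
```

With the access map placed first, the `OK` for `postmaster@` is returned before the relay check runs, so mail for postmaster at any foreign domain is accepted for relay.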