On Mon, 2004-06-28 at 11:04, Cowles, Steve wrote:
> Travis Fraser wrote:
> > Steve,
> >
> > If I might ask, what do you configure in main.cf to achieve what you
> > described above?
> >
> > Travis Fraser
>
> 1) In main.cf I set the variable "mynetworks" to be:
>
> mynetworks=192.168.8.0/22, 127.0.0.1
>
> Note: The /22 is summarized to encompass my DMZ network, protected LAN and
> stub (wireless) networks.
>
> 2) Then in /etc/postfix/access, I add a REJECT for each of my registered
> domains:
>
> mydomain.com REJECT You are not from mydomain.com
> mydomain1.com REJECT You are not from mydomain1.com
> Etc...
>
> 3) Then I define a very specific order for smtpd_recipient_restrictions:
>
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unauth_destination
>     [trim] More rejects....
>     check_sender_access hash:/etc/postfix/access
>     [trim] More rejects and call to spamassassin.
>     permit
>
> Note that permit_mynetworks is listed first, then authenticated users,
> followed by a bunch of other postfix tests, then the check_sender_access
> which references the /etc/mail/access file. The order in which these tests
> are listed is critical. In short, I'm trying to save CPU cycles by:
>
> 1) Rejecting prior to the data portion of the e-mail. No bounces
> 2) Reject prior to postfix submitting to its queue. No bounces
> 3) Rejecting inbound e-mail before calling Spamassassin. No bounces
>
> The header checks are even easier to implement, but BE CAREFUL. You might
> want to set up a test system prior to implementing any of these tests on a
> live server. In fact, I would recommend that you set up a test system before
> implementing the mail from test listed above. With that in mind...
>
> 1) In main.cf, I add:
> header_checks = regexp:/etc/postfix/header_checks
> body_checks = regexp:/etc/postfix/body_checks
>
> 2) In /etc/postfix/header_checks
>
> /^(From|Return-Path):.*[:<:](spamtrap@mydomain\.com)[:>:]/
>     REJECT Forged sender address in $1: message header: $2
>
> The above regexp would reject the following header from address (not the
> mail from) like:
>
> From: Steve Cowles <spamtrap@xxxxxxxxxxx>
> Return-Path: Steve Cowles <spamtrap@xxxxxxxxxxx>
> or
> From: Byte Me <spamtrap@xxxxxxxxxxxx>
>
> Note: If you're more comfortable using perl regexp syntax, then you can
> specify:
> header_checks = pcre:/etc/postfix/header_checks.pcre
>
> But I had to recompile postfix to support pcre syntax.
>
> Good luck! And BE CAREFUL. What I'm showing is NOT for the newbie e-mail
> admin to implement. One false move and you will start rejecting legitimate
> e-mail when that was not your original intent.
>
> Steve Cowles
>

Thank you for the smtpd_recipient_restrictions information. I have been
using Postfix on a test network first, as you suggest. As far as
implementing SpamAssassin with Postfix, I was looking at Mailscanner or
amavisd-new. Do you have a simpler suggestion for calling SA from within
the recipient_restrictions checks?

Thanks,
Travis Fraser
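
Added example (not part of the thread and not Postfix code): a simplified Python model of the first-match evaluation of smtpd_recipient_restrictions described in the quoted message, using its mynetworks and access-map values. LOCAL_DOMAINS, the sample sessions and the domain-only access lookup are assumptions, and the trimmed restrictions are left out.

```python
import ipaddress

# mynetworks and the access map are copied from the quoted message.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("192.168.8.0/22", "127.0.0.1/32")]
SENDER_ACCESS = {
    "mydomain.com": "REJECT You are not from mydomain.com",
    "mydomain1.com": "REJECT You are not from mydomain1.com",
}
# Assumption: these are the domains this server accepts mail for.
LOCAL_DOMAINS = {"mydomain.com", "mydomain1.com"}
# Order from the message, with the trimmed entries left out.
RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                "reject_unauth_destination", "check_sender_access", "permit"]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def evaluate(client_ip, sender, recipient, sasl=False, order=RESTRICTIONS):
    """Walk the restrictions in order; the first one that decides wins."""
    ip = ipaddress.ip_address(client_ip)
    for name in order:
        if name == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return "PERMIT", name
        if name == "permit_sasl_authenticated" and sasl:
            return "PERMIT", name
        if name == "reject_unauth_destination" and domain(recipient) not in LOCAL_DOMAINS:
            return "REJECT", name
        # Simplified lookup: sender domain only, no user@ or parent-domain keys.
        if name == "check_sender_access" and domain(sender) in SENDER_ACCESS:
            return "REJECT", name
        if name == "permit":
            return "PERMIT", name
    return "PERMIT", "end of list"

# Constructed sessions: (client IP, MAIL FROM, RCPT TO).
CASES = {
    "LAN user sending out": ("192.168.9.20", "steve@mydomain.com", "friend@example.org"),
    "outside host forging local sender": ("203.0.113.7", "steve@mydomain.com", "travis@mydomain.com"),
    "legitimate inbound": ("203.0.113.7", "friend@example.org", "travis@mydomain.com"),
    "outside relay attempt": ("203.0.113.7", "friend@example.org", "victim@example.net"),
}
# Same restrictions with the sender check moved to the front.
MISORDERED = ["check_sender_access"] + [r for r in RESTRICTIONS if r != "check_sender_access"]

if __name__ == "__main__":
    for label, case in CASES.items():
        print(f"{label:35} as posted: {evaluate(*case)}  misordered: {evaluate(*case, order=MISORDERED)}")
```

With the sender check moved ahead of permit_mynetworks, the LAN user's own outbound mail is rejected, which is the false-reject case the ordering in the message avoids.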