[PLUG] email over the Internet...

plug_0 at robinson-west.com plug_0 at robinson-west.com
Sat Oct 7 04:34:26 UTC 2006


I'm working with a seller on eBay, and he said I bounced 2 of his emails to me.

I greylist. What else can I do to avoid having to content filter the 
junk any random zombie on the Net tries to throw at me?

According to postconf mail_version:
mail_version = 2.1.1



I use Postfix on a mail relay; my main.cf follows with comments embedded:

queue_directory = /var/spool/relay_spool
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix

mail_owner = postfix

default_privs = nobody

canonical_maps=hash:/etc/postfix/canonical

mydomain=robinson-west.com

myorigin=$mydomain

inet_interfaces = 209.210.202.170, 127.0.0.1

mydestination=
local_recipient_maps=
local_transport= error:local delivery is disabled

virtual_alias_maps=hash:/etc/postfix/virtual

mynetworks=127.0.0.0/8, 209.210.202.168/29
relay_domains = $mydomain, goose.$mydomain
parent_domain_matches_subdomains =
    debug_peer_list smtpd_access_maps

relay_recipient_maps=hash:/etc/postfix/relay_recipients
transport_maps=hash:/etc/postfix/transport

in_flow_delay = 1s

smtpd_banner = $myhostname ESMTP $mail_name

# What should smtpd_banner be and why does postfix allow flexibility here?
# What is in_flow_delay for and what should it be set to?



smtpd_delay_reject = yes

smtpd_helo_required=yes

disable_vrfy_command=yes

smtpd_reject_unlisted_sender=yes

# I don't understand smtpd_delay_reject, help.

# Why does postfix need smtpd_helo_required?  Isn't this standard behavior for
# the (e)smtp protocol?  What does smtpd_helo_required do and will the helo 
# address ever be used in a standard way?

# I don't understand what verify is about at all.

# I am assuming the smtpd_reject_unlisted_sender is for the greylisting, spf,
# and blacklisting rules that follow as a sort of default policy.



smtpd_helo_restrictions= check_helo_access hash:/etc/postfix/access,
                         check_helo_access hash:/etc/postfix/invalid_helo,
                         reject_invalid_hostname,
                         reject_non_fqdn_hostname,
                         reject_unknown_hostname,
                         permit_mynetworks

# Again, is any standard followed on the Internet for the helo address?  The 
# above rules are recommended in a lot of postfix documentation, but these 
# rules appear to be for a standard that isn't adhered to.  The invalid_helo 
# file is just a way to prevent mail coming in on my server that claims to be 
# from the server itself.  Is a requirement that a fully qualified domain 
# name match the helo string not adhered to?  How about the unknown hostname
# and invalid hostname rules, are they RFC and standard practices compatible?



smtpd_recipient_restrictions =
            check_sender_access hash:/etc/postfix/whitelist,
                                     reject_non_fqdn_sender,
                                  reject_non_fqdn_recipient,
                               reject_unknown_sender_domain,
                            reject_unknown_recipient_domain,
                                          permit_mynetworks,
                                  reject_unauth_destination,
               check_policy_service unix:private/policy-spf,
        check_sender_access hash:/etc/postfix/sender_access,
                                  reject_unlisted_recipient,
          check_policy_service unix:private/policy-greylist,
                           reject_rbl_client dnsbl.ahbl.org,
                          reject_rbl_client opm.blitzed.org,
                            reject_rbl_client list.dsbl.org,
                           reject_rbl_client hil.habeas.com,
                           reject_rbl_client bl.spamcop.net,
                         reject_rbl_client psbl.surriel.com,
                          reject_rbl_client cbl.abuseat.org,
                          reject_rbl_client dnsbl.sorbs.net,
               reject_rhsbl_sender bogusmx.rfc-ignorant.com,
                reject_rhsbl_sender bulk.rhs.mailpolice.com,
                reject_rhsbl_sender porn.rhs.mailpolice.com,
                   reject_rhsbl_sender dsn.rfc-ignorant.org,
            reject_rhsbl_sender postmaster.rfc-ignorant.org,
                 reject_rhsbl_sender abuse.rfc-ignorant.org,
                 reject_rhsbl_sender whois.rfc-ignorant.org,
                                                     permit

# In this section, I created a whitelist of email source addresses
# that I want to short circuit the greylist and SPF checks for because
# letting email in from certain legit sources is more important than 
# blocking someone trying to spoof those sources.  The rfc-ignorant
# lines have been a problem at times.  A lot of sites seem to
# have abandoned: postmaster, abuse, and whois.  Another question, is
# every legit email server on the Internet going to be fully qualified
# so that I can get past reject_non_fqdn_sender, etc.?
#
# With the inability to control your own PTR zone if you have a subnet
# and a shortage of IP blocks, reverse lookups on a hostname can fail
# to match a hostname.  Worse, not everyone is in whois.  PTR records
# should be 1 to many mappings and PTR zones should be able to cover
# subnets of any size in my opinion.  The maximum number of names that 
# can be mapped to an ip address should be rigidly defined.  Why when 
# dns was set up were PTR zones not supported in the same fashion that 
# forward zones are?  Why can I point forward lookups but not reverse 
# lookups to my own subnet for a domain I control?



policy_time_limit = 60 

# Is this how long I greylist for???



smtpd_sender_restrictions = reject_unknown_sender_domain

# What part of the mail header does the following deal with?
 


smtpd_client_restrictions = reject_unauth_pipelining,
                            permit_mynetworks

# What is pipelining???



smtpd_restriction_classes = local_only
local_only =
    check_recipient_access hash:/etc/postfix/local_domains, reject

# Do the latter rules mean that only local sources can send email or do
# they mean that only local sources can receive email via my server???



sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-1.1.7/samples
readme_directory = /etc/postfix/README_FILES

# Does postfix actually use these paths which hopefully aren't compiled in???



unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
defer_code = 450
invalid_hostname_reject_code = 501
maps_rbl_reject_code = 554
non_fqdn_reject_code = 504
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 450
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
multi_recipient_bounce_reject_code = 550

# Aren't the latter smtp code definitions part of the (e)smtp definition?
# Why does postfix let me set them???  What should they be set to???



html_directory = no

# Uhm, what does html have to do with postfix???

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
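
Added example, not part of the original post: Postfix evaluates each restriction list in order and stops at the first entry that returns a decision, so an access map that returns OK ahead of `reject_unauth_destination` skips the relay check as well as the SPF and greylist checks. The sketch below parses a main.cf fragment and reports such entries; the function names are hypothetical, the input is constructed from the posted list, and it assumes the whitelist map returns OK.

```python
import re
# Constructed, abridged from the post; assumes the whitelist map returns OK.
POSTED = """\
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/whitelist,
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service unix:private/policy-greylist
"""
REORDERED = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/whitelist,
    check_policy_service unix:private/policy-greylist
"""
CLIENT_KEYED = {"check_sender_access", "check_helo_access"}  # keyed on client-chosen values

def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous parameter."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                              # blank or comment line
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        else:
            name, _, value = (p.strip() for p in line.partition("="))
            params[name] = value
    return params

def restrictions(value):
    """Split a restriction list into [name, argument] pairs."""
    out = []
    for tok in filter(None, re.split(r"[,\s]+", value)):
        if re.fullmatch(r"[a-z_]+", tok):
            out.append([tok, None])               # restriction name
        elif out:
            out[-1][1] = tok                      # map, socket or DNSBL zone
    return out

def relay_guard_findings(text):
    """Entries that can return OK before reject_unauth_destination is reached."""
    items = restrictions(parse_main_cf(text).get("smtpd_recipient_restrictions", ""))
    names = [n for n, _ in items]
    if "reject_unauth_destination" not in names:
        return ["reject_unauth_destination missing"]
    guard = names.index("reject_unauth_destination")
    return [f"{n} {a}" if a else n for n, a in items[:guard]
            if n in CLIENT_KEYED or n == "permit"]
```

In the reordered list the whitelist still sits ahead of the greylist policy service, so whitelisted senders continue to bypass greylisting while the relay check runs first.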


