[PLUG] postfix content_filter AFTER recipient_restrictions?

Rich Shepard rshepard at appl-ecosys.com
Wed Feb 28 20:25:29 UTC 2007


On Wed, 28 Feb 2007, Kurt Sussman wrote:

> Now I see that I really want to have more control over where in the list
> of restrictions the content_filter falls. E.g. I want to check my sender
> exceptions and rfc822 stuff, THEN apply the content_filter, then check the
> rest of my restrictions.
>
> Is this possible? Hints will be greatly appreciated...

Kurt,

   Yes. The order in which the restrictions are listed is the order in which
they are checked. And, that makes a _very_ big difference.

   When I tried greylisting, I had the call to the greylist tool high in the
check list. _Every_ message was sent off. Then I moved it to the very end,
and only those that made it past all the other checks were greylisted. (Then
I removed it because it was more of a bother than a help. :-) )

   The general idea, IIRC, is to do all your acceptances first (e.g.,
permit_mynetworks), then apply the other filters. I also learned recently
that there are advantages of separating check_client_restrictions prior to
check_sender_restrictions. Even without the greylisting, I'm back down to
perhaps 4 spam per day that plop into my INBOX.

   My UCE filters are these; I don't use amavis, but you know where to insert
it in the queue:

smtpd_client_restrictions =
         check_client_access hash:/etc/postfix/internal_network,
         permit_mynetworks,
         #check_sender_access hash:/etc/postfix/sender_no_greylist,
         check_client_access hash:/etc/postfix/badaddr,
         reject_rbl_client zen.spamhaus.org,
         reject_rbl_client bl.spamcop.net,
         reject_rbl_client list.dsbl.org,
         reject_rhsbl_sender dsn.rfc-ignorant.org,
         reject_unknown_reverse_client_hostname,
         check_sender_mx_access cidr:/etc/postfix/bogus_mx,
         check_sender_access hash:/etc/postfix/rhsbl_sender_exceptions,
         check_sender_access hash:/etc/postfix/common_spam_senderdomains,
         check_sender_access hash:/etc/postfix/badaddr,
         permit

smtpd_recipient_restrictions =
         permit_mynetworks,
         reject_unauth_destination,
         check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
         check_recipient_access hash:/etc/postfix/recipients,
         check_helo_access pcre:/etc/postfix/helo_checks,
         reject_non_fqdn_recipient,
         reject_non_fqdn_sender,
         reject_unknown_sender_domain,
         reject_non_fqdn_hostname,
         reject_invalid_hostname,
         permit

smtpd_data_restrictions =
         reject_multi_recipient_bounce

HTH,

Rich

-- 
Richard B. Shepard, Ph.D.               |    The Environmental Permitting
Applied Ecosystem Services, Inc.        |          Accelerator(TM)
<http://www.appl-ecosys.com>     Voice: 503-667-4517      Fax: 503-667-8863
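
Added example (not part of the message above and not Postfix's own code): a simplified Python model of first-match evaluation within one restriction list, counting how many clients reach a greylisting check when it is listed first versus last. The sample clients, the 192.0.2.0/24 local network and the always-defer `greylist_policy` are constructed assumptions.

```python
# Simplified model of how Postfix walks ONE smtpd_*_restrictions list:
# each restriction answers PERMIT, REJECT, DEFER or DUNNO, and the first
# answer that is not DUNNO ends the walk. All data below is constructed.
from collections import Counter

PERMIT, REJECT, DEFER, DUNNO = "PERMIT", "REJECT", "DEFER", "DUNNO"

def permit_mynetworks(c):      # assumption: local network is 192.0.2.0/24
    return PERMIT if c["ip"].startswith("192.0.2.") else DUNNO

def reject_rbl_client(c):      # stand-in for a DNSBL lookup
    return REJECT if c["listed"] else DUNNO

def reject_unknown_reverse_client_hostname(c):
    return REJECT if c["ptr"] is None else DUNNO

def greylist_policy(c):        # hypothetical policy: defer every first attempt
    return DEFER

def evaluate(restrictions, client, calls):
    """Return the final action for client; count each restriction consulted."""
    for check in restrictions:
        calls[check.__name__] += 1
        result = check(client)
        if result != DUNNO:
            return result
    return PERMIT  # the lists in the post end with an explicit "permit"

CLIENTS = [  # constructed sample connections
    {"ip": "192.0.2.10", "listed": False, "ptr": "ws1.example.org"},
    {"ip": "198.51.100.7", "listed": True, "ptr": None},
    {"ip": "198.51.100.8", "listed": True, "ptr": "dyn.example.net"},
    {"ip": "203.0.113.5", "listed": False, "ptr": None},
    {"ip": "203.0.113.9", "listed": False, "ptr": "mail.example.com"},
]

def run(restrictions):
    calls = Counter()
    actions = [evaluate(restrictions, c, calls) for c in CLIENTS]
    return actions, calls

CHEAP = [permit_mynetworks, reject_rbl_client, reject_unknown_reverse_client_hostname]
GREYLIST_FIRST = [greylist_policy] + CHEAP
GREYLIST_LAST = CHEAP + [greylist_policy]

if __name__ == "__main__":
    for name, order in (("first", GREYLIST_FIRST), ("last", GREYLIST_LAST)):
        actions, calls = run(order)
        print(f"greylist {name}: consulted {calls['greylist_policy']}x -> {actions}")
```

With the greylist check first, even the local-network client is deferred, because `permit_mynetworks` is never reached.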


