[PLUG] postfix content_filter AFTER recipient_restrictions?
Rich Shepard
rshepard at appl-ecosys.com
Wed Feb 28 20:25:29 UTC 2007
On Wed, 28 Feb 2007, Kurt Sussman wrote:
> Now I see that I really want to have more control over where in the list
> of restrictions the content_filter falls. E.g. I want to check my sender
> exceptions and rfc822 stuff, THEN apply the content_filter, then check the
> rest of my restrictions.
>
> Is this possible? Hints will be greatly appreciated...
Kurt,

Yes. The order in which the restrictions are listed is the order in which
they are checked. And, that makes a _very_ big difference.

When I tried greylisting, I had the call to the greylist tool high in the
check list. _Every_ message was sent off. Then I moved it to the very end,
and only those that made it past all the other checks were greylisted. (Then
I removed it because it was more of a bother than a help. :-) )

The general idea, IIRC, is to do all your acceptances first (e.g.,
permit_mynetworks), then apply the other filters. I also learned recently
that there are advantages of separating check_client_restrictions prior to
check_sender_restrictions. Even without the greylisting, I'm back down to
perhaps 4 spam per day that plop into my INBOX.

My UCE filters are these; I don't use amavis, but you know where to insert
it in the queue:

smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/internal_network,
    permit_mynetworks,
    #check_sender_access hash:/etc/postfix/sender_no_greylist,
    check_client_access hash:/etc/postfix/badaddr,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client list.dsbl.org,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    reject_unknown_reverse_client_hostname,
    check_sender_mx_access cidr:/etc/postfix/bogus_mx,
    check_sender_access hash:/etc/postfix/rhsbl_sender_exceptions,
    check_sender_access hash:/etc/postfix/common_spam_senderdomains,
    check_sender_access hash:/etc/postfix/badaddr,
    permit

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
    check_recipient_access hash:/etc/postfix/recipients,
    check_helo_access pcre:/etc/postfix/helo_checks,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    permit

smtpd_data_restrictions =
    reject_multi_recipient_bounce

HTH,
Rich
--
Richard B. Shepard, Ph.D. | The Environmental Permitting
Applied Ecosystem Services, Inc. | Accelerator(TM)
<http://www.appl-ecosys.com> Voice: 503-667-4517 Fax: 503-667-8863
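
Added example, not part of the message above and not Postfix code: a small Python model of the first-match evaluation the reply describes, counting how often a greylist policy check is consulted when it sits first versus last in a restriction list. The policy service name, the sample clients and their verdicts are constructed, and the greylist is assumed to defer every client as a first-time sender.

```python
# Toy model of Postfix first-match evaluation (an illustration, not Postfix code).
# Restriction names are real; the greylist service name and the per-client
# verdicts are constructed for this example.
STANZA = """\
smtpd_client_restrictions =
    permit_mynetworks,
    #check_sender_access hash:/etc/postfix/sender_no_greylist,
    reject_rbl_client zen.spamhaus.org,
    reject_unknown_reverse_client_hostname,
    permit
"""
GREYLIST = "check_policy_service unix:private/greylist"  # hypothetical service

# Each constructed client maps a restriction to the verdict it would return.
CLIENTS = [
    {"permit_mynetworks": "PERMIT"},                       # host on the local network
    {"reject_rbl_client zen.spamhaus.org": "REJECT"},      # blocklisted address
    {"reject_rbl_client zen.spamhaus.org": "REJECT"},      # blocklisted address
    {"reject_unknown_reverse_client_hostname": "REJECT"},  # no reverse DNS
    {},                                                    # unknown but clean sender
]

def parse_restrictions(stanza):
    """Return the ordered restrictions of one comma-separated main.cf value."""
    value = stanza.split("=", 1)[1]
    lines = [ln.strip() for ln in value.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]  # drop comments
    return [r.strip() for r in " ".join(lines).split(",") if r.strip()]

def evaluate(rules, client, calls):
    """Walk the list in order; the first non-DUNNO verdict ends the walk."""
    # Simplification: the greylist defers everyone, as if each were a new sender.
    verdicts = {"permit": "PERMIT", GREYLIST: "DEFER", **client}
    for rule in rules:
        calls[rule] = calls.get(rule, 0) + 1
        if verdicts.get(rule, "DUNNO") != "DUNNO":
            return verdicts[rule]
    return "DUNNO"

def simulate(position):
    """Insert the greylist check at `position`; return (greylist calls, outcomes)."""
    rules = parse_restrictions(STANZA)
    rules.insert(position, GREYLIST)  # 0 = first, -1 = just before the final permit
    calls = {}
    outcomes = [evaluate(rules, c, calls) for c in CLIENTS]
    return calls.get(GREYLIST, 0), outcomes

if __name__ == "__main__":
    print("greylist first:", simulate(0))
    print("greylist last: ", simulate(-1))
```

With the check first, even the local-network host is deferred before permit_mynetworks is reached; with it last, only the one client that passed every other check reaches the policy service.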