Just snippets and ideas; compile the check files with postmap.
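# smtpd hardening snippets for /etc/postfix/main.cf.
# Continuation lines of a multi-line value MUST start with whitespace; a line
# that begins in column 0 starts a new "parameter = value" and the previous
# list is cut short.  Apply with "postfix reload".

# Time limit for sending a reply or receiving a command (Postfix default: 300s).
smtpd_timeout = 30s
# Maximum simultaneous connections from one client (Postfix default: 50).
smtpd_client_connection_count_limit = 20
# Refuse MAIL FROM from clients that skipped HELO/EHLO.
smtpd_helo_required = yes
# The default, stated explicitly: client and HELO rejections are evaluated at
# RCPT TO, so the log shows sender and recipient.  With "no" the HELO list
# would run before the client can AUTH, and permit_sasl_authenticated in it
# would never match.
smtpd_delay_reject = yes
# VRFY lets a remote side enumerate valid mailboxes; switch it off.
disable_vrfy_command = yes

# HELO checks.  reject_unknown_hostname rejects every HELO name without an
# A or MX record, which also hits legitimate hosts with broken DNS - watch
# the logs for false positives.  Postfix 2.3+ spells these
# reject_*_helo_hostname; the old names are still accepted.
smtpd_helo_restrictions =
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_unknown_hostname,
    reject_non_fqdn_hostname

# SASL.  noanonymous only forbids anonymous mechanisms; PLAIN/LOGIN are still
# offered, so either restrict AUTH to TLS sessions (smtpd_tls_auth_only) or add
# noplaintext, otherwise credentials cross the network in the clear.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# Also advertise the old "AUTH=..." form for legacy clients (Outlook Express).
broken_sasl_auth_clients = yes

# Client checks, first match wins.  An OK from white_list ends only this list;
# smtpd_recipient_restrictions (including reject_unauth_destination) still
# run.  regexp: and cidr: maps are read as-is, no postmap needed for them.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access regexp:/etc/postfix/white_list,
    check_client_access regexp:/etc/postfix/rejections,
    check_client_access cidr:/etc/postfix/spamranges.cidr

# Recipient checks.  reject_unauth_destination sits directly after the two
# permits on purpose: an access map evaluated before it that can return OK
# (sender_checks is not shown here) would otherwise turn this host into an
# open relay, and no DNSBL query is spent on relay attempts that are rejected
# anyway.  hash: maps must be compiled with "postmap hash:/etc/postfix/<name>".
# zen.spamhaus.org: check the publisher's usage terms for your query volume.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_helo_access hash:/etc/postfix/helo_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    reject_rbl_client zen.spamhaus.org,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit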
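# /etc/postfix/helo_checks - hash: access map used by check_helo_access in
# smtpd_recipient_restrictions.  Rejects clients whose HELO/EHLO name claims
# to be this server (replace the placeholder names and address with the real
# ones) or localhost; a legitimate remote MTA never introduces itself with
# our own identity.  Compile after every edit:
#   postmap hash:/etc/postfix/helo_checks
# Format: <key> <whitespace> <result>.  Text after REJECT is the reply the
# client receives, so keep it short and free of internal details.
mail.yourdomain.tld     REJECT don't try to be like me I am evil
mail.yourdomain2.tld    REJECT don't try to be like me I am evil
1.2.3.4                 REJECT don't try to be like me I am evil
localhost               REJECT Look into your own mirror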
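# /etc/postfix/spamranges.cidr - cidr: access map used by check_client_access
# in smtpd_client_restrictions.  Read directly by Postfix; no postmap needed.
# Format: <network/prefix> <result>.  The result must be an action or a
# 4xx/5xx code followed by the reply text; a bare text (the 217.148.237.0/24
# entry used to lack its 554) is taken for a restriction name instead of a
# reply and makes Postfix log a configuration error rather than reject.
# This is a static list: address blocks change hands, so review it
# periodically before it starts rejecting legitimate senders.
109.191.0.0/17     554 eat my shorts
109.230.0.0/21     554 eat my shorts
193.169.180.0/23   554 eat my shorts
193.239.4.0/22     554 eat my shorts
217.148.237.0/24   554 eat my shorts
62.27.38.0/24      554 eat my shorts
62.27.57.0/24      554 eat my shorts
62.93.26.0/23      554 eat my shorts
78.47.227.0/26     554 eat my shorts
82.98.93.0/24      554 eat my shorts
91.184.32.0/19     554 eat my shorts
95.104.192.0/21    554 eat my shorts
95.130.124.0/22    554 eat my shorts
95.181.0.0/17      554 eat my shorts
92.244.224.0/21    554 eat my shorts
46.16.23.0/26      554 eat my shorts
131.91.0.0/16      554 eat my shorts
46.16.23.64/26     554 eat my shorts
89.230.68.0/22     554 eat my shorts
89.230.72.0/21     554 eat my shorts
77.65.64.0/21      554 eat my shorts
67.62.0.0/16       554 eat my shorts
210.54.141.0/24    554 eat my shorts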
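# /etc/postfix/white_list - regexp: access map used by check_client_access in
# smtpd_client_restrictions, consulted BEFORE the S25R rejections and the
# CIDR blocklist.  Matched against the client hostname/address; regexp tables
# are case-insensitive by default.  OK ends smtpd_client_restrictions only -
# the recipient restrictions, including reject_unauth_destination, still apply.
# Read directly by Postfix; no postmap needed.
# Every dot is escaped and the pattern is anchored at the end, so
# "evil-google.com" does not match "\.google\.com$".  (The previous
# "clients.your-server" entry had an unescaped dot, and stratoserver was
# listed twice.)
/\.google\.com$/ OK
/\.hotmail\.com$/ OK
/\.data-hotel\.net$/ OK
/\.yahoo\.co\.jp$/ OK
/\.yahoo\.com$/ OK
/\.mixi\.jp$/ OK
/\.m2\.home\.ne\.jp$/ OK
/\.softbank\.ne\.jp$/ OK
/\.ezweb\.ne\.jp$/ OK
/\.verisign\.net$/ OK
/\.kasserver\.com$/ OK
/\.ipxserver\.de$/ OK
/\.stratoserver\.net$/ OK
/\.innovasoft\.es$/ OK
/\.vserver\.softronics\.ch$/ OK
/\.serverkompetenz\.net$/ OK
/\.netzquadrat\.net$/ OK
/\.onlinehome\-server\.info$/ OK
/\.blackberry\.com$/ OK
/\.amazon\.com$/ OK
/\.clients\.your\-server\.de$/ OK
/\.att\-webhosting\.com$/ OK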
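#!/bin/bash
# DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
# Version 2, December 2004
# very simple whitelist updater for S25R system
# written by Milan Berger (m.berger@ghcif.de)
#
# Fetches the published S25R whitelist, merges it with the local
# /etc/postfix/white_list (a regexp: access map whose entries all return OK,
# i.e. they end smtpd_client_restrictions early) and installs the merged,
# de-duplicated result, keeping the previous map as white_list.1.
# Every line that lands in that file becomes a permit, so the download is
# checked before it replaces the live map, and scratch files live in a
# private mktemp directory instead of fixed, predictable names in /tmp.

set -euo pipefail

WHITELIST_URL='http://www.gabacho-net.jp/en/anti-spam/white-list.txt'
WHITELIST=/etc/postfix/white_list
BACKUP="${WHITELIST}.1"

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
newwhite="$tmpdir/newwhite"
merged="$tmpdir/merged"

# -f: an HTTP error page must not end up as whitelist content.
# NOTE: plain http - use an https URL if the publisher offers one; until then
# treat the content as alterable in transit, which is why it is validated below.
# grep -v '#' drops every line containing a '#', not only comment lines.
curl -fsS "$WHITELIST_URL" | grep -v '#' | sed '/^$/d' > "$newwhite"

# An empty download means the upstream changed or failed: keep the current map.
if [ ! -s "$newwhite" ]; then
    echo "$0: empty whitelist download, keeping $WHITELIST" >&2
    exit 1
fi

# Accept only lines shaped like access-map rules: /pattern/ <result>.
if grep -vqE '^/.*/[[:space:]]+[A-Za-z0-9]' "$newwhite"; then
    echo "$0: unexpected line format in download, keeping $WHITELIST" >&2
    exit 1
fi

# Merge with the existing map and drop duplicate lines; order is irrelevant
# for a list in which every entry returns OK.
cat "$WHITELIST" "$newwhite" | sort -u > "$merged"

# Let Postfix parse the candidate map before it goes live.  postmap -q exits
# non-zero for a key that is simply not found, so the verdict is taken from
# stderr: any warning (e.g. a malformed regexp) aborts the update.
errs=$(postmap -q localhost "regexp:$merged" 2>&1 >/dev/null) || true
if [ -n "$errs" ]; then
    echo "$0: postmap rejected the merged map, keeping $WHITELIST" >&2
    echo "$errs" >&2
    exit 1
fi

cp -p "$WHITELIST" "$BACKUP"
install -m 0644 "$merged" "$WHITELIST"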
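# S25R client permission specifications for Postfix
# Contributed by ASAMI Hideo (Japan), Jun 2004; Jul 2007
# Refer to: http://www.gabacho-net.jp/en/anti-spam/
#
# /etc/postfix/rejections - regexp: access map used by check_client_access in
# smtpd_client_restrictions, after white_list.  Matched against the client
# hostname (regexp tables are case-insensitive by default, which is why "ppp"
# below also catches "PPPbf708...").  Read directly by Postfix; no postmap.
# NOTE: rule 0 uses a 450 (temporary) reply, the published S25R approach that
# lets a misclassified legitimate MTA keep retrying; every other rule here
# replies 554, so a misclassification becomes a permanent bounce - confirm
# that is intended and keep white_list current.
#
# pr86.internetdsl.tpnet.pl
# fq217.neoplus.adsl.tpnet.pl
# pa148.braniewo.sdi.tpnet.pl
/\.(internetdsl|adsl|sdi)\.tpnet\.pl$/ 554 no DSL senders allowed
#
# user-0cetcbr.cable.mindspring.com
# user-vc8fldi.biz.mindspring.com
/^user.+\.mindspring\.com$/ 554 no DSL senders allowed
#
# c9531ecc.virtua.com.br (hexadecimal used)
# c9066a60.static.spo.virtua.com.br (hexadecimal used)
/^[0-9a-f]{8}\.(.+\.)?virtua\.com\.br$/ 554 no DSL senders allowed
#
# catv-5984bdee.catv.broadband.hu (hexadecimal used)
/\.catv\.broadband\.hu$/ 554 no DSL senders allowed
#
# Edc3e.e.pppool.de
# BAA1408.baa.pppool.de
/[0-9a-f]{4}\.[a-z]+\.pppool\.de$/ 554 no DSL senders allowed
#
# pD9EB80CB.dip0.t-ipconnect.de (hexadecimal used)
/\.dip[0-9]+\.t-ipconnect\.de$/ 554 no DSL senders allowed
#
# pD9E799A1.dip.t-dialin.net (hexadecimal used)
/\.dip\.t-dialin\.net$/ 554 no DSL senders allowed
#
# ool-43511bdc.dyn.optonline.net (hexadecimal used)
/\.dyn\.optonline\.net$/ 554 no DSL senders allowed
#
# rt-dkz-1699.adsl.wanadoo.nl
# c3eea5738.cable.wanadoo.nl (hexadecimal used)
/\.(adsl|cable)\.wanadoo\.nl$/ 554 no DSL senders allowed
#
# ACBBD419.ipt.aol.com (hexadecimal used)
/\.ipt\.aol\.com$/ 554 no DSL senders allowed
#
# *** GENERIC PROTECTION ***
#
# [rule 0]
#/^unknown$/ 450 reverse lookup failure, be patient
#
# [rule 1]
# ex.: evrtwa1-ar3-4-65-157-048.evrtwa1.dsl-verizon.net
# ex.: a12a190.neo.rr.com
/^[^.]*[0-9][^0-9.]+[0-9].*\./ 554 no DSL senders allowed
#
# [rule 2]
# ex.: pcp04083532pcs.levtwn01.pa.comcast.net
/^[^.]*[0-9]{5}/ 554 no DSL senders allowed
#
# [rule 3]
# ex.: 398pkj.cm.chello.no
# ex.: host.101.169.23.62.rev.coltfrance.com
/^([^.]+\.)?[0-9][^.]*\.[^.]+\..+\.[a-z]/ 554 no DSL senders allowed
#
# [rule 4]
# ex.: wbar9.chi1-4-11-085-222.dsl-verizon.net
/^[^.]*[0-9]\.[^.]*[0-9]-[0-9]/ 554 no DSL senders allowed
#
# [rule 5]
# ex.: d5.GtokyoFL27.vectant.ne.jp
/^[^.]*[0-9]\.[^.]*[0-9]\.[^.]+\..+\./ 554 no DSL senders allowed
#
# [rule 6]
# ex.: dhcp0339.vpm.resnet.group.upenn.edu
# ex.: dialupM107.ptld.uswest.net
# ex.: PPPbf708.tokyo-ip.dti.ne.jp
# ex.: dsl411.rbh-brktel.pppoe.execulink.com
# ex.: adsl-1415.camtel.net
# ex.: xdsl-5790.lubin.dialog.net.pl
/^(dhcp|dialup|ppp|[achrsvx]?dsl)[^.]*[0-9]/ 554 no DSL senders allowed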