Linux Users' Group of Davis
Page last updated:
2004 Apr 21 09:37

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

[vox-tech] postfix question

Hi all,

Spam has been sapping my productivity again, so I took a few hours out
to try to fix the problem.

Based on previous messages on vox-tech and some articles I've read, I
switched over from exim3 to postfix 2.0.16.

Here's what I've added to /etc/postfix/main.cf:

   # By default, smtpd_client_restrictions is applied at the RCPT TO
   # command.  To have the restriction take effect ASAP, do this (may
   # cause unexpected results with poorly implemented client software):
   smtpd_delay_reject = no

   # Require HELO/EHLO, and disable VRFY. 
   smtpd_helo_required = yes
   disable_vrfy_command = yes

   # This restricts what clients this system accepts SMTP connections from.
   smtpd_client_restrictions =
(2)   reject_non_fqdn_sender,
(3)   reject_non_fqdn_recipient,
(1)   check_helo_access hash:/etc/postfix/helo_checks,
      reject_rbl_client bl.spamcop.net,
      reject_rbl_client list.dsbl.org,
      reject_rbl_client relays.ordb.org,
      reject_rbl_client cbl.abuseat.org
      reject_rbl_client sbl.spamhaus.org,
      reject_rbl_client opm.blitzed.org,
      reject_rbl_client dul.dnsbl.sorbs.net,

   smtpd_data_restrictions =

Here's /etc/postfix/helo_checks:

   dirac.org      REJECT You are not in dirac.org.  Go away, spammer.
   www.dirac.org  REJECT You are not in dirac.org.  Go away, spammer.
   mail.dirac.org REJECT You are not in dirac.org.  Go away, spammer.
   localhost      REJECT You are not my localhost.  Go away, spammer.

I compiled helo_checks with "postmap helo_checks" and restarted postfix.
The error/warn logs didn't indicate any problems.

The RBL checks work (boy, do they work!):

   Apr 21 07:31:45 gabriel postfix/smtpd[2375]: NOQUEUE: reject: CONNECT
   from WLL-2 5-pppoe180.t-net.net.ve[]: 554 Service
   unavailable; Client host [] blocked using list.dsbl.org;
   http://dsbl.org/listing?ip=200.31.13 9.180; proto=SMTP

However, I wrote myself an email from a foreign host:

     lifshitz.ucdavis.edu$ telnet dirac.org 25
     Connected to adsl-64-142-25-39.sonic.net (
     Escape character is '^]'.
     220 gabriel.localdomain ESMTP Postfix (Debian/GNU)
(1)  helo localhost
     250 gabriel.localdomain
(2)  mail from: blah.foo.bar
     250 Ok
(3)  rcpt to: p
     250 Ok
     354 End data with <CR><LF>.<CR><LF>
     250 Ok: queued as C4AA03DC1
     221 Bye

This violates a few spam controls that should be in place.

1. I used "helo localhost" from a host not on my local subnet, yet
   postfix accepted it, in violation of (1) above.

2. mail from was not a FQDN sender, in violation of (2).

3. rcpt to: was not a FQDN recipient, in violation of (3).

I haven't gotten any spam in the past few minutes, so the RBLs are doing
a good job, but I do want my other spam controls to work.  If something
is wrong with how I configured postfix, I'd like to know. 

Any ideas on why those 3 checks seem to be ignored by postfix?


Make everything as simple as possible, but no simpler.  -- Albert Einstein
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
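
An added example, not part of the original post or of Postfix itself: a small Python check for the kind of main.cf shown above. It assumes the documented Postfix behaviour that with smtpd_delay_reject = no each restriction list is evaluated at its own protocol stage, so a restriction placed in a list that runs before its data exists has nothing to match; the function names, the stage tables and the sample config (constructed from the settings in the post) are this example's own.

```python
import re

# Stage at which each list is evaluated when smtpd_delay_reject = no.
STAGE = {"smtpd_client_restrictions": 0, "smtpd_helo_restrictions": 1,
         "smtpd_sender_restrictions": 2, "smtpd_recipient_restrictions": 3}
# Earliest stage at which each restriction has the data it inspects
# (only the restrictions used in the post are listed here).
NEEDS = {"reject_rbl_client": 0, "check_helo_access": 1,
         "reject_non_fqdn_sender": 2, "reject_non_fqdn_recipient": 3}
NAMES = ["connect", "HELO", "MAIL FROM", "RCPT TO"]

# Constructed sample: the relevant settings from the post, display indent removed.
SAMPLE = """\
# evaluate each list as early as possible
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_client_restrictions =
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   check_helo_access hash:/etc/postfix/helo_checks,
   reject_rbl_client bl.spamcop.net
"""

def parse_main_cf(text):
    """Parse main.cf text; lines starting with whitespace continue a value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key is not None:
            params[key] += " " + line.strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            key = key.strip()
            params[key] = value.strip()
    return params

def find_misplaced(params):
    """Return (restriction, list, stage needed) for checks that run too early."""
    if params.get("smtpd_delay_reject", "yes").lower() != "no":
        return []  # every list is deferred to RCPT TO, so all data is available
    findings = []
    for list_name, stage in STAGE.items():
        for token in re.split(r"[,\s]+", params.get(list_name, "")):
            need = NEEDS.get(token)
            if need is not None and need > stage:
                findings.append((token, list_name, NAMES[need]))
    return findings

if __name__ == "__main__":
    for restriction, list_name, stage in find_misplaced(parse_main_cf(SAMPLE)):
        print(f"{restriction} in {list_name} needs data from {stage}")
```

Moving each flagged restriction into the list for the stage it names (smtpd_helo_restrictions, smtpd_sender_restrictions, smtpd_recipient_restrictions) clears the findings.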