Postfix“smtpd_recipient_restrictions”的最佳参数设置

Question 1

你的规则顺序是非常不好。如果你想保留所有这些而不添加任何其他内容，则顺序必须是：

smtpd_recipient_restrictions = 
permit_mynetworks, 
permit_sasl_authenticated, 
reject_unauth_pipelining, 
reject_invalid_hostname, 
reject_non_fqdn_sender, 
reject_unknown_sender_domain, 
reject_unauth_destination, 
reject_unknown_recipient_domain, 
reject_rbl_client zen.spamhaus.org,
check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, 
reject_non_fqdn_recipient

如果这还不够，那么请postscreen阅读http://www.postfix.org/POSTSCREEN_README.html。

Answer

你的规则顺序是非常不好。如果你想保留所有这些而不添加任何其他内容，则顺序必须是：

smtpd_recipient_restrictions = 
permit_mynetworks, 
permit_sasl_authenticated, 
reject_unauth_pipelining, 
reject_invalid_hostname, 
reject_non_fqdn_sender, 
reject_unknown_sender_domain, 
reject_unauth_destination, 
reject_unknown_recipient_domain, 
reject_rbl_client zen.spamhaus.org,
check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, 
reject_non_fqdn_recipient

如果这还不够，那么请postscreen阅读http://www.postfix.org/POSTSCREEN_README.html。

Question 2

我建议使用类似于以下内容的 smtpd_recipient_restrictions：

smtpd_recipient_restrictions = 
  # Whitelisting or blacklisting:
  check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
  # Everyone should play after rules:
  reject_non_fqdn_recipient,
  reject_non_fqdn_sender,
  reject_unknown_recipient_domain,
  reject_unknown_sender_domain,
  reject_unauth_pipelining,
  # Mails from your users:
  permit_mynetworks,
  permit_sasl_authenticated,
  # This will block mails from domains with no reverse DNS record. Will affect both spam and ham mails, but mostly spam. 
  reject_unknown_reverse_client_hostname,
  # Instead of reject_unknown_reverse_client_hostname you can also use reject_unknown_client_hostname, which is an even harder rule. 
  # Reject ugly HELO/EHLO-hostnames (could also affect regular mails):
  reject_non_fqdn_hostname,
  reject_invalid_helo_hostname,
  # Reject everything you're not responsible for:
  reject_unauth_destination,
  # Only take mails for existing accounts:
  reject_unverified_recipient,
  # DNS lookups are "expensive", therefore should be at bottom
  reject_rbl_client zen.spamhaus.org

有关 smtpd_recipient_restrictions 的详细信息可以在这里找到：http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

也许你还想使用后灰色，后筛选，后发或者其他一些策略守护进程。

并且还要检查您是否在预排队模式下使用 amavisd-new。

Answer

我建议使用类似于以下内容的 smtpd_recipient_restrictions：

smtpd_recipient_restrictions = 
  # Whitelisting or blacklisting:
  check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
  # Everyone should play after rules:
  reject_non_fqdn_recipient,
  reject_non_fqdn_sender,
  reject_unknown_recipient_domain,
  reject_unknown_sender_domain,
  reject_unauth_pipelining,
  # Mails from your users:
  permit_mynetworks,
  permit_sasl_authenticated,
  # This will block mails from domains with no reverse DNS record. Will affect both spam and ham mails, but mostly spam. 
  reject_unknown_reverse_client_hostname,
  # Instead of reject_unknown_reverse_client_hostname you can also use reject_unknown_client_hostname, which is an even harder rule. 
  # Reject ugly HELO/EHLO-hostnames (could also affect regular mails):
  reject_non_fqdn_hostname,
  reject_invalid_helo_hostname,
  # Reject everything you're not responsible for:
  reject_unauth_destination,
  # Only take mails for existing accounts:
  reject_unverified_recipient,
  # DNS lookups are "expensive", therefore should be at bottom
  reject_rbl_client zen.spamhaus.org

有关 smtpd_recipient_restrictions 的详细信息可以在这里找到：http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

也许你还想使用后灰色，后筛选，后发或者其他一些策略守护进程。

并且还要检查您是否在预排队模式下使用 amavisd-new。

Postfix“smtpd_recipient_restrictions”的最佳参数设置

答案1

答案2

相关内容