From: "Mark Scholten" on 10 Aug 2010 13:56

> -----Original Message-----
> From: owner-postfix-users(a)postfix.org [mailto:owner-postfix-users(a)postfix.org] On Behalf Of Walter Pinto
> Sent: Tuesday, August 10, 2010 1:20 AM
> To: postfix users
> Subject: Re: How to reject bad hosts
>
> I also can vouch for policyd-weight, with a bit of configuration it can be a very useful tool. Combine it with the fail2ban postfix log wrapper and you're on the right track.

Can you share your policyd-weight config file(s)? I am mainly thinking of cases where some features that are used by default can give problems (HELO/SPF/rDNS/etc. checks).

Regards,
Mark
From: Walter Pinto on 10 Aug 2010 14:00 Sure, what's the policy on this list for that? Attachment or just copy/paste?
From: Noel Jones on 10 Aug 2010 14:39 On 8/10/2010 1:00 PM, Walter Pinto wrote: > Sure, what's the policy on this list for that? Attachment or just copy/paste? (either a text attachment or a copy/paste is fine.)
From: Walter Pinto on 10 Aug 2010 15:39

I'll provide my config, but keep in mind, the entire process is based on a scoring system which will vary from setup to setup. It's highly likely you will have to tweak the scores based on your specific needs. Below is my config; you can view the default settings by typing 'policyd-weight defaults' at the command line.

$DEBUG = 0; # 1 or 0 - don't comment

$REJECTMSG = "550 Mail appears to be from a dynamic/residential hostname, the HELO and DNS don't match, or is listed in too many Blacklists";
$REJECTLEVEL = 5.0; # Mails with scores which exceed this
$DNSERRMSG = '450 No DNS entries for your MTA, HELO and Domain. Contact YOUR administrator';

## DNSBL settings
@dnsbl_score = (
    # HOST,                 HIT SCORE, MISS SCORE, LOG NAME
    'pbl.spamhaus.org',     3.25,      0,          'DYN_PBL_SPAMHAUS',
    'sbl-xbl.spamhaus.org', 5.00,      -1.5,       'SBL_XBL_SPAMHAUS',
    'bl.spamcop.net',       3.25,      -1.5,       'SPAMCOP',
    'dnsbl.njabl.org',      3.25,      -1.5,       'BL_NJABL',
);
$MAXDNSBLHITS = 1; # If Client IP is listed in MORE DNSBLS than this var, it gets REJECTed immediately
$MAXDNSBLSCORE = 6; # alternatively, if the score of DNSBLs is ABOVE this level, reject immediately
$MAXDNSBLMSG = '550 Your MTA is listed in too many DNSBLs';

## RHSBL settings
@rhsbl_score = (
    'multi.surbl.org',  4, 0, 'SURBL',
    'rhsbl.ahbl.org',   4, 0, 'AHBL',
    'dbl.spamhaus.org', 4, 0, 'RHSBL_SPAMHAUS',
);
$BL_ERROR_SKIP = 2; # skip a RBL if this RBL had this many continuous errors
$BL_SKIP_RELEASE = 10; # skip a RBL for that many times

## cache stuff
$LOCKPATH = '/tmp/.policyd-weight/'; # must be a directory (add trailing slash)
$SPATH = $LOCKPATH.'/polw.sock'; # socket path for the cache daemon.
$CACHESIZE = 0; # set to 0 to disable caching for spam results.
$POSCACHESIZE = 0; # set to 0 to disable caching of HAM.

## DNS settings
$DNS_RETRIES = 2; # Retries for ONE DNS-Lookup
$DNS_RETRY_IVAL = 2; # Retry-interval for ONE DNS-Lookup
$MAXDNSERR = 3; # max error count for unresponded queries in a complete policy query
$USE_NET_DNS = 0; # Force the usage of Net::DNS for RBL lookups. Normally policyd-weight tries to use a faster RBL lookup routine instead of Net::DNS
$TRY_BALANCE = 1; # If set to 1 policyd-weight closes connections to smtpd clients in order to avoid too many established connections to one policyd-weight child

# scores for checks, WARNING: they may manipulate each other or be factors for other scores.
#                                   HIT score, MISS Score
@client_ip_eq_helo_score           = (1.5,  -1.25);
@helo_score                        = (1.5,  -2);
@helo_from_mx_eq_ip_score          = (1.5,  -3.1);
@helo_numeric_score                = (2.5,  0);
@from_match_regex_verified_helo    = (1,    -2);
@from_match_regex_unverified_helo  = (1.6,  -1.5);
@from_match_regex_failed_helo      = (2.5,  0);
@helo_ip_in_client_subnet          = (0,    -1.2);
@helo_ip_in_cl16_subnet            = (0,    -0.41);
@from_multiparted                  = (1.09, 0);
@from_anon                         = (1.17, 0);
@bogus_mx_score                    = (2.1,  0);
@random_sender_score               = (0.25, 0);
@rhsbl_penalty_score               = (3.1,  0);
@enforce_dyndns_score              = (3,    0);

#
# Syslogging options for verbose mode and for fatal errors.
# NOTE: comment out the $syslog_socktype line if syslogging does not work on your system.
#
# $syslog_socktype = 'unix'; # inet, unix, stream, console
$syslog_facility = "mail";
$syslog_options = "pid";
$syslog_priority = "all";
$syslog_ident = "postfix/policyd-weight";

#
# Process Options
#
$USER = "policy"; # User must be a username, no UID
$MAX_PROC = 75; # Upper limit of child processes
$MIN_PROC = 3; # keep that minimum processes alive
$TCP_PORT = 12525; # The TCP port on which policyd-weight listens on
$BIND_ADDRESS = '127.0.0.1'; # IP-Address on which policyd-weight will listen
$SOMAXCONN = 1024; # Maximum of client connections
$CHILDIDLE = 240; # how many seconds a child may be idle before
$PIDFILE = "/var/run/policyd-weight.pid";
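As an added example (not part of the thread and not policyd-weight's own code), the following Python script shows how the scoring knobs in the posted config combine by speaking the same Postfix policy-delegation protocol that policyd-weight does, with the DNSBL half of the scoring modelled on the @dnsbl_score table, $MAXDNSBLHITS, $MAXDNSBLSCORE, @helo_numeric_score and $REJECTLEVEL above. Live DNS is replaced by a constructed listing table (FAKE_LISTINGS, TEST-NET addresses) so it runs offline; the "reject immediately" rule is a simplification and an assumption on my part (only hit scores are compared against $MAXDNSBLSCORE, while hit and miss scores both feed the total compared against $REJECTLEVEL), and the HELO/rDNS/MX/RHSBL checks of the real tool are omitted, so real scores will differ. All function names are mine.

```python
"""Added example, not policyd-weight's own code: a minimal Postfix policy server
modelling the DNSBL part of the scoring in the config above.  DNS lookups are
replaced by a constructed listing table (assumption) so it runs offline."""
import socketserver

# Taken from the posted config: (zone, hit score, miss score, log name).
DNSBL_SCORE = [
    ("pbl.spamhaus.org",     3.25,  0.0, "DYN_PBL_SPAMHAUS"),
    ("sbl-xbl.spamhaus.org", 5.00, -1.5, "SBL_XBL_SPAMHAUS"),
    ("bl.spamcop.net",       3.25, -1.5, "SPAMCOP"),
    ("dnsbl.njabl.org",      3.25, -1.5, "BL_NJABL"),
]
MAXDNSBLHITS = 1                  # more hits than this -> reject without further checks
MAXDNSBLSCORE = 6.0               # hit score above this -> reject without further checks
MAXDNSBLMSG = "550 Your MTA is listed in too many DNSBLs"
HELO_NUMERIC_SCORE = (2.5, 0.0)   # @helo_numeric_score: HELO is an IP literal
REJECTLEVEL = 5.0
REJECTMSG = ("550 Mail appears to be from a dynamic/residential hostname, the HELO "
             "and DNS don't match, or is listed in too many Blacklists")

# Constructed listing table (assumption) standing in for live DNSBL answers.
FAKE_LISTINGS = {
    "1.2.0.192.pbl.spamhaus.org",       # 192.0.2.1: dynamic range only
    "2.2.0.192.pbl.spamhaus.org",       # 192.0.2.2: two zones, over MAXDNSBLHITS
    "2.2.0.192.bl.spamcop.net",
    "4.2.0.192.sbl-xbl.spamhaus.org",   # 192.0.2.4: one heavy hit
}

def fake_lookup(name):
    """Stand-in for an A-record query against a DNSBL zone."""
    return name in FAKE_LISTINGS

def dnsbl_query_name(ip, zone):
    """Reverse the dotted quad and append the zone, as a DNSBL client queries it."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def score_dnsbls(ip, lookup=fake_lookup):
    """Return (hits, hit_score, net_score, log_names) for one client address."""
    hits, hit_score, net, names = 0, 0.0, 0.0, []
    for zone, hit, miss, name in DNSBL_SCORE:
        if lookup(dnsbl_query_name(ip, zone)):
            hits += 1
            hit_score += hit
            net += hit
            names.append(name)
        else:
            net += miss           # a miss is neutral (0) or rewarded (negative)
    return hits, hit_score, net, names

def is_numeric_helo(helo):
    """True for an IPv4 literal HELO such as '192.0.2.1' or '[192.0.2.1]' (IPv4 only)."""
    return helo.strip("[]").replace(".", "").isdigit()

def evaluate(attrs, lookup=fake_lookup):
    """Apply the model to one policy request; returns (action, score that decided it)."""
    hits, hit_score, total, _ = score_dnsbls(attrs.get("client_address", ""), lookup)
    if hits > MAXDNSBLHITS or hit_score > MAXDNSBLSCORE:
        return MAXDNSBLMSG, hit_score
    numeric = is_numeric_helo(attrs.get("helo_name", ""))
    total += HELO_NUMERIC_SCORE[0] if numeric else HELO_NUMERIC_SCORE[1]
    if total > REJECTLEVEL:
        return REJECTMSG, total
    return "DUNNO", total         # let the remaining smtpd restrictions decide

def parse_request(raw):
    """Parse the 'name=value' lines of one policy request (ended by an empty line)."""
    attrs = {}
    for line in raw.decode("utf-8", "replace").splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs

def format_response(action):
    """Postfix expects 'action=<access table action>' followed by an empty line."""
    return "action=%s\n\n" % action

class PolicyHandler(socketserver.StreamRequestHandler):
    """Serves the protocol Postfix uses for check_policy_service; many requests per connection."""
    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:          # client closed the connection
                    return
                line = line.rstrip(b"\r\n")
                if not line:          # empty line terminates one request
                    break
                lines.append(line)
            action, _ = evaluate(parse_request(b"\n".join(lines) + b"\n"))
            self.wfile.write(format_response(action).encode("utf-8"))
            self.wfile.flush()

if __name__ == "__main__":
    # Same address and port as $BIND_ADDRESS / $TCP_PORT in the posted config.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 12525), PolicyHandler) as srv:
        srv.serve_forever()
```

Run it and point Postfix at it with `check_policy_service inet:127.0.0.1:12525` in smtpd_recipient_restrictions; as SMTPD_POLICY_README recommends, place it after reject_unauth_destination so a policy server outage or a permissive answer cannot affect relay control. With the posted numbers, a client listed only in the PBL ends at -1.25 (one hit of 3.25 minus three misses of 1.5), and even a single SBL/XBL hit (5.0) plus a numeric HELO (2.5) nets only 4.5 once the misses are subtracted, just under $REJECTLEVEL; that is the "tweak the scores" point Walter makes.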