From: "Steffan A. Cline" on
I am using postfix with Virtualmin and am trying to follow numerous
tutorials on spam prevention/handling. I have tried to apply the following
to the postfix main.cf file.

smtpd_delay_reject = yes

smtpd_helo_required = yes

smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit

#check_helo_access hash:/usr/local/etc/postfix/helo_access,

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_destination,
    permit

smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    permit

#check_policy_service unix:postgrey/socket,
#check_policy_service unix:private/spfpolicy
#check_policy_service inet:127.0.0.1:10023
#reject_rbl_client relays.ordb.org,
#reject_rbl_client list.dsbl.org,
#reject_rbl_client sbl-xbl.spamhaus.org,
#check_sender_access hash:/etc/postfix/sender_access,
#check_recipient_access hash:/etc/postfix/recipient_access,

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client dnsbl.sorbs.net,
    permit

The items that are commented out are of concern. I cannot figure out how to
set them right. I have the rbl in the client_restrictions but online the
examples show in the recipient. Which is it? client or recipient?

Also, is there a good tutorial on configuring the HELO access file? I am
migrating from Eudora Internet Mail Server and have some nice HELO rules set
up there to catch a bunch of spam. I'd like to incorporate them into the
postfix setup.

For the HELO:
does not contain .
starts with [
contains .dynamic.
contains .adsl.
ends with .airtelbroadband.in
is speedtouch.lan
is gmail.com
contains .pool.
starts with adsl-
is dsldevice.lan
contains .dsl.

Expressions for a few of the top expressions:
Typical names for household connections contain a name followed by an ip
(dashed or dotted)
[a-zA-Z_-][0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}.
[a-zA-Z_-][0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.

Plain IP number without [ ]:
[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}

With the spf handling, I keep seeing mention of a file that I am supposed to
have but it was not included in the install of CentOS 5. smtpd-policy.pl is
the file that everyone mentions I need for the SPF but it's nowhere to be
found and I did not see anywhere online to download this. In one spot, I saw
mention that it is not needed. Which is it? Is it worth it?

I have postgrey installed via yum. Does anyone know how to make all this
work? It seems it would be optimal setup for spam prevention.


It's a long post. Sorry.

Thanks

Steffan

---------------------------------------------------------------
T E L 6 0 2 . 7 9 3 . 0 0 1 4 | F A X 6 0 2 . 9 7 1 . 1 6 9 4
Steffan A. Cline
Steffan(a)ExecuChoice.net Phoenix, Az
http://www.ExecuChoice.net USA
AIM : SteffanC ICQ : 57234309
YAHOO : Steffan_Cline MSN : steffan(a)hldns.com
GOOGLE: Steffan.Cline Lasso Partner Alliance Member
---------------------------------------------------------------
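
The HELO rule list in the post above, expressed as lines for a Postfix regexp table, as an added example that is not part of the original post. The operators and rule texts come from the post; the REJECT text, the helper names and the HELO names used to exercise it are constructed, and it assumes the table is referenced from check_helo_access with the regexp: type rather than hash:.

```python
"""Turn "contains / starts with / ends with / is" HELO rules into Postfix
regexp-table lines, then look HELO names up the way the table would."""
import re

# Rule list taken from the post above, as (operator, text) pairs.
RULES = [
    ("does not contain", "."),
    ("starts with", "["),
    ("contains", ".dynamic."),
    ("contains", ".adsl."),
    ("ends with", ".airtelbroadband.in"),
    ("is", "speedtouch.lan"),
    ("is", "gmail.com"),
    ("contains", ".pool."),
    ("starts with", "adsl-"),
    ("is", "dsldevice.lan"),
    ("contains", ".dsl."),
]

ERE_META = set(".[\\()*+?{|^$")   # characters with special meaning in POSIX ERE


def ere_escape(text):
    """Escape text so it matches literally (a bare '.' would match any char)."""
    if "/" in text:
        raise ValueError("rule text contains the table's pattern delimiter '/'")
    return "".join("\\" + ch if ch in ERE_META else ch for ch in text)


def compile_rule(op, text):
    """Return (negate, pattern) for one rule."""
    lit = ere_escape(text)
    if op == "contains":
        return False, lit
    if op == "does not contain":
        return True, lit
    if op == "starts with":
        return False, "^" + lit
    if op == "ends with":
        return False, lit + "$"
    if op == "is":
        return False, "^" + lit + "$"
    raise ValueError(f"unknown operator: {op!r}")


def table_line(op, text):
    """Format one table line; a leading '!' negates the pattern."""
    negate, pattern = compile_rule(op, text)
    return f"{'!' if negate else ''}/{pattern}/ REJECT HELO {op} {text}"


def table_lines(rules=RULES):
    return [table_line(op, text) for op, text in rules]


def first_match(helo, rules=RULES):
    """Emulate the lookup: the first line whose (possibly negated) pattern fits.
    Regexp tables match case-insensitively by default, hence IGNORECASE."""
    for op, text in rules:
        negate, pattern = compile_rule(op, text)
        hit = re.search(pattern, helo, re.IGNORECASE) is not None
        if hit != negate:
            return table_line(op, text)
    return None


if __name__ == "__main__":
    print("\n".join(table_lines()))
```

Redirect the printed lines into the table file and test individual names with postmap -q before enabling the restriction.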

From: Stan Hoeppner on
Steffan A. Cline put forth on 6/22/2010 8:01 PM:

> It's a long post. Sorry.

Yeah, it was long, and probably overly ambitious for a single thread topic.
Instead of addressing your questions about individual main.cf parameter
settings and policy services, I'm going to make a few suggestions which should
give you a good start on rejecting most spam.

1. Keep your configuration as streamlined and simple as possible
2. Put all your restrictions under smtpd_recipient_restrictions
3. Use the regexp table I'm providing at the link far below
4. Use dnsbl queries selectively (why they're at the bottom)
5. Use only selective greylisting with postgrey (why it's last)

Here's a sample smtpd_recipient_restrictions section you could start with,
good with IIRC Postfix 2.3 and later. But first:

smtpd_delay_reject = yes (unneeded as it's the default behavior)
smtpd_helo_required = yes (you need this)

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    permit_sasl_authenticated
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname
    reject_unlisted_recipient
    check_client_access regexp:/etc/postfix/fqrdns.regexp
    reject_rbl_client zen.spamhaus.org
    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_helo dbl.spamhaus.org
    check_policy_service inet:127.0.0.1:60000

This should be all you need for now. You will improve this configuration over
time.

It appears in your example that you're querying postgrey twice, once via UNIX
socket and once via inet. Pick one method, don't use both. I use the inet
method (last line in main.cf above). You will need to configure that one
method per the postgrey instructions.

The Postgrey daemon config file on Debian is at the following location. On
CentOS it may be located in a different directory. I don't use any Red Hat
products so I'm unsure. You'll have to find it.

cat /etc/default/postgrey
# postgrey startup options, created for Debian
# (c)2004 Adrian von Bidder <avbidder(a)fortytwo.ch>
# Distribute and/or modify at will.

# you may want to set
# --delay=N how long to greylist, seconds (default: 300)
# --max-age=N delete old entries after N days (default: 35)
# see also the postgrey(8) manpage

POSTGREY_OPTS="--inet=127.0.0.1:60000"

# the --greylist-text commandline argument can not be easily passed through
# POSTGREY_OPTS when it contains spaces. So, insert your text here:
#POSTGREY_TEXT="Your customized rejection message here"

If you run into problems, "man 8 postgrey"


SPF and DKIM checks are pretty much useless for killing spam. You will
already kill bot spam with other methods. Many snowshoe spammers are keen on
using SPF records and to a lesser extent DKIM sigs. There really aren't any
other large classes of spammers than bot and snowshoe, so again, trying to
kill spam with SPF and DKIM checks is mostly an exercise in futility, and it
adds unneeded complexity to your configuration. This has been discussed ad
nauseam on many spam fighting lists over the years.

Regarding helo checks, it seems you're merely wanting to save effort expended
on a previous mail server platform on which they worked well. Wrong logic.
Helo checks won't kill much more spam than other checks, and the helo checks
above are typically sufficient without getting into table checks against them.
Don't worry about dragging the old helo stuff over to Postfix, as it will be
wasted effort for the most part. Maybe keep them around for a rainy day down
the road and convert them over _IF_ you find you _need_ them.

Again, think "streamline". Try to keep the configuration _simple_. The more
complicated you make main.cf now the harder to troubleshoot it becomes later.
Notice how short and simple my restriction list is? And don't think for a
minute I created that overnight. I've been using Postfix since 2005 and have
been refining it for 5 years. It became really streamlined after I took the
advice of members of this list. Noel, mouss, and many others have helped me
tremendously in streamlining my Postfix config, along with the excellent
documentation, which can at times be a bit intimidating to the novice.

This magic regexp table will kill a lot of bot and other spam coming from
various ISPs' mostly dynamic space and will do it quicker than a dnsbl lookup.
Another advantage is that it cuts down on your lookup queries, so if you're
on that 300k Spamhaus borderline limit between paid and free service, this
should drop those queries to the point you could likely use the free service.
Even if you're not borderline, it's always better to kill spam with local
filters before querying any outside service, dnsbl or otherwise.

Download this http://www.hardwarefreak.com/fqrdns.regexp and save it in
/etc/postfix/fqrdns.regexp as root. Make sure the permissions are the same as
your other lookup tables.


Hope this gives you a good start with Postfix spam fighting. Please continue
to ask questions if you need more pointers. Also, make use of the extensive
documentation and how to's on the Postfix website:

http://www.postfix.org/documentation.html
http://www.postfix.org/docs.html

--
Stan
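
What Postfix sends to the service named in check_policy_service inet:127.0.0.1:60000 and what it expects back, as an added example that is neither postgrey's code nor part of the thread. The greylisting rule is a simplified model keyed on the exact client address, sender and recipient; the 300 second delay is the --delay default quoted above, and the sample request is constructed.

```python
"""Minimal model of the policy delegation exchange behind check_policy_service."""

GREYLIST_DELAY = 300   # seconds; the --delay default quoted in the message above

# Constructed sample of what smtpd sends at RCPT TO: name=value lines, then
# an empty line that ends the request.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "helo_name=mail.example.net\n"
    "client_address=203.0.113.25\n"
    "client_name=mail.example.net\n"
    "sender=alice@example.net\n"
    "recipient=bob@example.org\n"
    "\n"
)


def parse_request(raw):
    """Parse one request into a dict of attributes."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:                      # the empty line terminates the request
            break
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute line: {line!r}")
        attrs[name] = value
    if attrs.get("request") != "smtpd_access_policy":
        raise ValueError("not an smtpd_access_policy request")
    return attrs


def greylist(attrs, first_seen, now):
    """Defer a (client, sender, recipient) triplet until it has waited long enough."""
    key = (attrs["client_address"],
           attrs["sender"].lower(),
           attrs["recipient"].lower())
    started = first_seen.setdefault(key, now)   # remember the first attempt
    waited = now - started
    if waited < GREYLIST_DELAY:
        left = GREYLIST_DELAY - waited
        return f"DEFER_IF_PERMIT Greylisted, retry in {left} seconds"
    return "DUNNO"                              # no opinion: later checks decide


def handle(raw, first_seen, now):
    """Return the reply smtpd reads: one action= line followed by an empty line."""
    try:
        action = greylist(parse_request(raw), first_seen, now)
    except (ValueError, KeyError):
        action = "DUNNO"    # fail open so a broken request never blocks mail
    return f"action={action}\n\n"


if __name__ == "__main__":
    seen = {}
    for t in (1000, 1120, 1300):        # the same message retried over time
        print(t, handle(SAMPLE_REQUEST, seen, t).strip())
```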

From: Charles Marcus on
On 2010-06-23 12:34 AM, Stan Hoeppner wrote:
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     reject_unauth_destination
>     permit_sasl_authenticated

Under most circumstances, reject_unauth_destination should go *after*
permit_sasl_authenticated, or your sasl authenticated users will not be
able to relay. So...

> smtpd_recipient_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unauth_destination
>     etc

--

Best regards,

Charles
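
The ordering point above, shown with a toy model of first-match evaluation, as an added example that is not part of the thread. It models only the three restrictions under discussion; the network ranges, the local domain and the sample sessions are constructed.

```python
"""Toy model of first-match evaluation of an smtpd restriction list."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed site settings (assumptions, not taken from the thread).
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.org"}    # domains this server accepts mail for


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    recipient: str


def permit_mynetworks(s):
    ip = ip_address(s.client_ip)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(s):
    return "PERMIT" if s.sasl_authenticated else "DUNNO"


def reject_unauth_destination(s):
    domain = s.recipient.rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"


def evaluate(restrictions, session):
    """Return (verdict, deciding restriction); the first non-DUNNO result wins."""
    for check in restrictions:
        verdict = check(session)
        if verdict != "DUNNO":
            return verdict, check.__name__
    return "PERMIT", "end of list"   # nothing objected, so the mail is accepted


# Order as first posted, and the order suggested in the reply above.
AS_POSTED = [permit_mynetworks, reject_unauth_destination,
             permit_sasl_authenticated]
REORDERED = [permit_mynetworks, permit_sasl_authenticated,
             reject_unauth_destination]

# Constructed sessions: a roaming authenticated user relaying outbound, an
# unauthenticated stranger attempting the same, and ordinary inbound mail.
ROAMING_USER = Session("203.0.113.7", True, "bob@example.net")
STRANGER = Session("203.0.113.7", False, "bob@example.net")
INBOUND = Session("198.51.100.9", False, "alice@example.org")

if __name__ == "__main__":
    for name, order in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        for label, s in (("roaming user", ROAMING_USER),
                         ("stranger", STRANGER), ("inbound", INBOUND)):
            print(f"{name:10} {label:13} {evaluate(order, s)}")
```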

From: "Steffan A. Cline" on
Stan,

Thanks for the quick reply. All I can say is WOW.

I did poke around on this CentOS install and am not seeing a config file
like you have but perhaps this is it:

[root@hosting1 ~]# find / -name postgrey
/usr/sbin/postgrey
/etc/rc.d/init.d/postgrey
/var/spool/postfix/postgrey

________________________________________________________
[root@hosting1 ~]# cat /etc/rc.d/init.d/postgrey
#!/bin/sh
#
# chkconfig: - 79 31
# description: Postfix Greylisting Policy Server
#
# processname: postgrey
#

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

prog=postgrey
postgrey=/usr/sbin/$prog
DBPATH=/var/spool/postfix/postgrey
SOCKET=$DBPATH/socket
OPTIONS="--unix=$SOCKET"

# Source an auxiliary options file if we have one, and pick up OPTIONS,
if [ -r /etc/sysconfig/$prog ]; then
    . /etc/sysconfig/$prog
fi

[ -x $postgrey -a -d $DBPATH ] || exit 0

RETVAL=0

start() {
    echo -n $"Starting $prog: "
    daemon $postgrey -d $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
}
stop() {
    echo -n $"Stopping $prog: "
    killproc $postgrey
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
}

restart() {
    stop
    start
}

reload() {
    echo -n $"Reloading $prog: "
    killproc $postgrey -HUP
    RETVAL=$?
    echo
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    reload)
        reload
        ;;
    condrestart)
        [ -f /var/lock/subsys/$prog ] && restart
        ;;
    status)
        status $postgrey
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|reload|status}"
        exit 1
esac

exit $RETVAL


________________________________________________________

I am assuming from your conf file you have:
> POSTGREY_OPTS="--inet=127.0.0.1:60000"
From the options I see, I could put that into the startup file above by
changing:
OPTIONS="--unix=$SOCKET"
To
OPTIONS="--inet=127.0.0.1:60000"

My question now lies in do I need to add any additional config to
master.cf file to take advantage of this service?




Thanks

Steffan

From: "Steffan A. Cline" on
Stan,

Ok.. I did find where CentOS would store the config file. It appears that it
puts it in /etc/sysconfig/postgrey

I should have read the init script a little closer. So, I copied yours and
pasted it into that file and should be ready there but my question still
stands about whether or not a config has to be added to the master.cf file
for this purpose.


Thanks

Steffan
