为 Postfix "smtpd_recipient_restrictions" 设置的最佳参数

Question

我们从另一个 ISP 继承了 DNS，现在我们的邮件服务器每分钟被大约 1000 封电子邮件轰炸，其中 99.99% 的电子邮件只是垃圾邮件。我们正在尝试优化过滤/拒绝垃圾邮件，但运气不佳。

您认为最佳设置是smtpd_recipient_restrictions什么？

系统配置：Ubuntu + Amavis + Postfix + MySQL + Fail2Ban-Postfix

欢迎任何建议！

UDPATE, 2012-08-08

在更改 posftix 配置如下并配置 Potrgey 服务后，垃圾邮件水平下降了 10 倍

smtpd_recipient_restrictions = 
permit_mynetworks, 
permit_sasl_authenticated, 
reject_non_fqdn_hostname, 
reject_invalid_hostname, 
reject_non_fqdn_sender, 
reject_unknown_sender_domain, 
reject_non_fqdn_recipient, 
reject_unknown_recipient_domain, 
check_policy_service inet:127.0.0.1:10023, 
reject_rbl_client zen.spamhaus.org, 
check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
reject_unauth_pipelining, 
reject_unauth_destination

Answer 1

你的规则很糟糕。如果您想保留所有这些而不添加任何其他内容，则顺序必须是：

smtpd_recipient_restrictions = 
permit_mynetworks, 
permit_sasl_authenticated, 
reject_unauth_pipelining, 
reject_invalid_hostname, 
reject_non_fqdn_sender, 
reject_unknown_sender_domain, 
reject_unauth_destination, 
reject_unknown_recipient_domain, 
reject_rbl_client zen.spamhaus.org,
check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, 
reject_non_fqdn_recipient

如果仍然是不够的，然后阅读postscreen在http://www.postfix.org/POSTSCREEN_README.html。

Answer 2

我建议使用类似于以下内容的 smtpd_recipient_restriction：

smtpd_recipient_restricdtions = 
# Whitelisting or blacklisting:
check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
# Everyone should play after rules:
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
reject_unknown_recipient_domain,
reject_unknown_sender_domain,
reject_unauth_pipelining,
# Mails from your users:
permit_mynetworks,
permit_sasl_authenticated,
# This will block mails from domains with no reverse DNS record. Will affect both spam and ham mails, but mostly spam. 
reject_unknown_reverse_client_hostname,
# Instead of reject_unknown_reverse_client_hostname you can also use reject_unknown_client_hostname, which is an even harder rule. 
# Reject ugly HELO/EHLO-hostnames (could also affect regular mails):
reject_non_fqdn_hostname,
reject_invalid_helo_hostname,
# Reject everything you're not responsible for:
reject_unauth_destination,
# Only take mails for existing accounts:
reject_unverified_recipient,
# DNS lookups are "expensive", therefore should be at bottom
reject_rbl_client zen.spamhaus.org

关于 smtpd_recipient_restrictions 的详细信息可以在这里找到：http : //www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

也许您还想使用postgrey、postscreen、postfwd或其他一些策略守护程序。

还要检查您是否在排队前模式下使用 amavisd-new。