AW: Recommended pre-queue setup for Postfix
Klaffehn, Peter
peter.klaffehn at westermann.de
Fri Nov 11 13:55:46 CET 2011
Hi,
we use Postfix and Amavis for incoming and outgoing mail and we reject spam and viruses during the SMTP session. We use greylisting and we have a Perl script which pulls all e-mail addresses from our Active Directory and puts them in relay_recipients. This is our setup:
master.cf:
smtp inet n - n - 40 smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o smtpd_client_connection_count_limit=20
    -o smtpd_proxy_timeout=300s
    -o smtpd_proxy_options=speed_adjust
127.0.0.1:10025 inet n - n - - smtpd
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks
main.cf:
alias_maps = hash:/etc/aliases
mydomain = xxx
myorigin = xxx
myhostname = xxx
mynetworks = xxx
message_size_limit = 52428800
local_transport = error:no local mail delivery
mydestination =
local_recipient_maps =
virtual_alias_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport
relay_domains = hash:/etc/postfix/relay_domains
relay_recipient_maps = hash:/etc/postfix/relay_recipients
unknown_client_reject_code = 550
smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/blackwhite, reject_unknown_client_hostname
smtpd_helo_required = yes
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/blackwhite, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/blackwhite, reject_non_fqdn_recipient, reject_unauth_destination, reject_unlisted_recipient, check_recipient_access hash:/etc/postfix/greylist_sender_exceptions, check_client_access cidr:/etc/postfix/cidr_greylist_network_exceptions, check_client_access pcre:/etc/postfix/check_client_fqdn, reject_unknown_recipient_domain
smtpd_data_restrictions = reject_unauth_pipelining
strict_rfc821_envelopes = yes
recipient_delimiter =
smtpd_restriction_classes = check_greylist
check_greylist = check_policy_service inet:127.0.0.1:60000
delay_warning_time = 8
/etc/amavis/conf.d/50-user (other files in this directory are untouched):
use strict;
#
# Place your configuration directives here. They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#
# Activate virus checking
@bypass_virus_checks_maps = (
    \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
# Activate spam checking
@bypass_spam_checks_maps = (
    \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
# Do not block files
$banned_filename_re = undef;
# Handling of suspected spam
$sa_spam_subject_tag = '[SPAM-Verdacht] ';
$sa_tag_level_deflt = -999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 6.0; # spam level beyond which a DSN is not sent
$sa_quarantine_cutoff_level = 6; # spam level beyond which quarantine is off
# Actions when spam or a virus is found
$final_virus_destiny = D_REJECT;
$final_banned_destiny = D_REJECT;
$final_spam_destiny = D_REJECT;
$final_bad_header_destiny = D_PASS;
# Do not quarantine a copy of mail with a bad header or a virus
$bad_header_quarantine_to = undef;
$virus_quarantine_to = undef;
# Black- and whitelisting
@score_sender_maps = ({
    '.' => [
        read_hash("/etc/amavis/sender_scores_sitewide")
    ]
});
# Logging
$log_level = 1; # verbosity 0..5
$sa_debug = 1;
# Specify the local domains so that the X-Spam headers are inserted
#@local_domains_maps = (".");
@local_domains_maps = (read_hash("/etc/postfix/relay_domains"));
# Same number of processes as in Postfix
$max_servers = 40; # number of pre-forked children (2..15 is common)
#------------ Do not modify anything below this line -------------
1; # ensure a defined return
This should give you an idea how to configure it.
Peter
-----Original Message-----
From: amavis-users-bounces+peter.klaffehn=westermann.de at amavis.org [mailto:amavis-users-bounces+peter.klaffehn=westermann.de at amavis.org] On Behalf Of Marc Patermann
Sent: Friday, 11 November 2011 13:38
To: Cristian Seres
Cc: amavis-users at amavis.org
Subject: Re: Recommended pre-queue setup for Postfix
Cristian,
Cristian Seres wrote (08.11.2011 21:21):
> I would like to get an opinion which is the best configuration for
> incoming only Postfix mail gateway that should
> - Reject virus, banned destiny and clear spam messages during SMTP
> session. It is important for us not to send backscatter to forged
> sender addresses. This implies using pre-queue setup for Amavis, right?
> - Work in co-operation with opendkim-milter i.e. not break DKIM
> signature - or configure amavisd-new to check DKIM with option to
> discard email if sender domain's DKIM ADSP policy suggests to do so.
>
> Is the best practice in this case to use smtpd_proxy_filter setting in
> Postfix's main.cf and what are recommended settings to master.cf and
> amavisd.conf to go with it? Or is there some better way to do it nowadays?
>
> Amavisd-2.7.0, Postfix 2.6.6. About performance requirements: less
> than 15k incoming email per month which will be divided to two or
> three MX servers.
>
> I am looking forward to your suggestions.
I use amavisd-milter here.
http://amavisd-milter.sourceforge.net/
Marc
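
Added example (not part of the original messages and not code from Postfix or amavisd-new): a small lint for the pre-queue setup quoted above. It checks that the smtpd service using smtpd_proxy_filter does not have a higher process limit than amavisd's $max_servers, and that the re-injection listener is loopback-only and accepts mail from mynetworks only. The function names, the re-injection port default of 10025 (taken from the quoted master.cf) and the embedded sample files are assumptions made for illustration.

```python
import re

# Constructed sample files; the values mirror the settings quoted in the message above.
MASTER_CF = """\
smtp      inet  n  -  n  -  40  smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o smtpd_proxy_options=speed_adjust
127.0.0.1:10025 inet n - n - - smtpd
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
"""
AMAVIS_CONF = "$max_servers = 40;  # number of pre-forked children\n"

def parse_master_cf(text):
    """Join continuation lines (leading whitespace) and split each service entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    services = []
    for fields in (e.split() for e in entries):
        if len(fields) < 8:          # not a complete service definition
            continue
        args = fields[8:]
        opts = dict(v.split("=", 1) for o, v in zip(args, args[1:])
                    if o == "-o" and "=" in v)
        services.append({"name": fields[0], "maxproc": fields[6], "opts": opts})
    return services

def lint(master_cf, amavis_conf, reinject_port="10025"):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    m = re.search(r"^\s*\$max_servers\s*=\s*(\d+)", amavis_conf, re.M)
    max_servers = int(m.group(1)) if m else 0   # 0: not set in this file
    for svc in parse_master_cf(master_cf):
        name, opts = svc["name"], svc["opts"]
        if "smtpd_proxy_filter" in opts:
            if not svc["maxproc"].isdigit():
                findings.append(f"{name}: set an explicit process limit")
            elif int(svc["maxproc"]) > max_servers:
                findings.append(f"{name}: maxproc {svc['maxproc']} exceeds "
                                f"amavisd $max_servers ({max_servers})")
        if name.rsplit(":", 1)[-1] == reinject_port:
            if not name.startswith(("127.0.0.1:", "[::1]:", "localhost:")):
                findings.append(f"{name}: re-injection port is not loopback-only")
            if opts.get("smtpd_recipient_restrictions") != "permit_mynetworks,reject":
                findings.append(f"{name}: must accept mail from mynetworks only")
    return findings

if __name__ == "__main__":
    print(lint(MASTER_CF, AMAVIS_CONF) or "ok")
```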