AW: Recommended pre-queue setup for Postfix

Klaffehn, Peter peter.klaffehn at
Fri Nov 11 13:55:46 CET 2011


We use Postfix and amavis for incoming and outgoing mail, and we reject spam and viruses during the SMTP session. We use greylisting, and we have a Perl script which pulls all e-mail addresses from our Active Directory and puts them in relay_recipients. This is our setup:

smtp       inet  n       -       n       -       40     smtpd
        -o smtpd_proxy_filter=
        -o smtpd_client_connection_count_limit=20
        -o smtpd_proxy_timeout=300s
        -o smtpd_proxy_options=speed_adjust
 inet n   -       n       -       -      smtpd
        -o smtpd_authorized_xforward_hosts=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=
        -o mynetworks=
        -o receive_override_options=no_unknown_recipient_checks

alias_maps = hash:/etc/aliases
mydomain = xxx
myorigin = xxx
myhostname = xxx
mynetworks = xxx
message_size_limit = 52428800
local_transport = error:no local mail delivery
mydestination =
local_recipient_maps =
virtual_alias_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport
relay_domains = hash:/etc/postfix/relay_domains
relay_recipient_maps = hash:/etc/postfix/relay_recipients
unknown_client_reject_code = 550
smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/blackwhite, reject_unknown_client_hostname
smtpd_helo_required = yes
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/blackwhite, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/blackwhite, reject_non_fqdn_recipient, reject_unauth_destination, reject_unlisted_recipient, check_recipient_access hash:/etc/postfix/greylist_sender_exceptions, check_client_access cidr:/etc/postfix/cidr_greylist_network_exceptions, check_client_access pcre:/etc/postfix/check_client_fqdn, reject_unknown_recipient_domain
smtpd_data_restrictions = reject_unauth_pipelining
strict_rfc821_envelopes = yes
recipient_delimiter =
smtpd_restriction_classes = check_greylist
check_greylist = check_policy_service inet:
delay_warning_time = 8

/etc/amavis/conf.d/50-user (other files in this directory are untouched):

use strict;

# Place your configuration directives here.  They will override those in
# earlier files.
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file

# Activate virus checking
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

# Activate spam checking
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

# No blocking of files
$banned_filename_re = undef;

# Handling of suspected spam
$sa_spam_subject_tag = '[SPAM-Verdacht]  ';
$sa_tag_level_deflt  = -999;      # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0;       # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.0;       # triggers spam evasive actions
$sa_dsn_cutoff_level = 6.0;       # spam level beyond which a DSN is not sent
$sa_quarantine_cutoff_level = 6;  # spam level beyond which quarantine is off

# Actions on spam or virus detection
$final_virus_destiny      = D_REJECT;
$final_banned_destiny     = D_REJECT;
$final_spam_destiny       = D_REJECT;
$final_bad_header_destiny = D_PASS;

# No copy of e-mail with a broken header or a virus into quarantine
$bad_header_quarantine_to = undef;
$virus_quarantine_to = undef;

# Black- and whitelisting
@score_sender_maps = ({
   '.' => [
      # (sender score entries are not included in the posted configuration)
   ],
});

# Logging
$log_level = 1;               # verbosity 0..5
$sa_debug = 1;

# Specify the local domains so that the X-SPAM header is inserted
#@local_domains_maps = (".");
@local_domains_maps = (read_hash("/etc/postfix/relay_domains"));

# Number of processes as in Postfix
$max_servers = 40;            # number of pre-forked children (2..15 is common)

#------------ Do not modify anything below this line -------------
1;  # ensure a defined return

This should give you an idea how to configure it.


-----Original Message-----
From: at [ at] On Behalf Of Marc Patermann
Sent: Friday, 11 November 2011 13:38
To: Cristian Seres
Cc: amavis-users at
Subject: Re: Recommended pre-queue setup for Postfix


Cristian Seres wrote (08.11.2011 21:21):

> I would like to get an opinion which is the best configuration for 
> incoming only Postfix mail gateway that should
>  - Reject virus, banned destiny and clear spam messages during SMTP 
> session. It is important for us not to send backscatter to forged 
> sender addresses. This implies using pre-queue setup for Amavis, right?
>  - Work in co-operation with opendkim-milter i.e. not break DKIM 
> signature - or configure amavisd-new to check DKIM with option to 
> discard email if sender domain's DKIM ADSP policy suggests to do so.
> Is the best practice in this case to use smtpd_proxy_filter setting in 
> Postfix's and what are recommended settings to and 
> amavisd.conf to go with it? Or is there some better way to do it nowadays?
> Amavisd-2.7.0, Postfix 2.6.6. About performance requirements: less 
> than 15k incoming email per month which will be divided to two or 
> three MX servers.
> I am looking forward to your suggestions.
I use amavisd-milter here.
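
The setup above rejects unknown recipients at SMTP time through relay_recipient_maps, which is filled from Active Directory. The following is an added example, not the poster's Perl script: a Python sketch that turns an LDIF-style directory export into the source file for that map. The LDIF input, the use of the proxyAddresses and mail attributes, and the function names are assumptions; the sample data is constructed.

```python
"""Build a Postfix relay_recipient_maps source file from directory data.

Added example; the LDIF sample below is constructed, not real data.
"""
import re

# Constructed sample: attribute lines as they appear in an LDIF export.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=com
proxyAddresses: SMTP:Alice@example.com
proxyAddresses: smtp:a.example@example.com
proxyAddresses: X400:C=DE;A= ;P=Example;S=Alice
mail: alice@example.com

dn: CN=Bob Example,OU=Staff,DC=example,DC=com
proxyAddresses: SMTP:bob@example.org
proxyAddresses: smtp:bob@internal.example.local
proxyAddresses: smtp:bad address@example.com
"""

# Loose syntax check: one "@", no whitespace, quotes or angle brackets, so a
# malformed directory value cannot add extra fields or lines to the map.
ADDR_RE = re.compile(r"[^\s@<>\"]+@[a-z0-9.-]+\.[a-z]{2,}")

def relay_recipients(ldif_text, relay_domains):
    """Return sorted, de-duplicated addresses that belong to relay_domains."""
    domains = {d.lower() for d in relay_domains}
    found = set()
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(": ")
        if not sep or attr.lower() not in ("proxyaddresses", "mail"):
            continue
        value = value.strip()
        if attr.lower() == "proxyaddresses":
            scheme, _, value = value.partition(":")
            if scheme.lower() != "smtp":   # skip X400, SIP and other types
                continue
        addr = value.lower()               # Postfix folds lookup keys to lowercase
        if ADDR_RE.fullmatch(addr) and addr.rsplit("@", 1)[1] in domains:
            found.add(addr)
    return sorted(found)

def render_map(addresses):
    """Format as a hash: map source; the right-hand value is not used."""
    return "".join(f"{a} OK\n" for a in addresses)

if __name__ == "__main__":
    out = relay_recipients(SAMPLE_LDIF, ["example.com", "example.org"])
    print(render_map(out), end="")
```

Write the output to a temporary file, move it over /etc/postfix/relay_recipients, and run postmap on it. Aborting when the export comes back empty avoids replacing a working map with one that rejects every recipient.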

