Hi,
I propose to set up a basic antispam / antivirus check on the mailing list
server. The administration of mailing lists has become a burden due to spam
and viruses.
I propose several steps:
* first, blocking mail from invalid domains and viruses. This takes very few
server resources, but should remove a big part of the unwanted traffic.
* if this is not enough, then setting up a specific antispam filter with
SpamAssassin to block most unwanted mail. This will also require more server
resources.
Below are the rules I propose to implement for the first step. These are
the rules I have used myself for the last 2 years.
========================
/etc/postfix/main.cf:
smtpd_helo_required = yes
disable_vrfy_command = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
# Default: not needed
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client proxies.blackholes.wirehub.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.njabl.org,
    permit
smtpd_client_restrictions =
    permit_mynetworks,
    reject_unknown_client,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client proxies.blackholes.wirehub.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.njabl.org,
    permit
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    reject_unknown_hostname,
    reject_non_fqdn_hostname
smtpd_sender_restrictions =
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client proxies.blackholes.wirehub.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.njabl.org,
    permit
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
==========
/etc/postfix/mime_header_checks:
/.*name=".*\.(exe|pif|zip|scr|com|dat|vbs)"/ REJECT
==========
/etc/postfix/header_checks: (new rules could be added as needed)
/Subject:.*Hydrocodone.*/ REJECT
/Subject:.*Valium.*/ REJECT
/Subject:.*Vicodin.*/ REJECT
/Subject:.*Pharmacy.*/ REJECT
/Subject:.*Xanax.*/ REJECT
/Subject:.*Rolex.*/ REJECT
/Subject:.*VIAGRA.*/ REJECT
/Subject:.*Network Critical Update.*/ REJECT
Regards,
Yann
--
http://www.non-violence.org/ | Collaborative site on non-violence
http://www.forget-me.net/ | Alternatives on the Net
http://fr.wikipedia.org/ | Free encyclopedia
http://www.forget-me.net/pro/ | Linux training and services
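
Added example (not part of the message above, and not Postfix's own code): a small Python harness that approximates a Postfix regexp-table lookup with Python's re module, to see which headers the proposed header_checks and mime_header_checks rules act on before they go onto a list server. The sample headers are constructed, and load_table, lookup and evaluate are names made up for this sketch.

```python
import re

# Rules as posted in the message; header_checks is shortened to two entries.
MIME_HEADER_CHECKS = r'''
/.*name=".*\.(exe|pif|zip|scr|com|dat|vbs)"/ REJECT
'''
HEADER_CHECKS = r'''
/Subject:.*Pharmacy.*/ REJECT
/Subject:.*VIAGRA.*/ REJECT
'''

# Constructed sample headers (not taken from real traffic).
SAMPLES = {
    "quoted_exe": ("mime", 'Content-Type: application/octet-stream; name="setup.exe"'),
    "unquoted_exe": ("mime", "Content-Type: application/octet-stream; name=setup.exe"),
    "zip_patchset": ("mime", 'Content-Disposition: attachment; filename="patches.zip"'),
    "text_file": ("mime", 'Content-Type: text/plain; name="notes.txt"'),
    "spam_subject": ("header", "Subject: cheap viagra today"),
    "list_subject": ("header", "Subject: [dev] packaging the pharmacy module"),
}

def load_table(text):
    """Parse '/pattern/ ACTION' lines, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*/(.*)/\s+(\S+)", line)
        if m and not line.lstrip().startswith("#"):
            # Postfix regexp tables match case-insensitively by default.
            rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, header):
    """Return the action of the first matching rule, or None when nothing matches."""
    for pattern, action in rules:
        if pattern.search(header):
            return action
    return None

def evaluate(samples=SAMPLES):
    """Map each sample name to the action its table would take."""
    tables = {"mime": load_table(MIME_HEADER_CHECKS),
              "header": load_table(HEADER_CHECKS)}
    return {name: lookup(tables[kind], hdr) for name, (kind, hdr) in samples.items()}

if __name__ == "__main__":
    for name, action in evaluate().items():
        print(f"{name:14} -> {action}")
```

On these samples the attachment rule acts only when the file name is quoted, it also rejects a .zip attachment, and the Pharmacy rule rejects an ordinary list subject. On a host with Postfix installed, postmap -q "header text" regexp:/etc/postfix/header_checks gives the authoritative answer.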