Postfix Sluggish

[David-Paul Niner]

David-Paul Niner wrote:
> Ki Song wrote:
> 
> [snip]
> 
> 
>>>You don't. You firewall off the server that's doing the dictionary
>>>attack and then your mail server will never see the connections from it,
>>>hence no logging.
>>
>>
>>Isn't that just putting a "bandaid" on the problem ... I mean, isn't the
>>list of ip addresses that i firewall off eventually going to be too big to
>>manage?
>>
>>If the above isn't true, is there a central location that people can get a
>>hold of that has a list of "bad ip" addresses? Similar to Spamassassin's
>>list?
>>
>>
>>
>>>Paul.
>>>
>>>-- 
>>>fedora-list mailing list
>>>fedora-list at redhat.com
>>>To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>>
>>
> 
> In my personal experience, dictionary attacks tend to be (relatively)
> short lived, as the script that generate the messages must have a fairly
> low time-out.
> 
> Odds are good that the MTA that's trying to connect to your machine is
> not a host with a proper MX record, and if it is, it's probably not
> configured correctly.   You could probably stop postfix from even
> accepting connections from it by implementing the recommendations
> described here:
> 
> http://www.postfix.org/uce.html
> 
> You could also dive into header_checks as well.
> 
> One positive aspect of implementingthese suggestions is that over time
> you should see less and less spam, as your domain gradually falls off
> the "known good" lists.
> 
> Best o' luck!
> 
> DP
> 

More to the point, you might want to try (at a minimum), these parameters:

smtpd_client_restrictions=permit_mynetworks,reject_unknown_client
smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,reject_unknown_hostname
smtpd_recipient_restrictions=permit_mynetworks,permit_auth_destination,reject_unauth_destination

There are more features available as well, most of which are described
in the above link.

DP

-- 
David-Paul Niner, RHCE
Orange Park, Florida, United States
GPG Key ID: 0x106B54E3