[Kolab-devel] Some postfix suggestion on Kolab (antispam, security, performance)
Fabio Pietrosanti
lists at infosecurity.ch
Tue Dec 4 11:34:59 CET 2007
Hi,
does anyone know if there is a document on the wiki describing the whole antispam
strategy of Kolab (from postfix smtpd restrictions to header checking to
amavis/spamassassin/rbl/razor/dcc, etc.)?
I customized my Kolab 2.1 installation to have more antispam features,
and while planning an upgrade to 2.2 I would like to understand
what the antispam rules are (I still haven't installed the 2.2 beta).
I modified the postfix of 2.1 beta as follows.
Maybe there are some checks and/or modifications that could be added to the Kolab
standard distribution for security and performance reasons:
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/kolab/etc/postfix/access,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient

smtpd_sender_restrictions = permit_mynetworks,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    check_sender_mx_access cidr:/kolab/etc/postfix/mx_access,
    reject_rhsbl_sender zen.spamhaus.org,
    reject_rhsbl_sender bogusmx.rfc-ignorant.org,
    reject_rhsbl_sender dsn.rfc-ignorant.org

smtpd_client_restrictions = permit_sasl_authenticated,
    check_sender_access pcre:/kolab/etc/postfix/relay_dsl_stop,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client list.dsbl.org

# Introduce helo checking (otherwise disabled by default)
smtpd_require_helo = yes
smtpd_helo_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_unknown_hostname,
    reject_non_fqdn_hostname

# Reject unauth pipelining
smtpd_data_restrictions = reject_unauth_pipelining

# Perform strict checking on email addresses (we don't need non-standard
# email addresses)
strict_rfc821_envelopes = yes

# Try to always use TLS while sending email to other servers (without
# verifying digital certificates).
# The goal is "encrypt if you can", which is better than nothing.
smtp_use_tls = yes
smtp_tls_enforce_peername = no

# Why only encrypt authentication when all SMTP communication could be
# protected with TLS?
# Encrypt all the message flow with authenticated users sending emails.
smtpd_tls_auth_only = no

# Be aggressive in terms of rejection of unauthorized emails
unverified_sender_reject_code = 550
unverified_recipient_reject_code = 550
unknown_address_reject_code = 550
unknown_local_recipient_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550

# PERFORMANCE TUNING to respect real-world timing
smtp_helo_timeout = 5s
smtp_mail_timeout = 15s
smtp_quit_timeout = 30s
smtp_rcpt_timeout = 20s
smtp_rset_timeout = 10s
smtp_starttls_timeout = 10s
smtpd_starttls_timeout = 5s
smtpd_timeout = 60s
Imho we could discuss the various modifications that provide:
- better performance
- better antispam
- better security (encryption of communication channels inbound/outbound)
Maybe they are not useful, maybe they are.
Regards,
Fabio
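As an added example (not from Fabio's message or from the Kolab project), a small Python audit that parses a main.cf fragment in the form above and reports which check_*_access lookups in smtpd_recipient_restrictions are evaluated before reject_unauth_destination, since an access map entry returning OK at such a position grants that client relaying to any destination. The sample text is constructed from the post; the function names are my own.

```python
import re

# Constructed sample in main.cf form: the recipient restrictions from the post,
# written with Postfix continuation lines (leading whitespace) as main.cf uses them.
SAMPLE_MAIN_CF = """\
# relay policy
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, check_client_access
    hash:/kolab/etc/postfix/access, reject_unauth_destination,
    reject_unlisted_recipient, reject_unknown_recipient_domain
smtpd_require_helo = yes
"""

# Restrictions that consume the following token as an argument (map or DNSBL domain).
# Assumption: only these prefixes take an argument in the lists being audited.
ARG_PREFIXES = ('check_', 'reject_rbl_', 'reject_rhsbl_')

def parse_main_cf(text):
    """Return {parameter: value} from main.cf text, joining continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and current:          # continuation of previous parameter
            params[current] += ' ' + raw.strip()
            continue
        key, _, value = raw.partition('=')
        current = key.strip()
        params[current] = value.strip()
    return params

def split_restrictions(value):
    """Split a restriction list into (name, argument) pairs."""
    tokens = [t for t in re.split(r'[,\s]+', value) if t]
    pairs, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if name.startswith(ARG_PREFIXES) and i + 1 < len(tokens):
            i += 1
            arg = tokens[i]
        pairs.append((name, arg))
        i += 1
    return pairs

def audit_relay_policy(main_cf_text):
    """List check_* lookups placed before reject_unauth_destination in
    smtpd_recipient_restrictions; each is a place where an OK result relays."""
    pairs = split_restrictions(parse_main_cf(main_cf_text).get('smtpd_recipient_restrictions', ''))
    before = []
    for name, arg in pairs:
        if name == 'reject_unauth_destination':
            return {'relay_check_present': True, 'lookups_before_relay_check': before}
        if name.startswith('check_'):
            before.append((name, arg))
    return {'relay_check_present': False, 'lookups_before_relay_check': before}
```

Running `audit_relay_policy(SAMPLE_MAIN_CF)` shows the `check_client_access hash:/kolab/etc/postfix/access` lookup ahead of the relay check, so any OK entry in that map should be reviewed; a list with no reject_unauth_destination at all is reported as well.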