[Kolab-devel] Some postfix suggestion on Kolab (antispam, security, performance)

Fri Nov 30 14:47:12 CET 2007

Hi,

does anyone know if a documents on the wiki describing all the Antispam
strategy of kolab (from postfix smtpd restrictions t/header checking to
amavis/spamassassin/rbl/razor/dcc, etc) ?

I customized my kolab 2.1 installation for having more antispam feature
and while planning for an upgrade to 2.2 i would like to understand
which are the antispamming rules (still doesn't installed 2.2 beta).

I modified postfix of 2.1 beta as follow.

Maybe there's some checks and/or modifications could be added to kolab
standard distribution for security and performance reasons:

smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, check_client_access
hash:/kolab/etc/postfix/access, reject_unauth_destination,
reject_unlisted_recipient, reject_unknown_recipient_domain,
reject_non_fqdn_recipient

smtpd_sender_restrictions = permit_mynetworks,
reject_unknown_sender_domain, reject_non_fqdn_sender,
check_sender_mx_access cidr:/kolab/etc/postfix/mx_access,
reject_rhsbl_sender zen.spamhaus.org, reject_rhsbl_sender
bogusmx.rfc-ignorant.org, reject_rhsbl_sender dsn.rfc-ignorant.org

smtpd_client_restrictions = permit_sasl_authenticated,
check_sender_access pcre:/kolab/etc/postfix/relay_dsl_stop,
reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
reject_rbl_client dnsbl.njabl.org, reject_rbl_client
dul.dnsbl.sorbs.net,reject_rbl_client list.dsbl.org

# Introduce helo checking (otherwise disabled by default)
smtpd_require_helo = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, 
reject_invalid_hostname, reject_unknown_hostname, reject_non_fqdn_hostname

# Reject unauth pipelining
smtpd_data_restrictions = reject_unauth_pipelining

# Perform strict checking on email address (we don't need non standard
email address)
strict_rfc821_envelopes = yes

# Try to always use tls while sending email to other servers (without
verifying digital certificates).
# The goal is "encrypt if you can" that's better than nothing.
smtp_use_tls = yes
smtp_tls_enforce_peername = no

# Why only encrypt authentication when all smtp communication could be
protected with TLS?
# Encrypt all the message flow with authenticated users sending emails.
smtpd_tls_auth_only = no

# Be aggressive in terms of rejection of unauthorized emails
unverified_sender_reject_code = 550
unverified_recipient_reject_code = 550
unknown_address_reject_code = 550
unknown_local_recipient_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550

# PERFORMANCE TUNING to respect a real world timing
smtp_helo_timeout = 5s
smtp_mail_timeout = 15s
smtp_quit_timeout = 30s
smtp_rcpt_timeout = 20s
smtp_rset_timeout = 10s
smtp_starttls_timeout = 10s
smtpd_starttls_timeout = 5s
smtpd_timeout = 60s

Imho we could discuss on the various modifications that provide:

- better performance
- better antispam
- better security (encryption of communication channels inbound/outbound)

Regards,

Fabio

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kolab.org/pipermail/devel/attachments/20071130/af6452b9/attachment.html>