Postfix advanced level

see also article: Postfix, Postfix as MX server

Getting rid of spam/virus mails

Different Postfix Access Policy Delegation

How to use different access policy delegation servers with Postfix. This opens the possibility to use a different check_policy_service depending on the sender address, client IP and so on.

Create aliases for groups of access restrictions in /etc/postfix/main.cf:

  smtpd_restriction_classes = policy1, policy2
  policy1 = check_policy_service inet:127.0.0.1:12525
  policy2 = check_policy_service inet:127.0.0.1:12526

Create "/etc/postfix/ip_rules.cidr" (the cidr map is searched top to bottom, first match wins, so the catch-all 0.0.0.0/0 line must come last):

 # echo "127.0.0.1 policy1" > /etc/postfix/ip_rules.cidr
 # echo "127.0.0.2 policy1" >> /etc/postfix/ip_rules.cidr
 # echo "0.0.0.0/0 policy2" >> /etc/postfix/ip_rules.cidr

Add "check_client_access cidr:/etc/postfix/ip_rules.cidr" at the end of "smtpd_recipient_restrictions" in /etc/postfix/main.cf. The right-hand side of each cidr entry names a restriction class, so a match on 127.0.0.1 runs policy1 and everything else runs policy2.

In this scenario you get different access policies based on the client IP. The same can be done on the client's reverse DNS name (check_client_access with a pcre map, which also matches the client hostname) or on the recipient/sender address (check_recipient_access / check_sender_access with hash maps).
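A minimal policy server for the "policy2" service above (port 12526), added here as an example that is not part of the original page: it speaks the Postfix policy delegation protocol (name=value lines ended by an empty line, answered with an action= line) and rejects envelopes that claim a local sender domain without SASL authentication. LOCAL_DOMAINS, the sample request and the reject rule are assumptions chosen for illustration; clients in mynetworks never reach this check because check_client_access sits at the end of smtpd_recipient_restrictions.

```python
import socketserver

# Assumption (not on the page): the domains this server considers its own.
LOCAL_DOMAINS = {"example.com"}

# Constructed sample request in the format smtpd sends to a policy service.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=192.0.2.10\nsasl_username=\n"
                  "sender=boss@example.com\nrecipient=alice@example.com\n\n")

def parse_request(text):
    """Parse one policy request: name=value lines, terminated by an empty line."""
    attrs = {}
    for line in text.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs):
    """Return the action for one request (the 'policy2' service on port 12526)."""
    if attrs.get("request") != "smtpd_access_policy" or attrs.get("protocol_state") != "RCPT":
        return "DUNNO"          # only judge complete RCPT-stage envelopes
    sender = attrs.get("sender", "")
    domain = sender.rpartition("@")[2].lower()
    # A local sender domain from an unauthenticated client is a forgery.
    if domain in LOCAL_DOMAINS and not attrs.get("sasl_username"):
        return "REJECT sender %s is not authenticated" % sender
    return "DUNNO"              # let the remaining restrictions decide

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):           # smtpd reuses the connection: loop until it closes
        while True:
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            action = decide(parse_request("\n".join(lines) + "\n"))
            self.wfile.write(("action=%s\n\n" % action).encode("utf-8"))
            self.wfile.flush()

if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    socketserver.ThreadingTCPServer(("127.0.0.1", 12526), PolicyHandler).serve_forever()
```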

Address verification (Postfix default values in parentheses)

  • address_verify_positive_expire_time (31d) - The time after which a successful probe expires from the address verification cache.
  • address_verify_positive_refresh_time (7d) - The time after which a successful address verification probe needs to be refreshed.
  • address_verify_negative_cache (yes) - Enable caching of failed address verification probe results.
  • address_verify_negative_expire_time (3d) - The time after which a failed probe expires from the address verification cache.
  • address_verify_negative_refresh_time (3h) - The time after which a failed address verification probe needs to be refreshed.

MySQL Proxy

Performance and reliability under high load will be much improved if you use the Postfix proxymap service with your MySQL interface. This allows MySQL query connections to be shared among Postfix smtpd processes; without it, you will need much higher-end database hardware as Postfix will need to spawn a number of SQL connections for every smtpd or cleanup process. This problem typically only shows up under high load, just when you least want to see it.

To access MySQL via proxymap, prefix the MySQL map definitions with "proxy:" so they read (example below). The proxymap server only opens tables named in proxy_read_maps; its default value already includes virtual_alias_maps, virtual_mailbox_domains and virtual_mailbox_maps, so nothing else needs to change for these three.

virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf

More RBL lists and stuff

These go into smtpd_recipient_restrictions (or smtpd_client_restrictions) in main.cf. Note that reject_rbl_sender is not a Postfix restriction (an unknown restriction name makes smtpd log a warning and temporarily reject every request with a server configuration error), so the IP-based zones are only usable with reject_rbl_client; domain-based zones go with reject_rhsbl_sender / reject_rhsbl_client. This list dates from 2009 and many of these zones have since been shut down; a shut-down zone may answer positively for every query, which rejects all incoming mail, so test each zone before enabling it (127.0.0.2 must be listed, 127.0.0.1 must not).

       reject_rbl_client relays.ordb.org,
       reject_rbl_client relays.visi.com,
       reject_rbl_client sbl-xbl.spamhaus.org,
       reject_rbl_client sbl.spamhaus.org,
       reject_rbl_client xbl.spamhaus.org,
       reject_rbl_client hil.habeas.com,
       reject_rbl_client bl.spamcop.net,
       reject_rbl_client list.dsbl.org,
       reject_rbl_client combined.njabl.org,
       reject_rbl_client opm.blitzed.org,
       reject_rbl_client dnsbl.sorbs.net,
       reject_rbl_client dul.dnsbl.sorbs.net,
       reject_rbl_client cn-kr.blackholes.us,
       reject_rbl_client singapore.blackholes.us,
       reject_rbl_client malaysia.blackholes.us,
       reject_rbl_client nigeria.blackholes.us,
       reject_rbl_client cbl.abuseat.org,
       reject_rbl_client dnsbl.ahbl.org,
       reject_rbl_client dynablock.njabl.org,
       reject_rbl_client l0.spews.dnsbl.sorbs.net,
       reject_rhsbl_sender dsn.rfc-ignorant.org,
       reject_rhsbl_client blackhole.securitysage.com,
       reject_rhsbl_sender blackhole.securitysage.com,
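A zone liveness check for the list above, added here as an example that is not part of the original page: it queries each zone the way reject_rbl_client does (reversed octets under the zone) with the two RFC 5782 probe addresses, flagging zones that no longer answer and zones that list everything. Zone names on the command line and the resolve parameter (injectable so the logic can be exercised offline) are assumptions.

```python
import socket

# RFC 5782 probes: 127.0.0.2 must be listed in every live DNSBL, 127.0.0.1 never.
LISTED_PROBE, UNLISTED_PROBE = "127.0.0.2", "127.0.0.1"

def dnsbl_name(ip, zone):
    """Build the query name Postfix uses: reversed octets under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def lookup(name, resolve=socket.gethostbyname):
    """Return the A record for name, or None when the name does not resolve."""
    try:
        return resolve(name)
    except OSError:
        return None

def check_zone(zone, resolve=socket.gethostbyname):
    """Classify a zone: 'ok', 'dead' (no answer for the listed probe) or
    'lists-everything' (answers for the unlisted probe: it would reject all mail)."""
    if lookup(dnsbl_name(UNLISTED_PROBE, zone), resolve) is not None:
        return "lists-everything"
    if lookup(dnsbl_name(LISTED_PROBE, zone), resolve) is None:
        return "dead"
    return "ok"

def check_zones(zones, resolve=socket.gethostbyname):
    """Check every zone and return {zone: status}; keep only the 'ok' ones in main.cf."""
    return {zone: check_zone(zone, resolve) for zone in zones}

if __name__ == "__main__":
    import sys
    for zone, status in check_zones(sys.argv[1:]).items():
        print("%-40s %s" % (zone, status))
```

Run it as `python3 check_dnsbl.py bl.spamcop.net dnsbl.sorbs.net ...` with the zone names from the list above.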

Signature

If you haven't set it up, try this:

In Postfix master.cf you can set up different IP addresses (aliases) and send 'local' email to one of them.

In this case the default is to filter, but mail arriving via 127.0.0.1 (already filtered: amavis → postfix and back) is not filtered again.

 smtp      inet  n       -       n       -       -       smtpd
   -o content_filter=dfilt:
 127.0.0.1:smtp inet n   -       n       -       -       smtpd
 dfilt     unix  -       n       n       -       -       pipe
   flags=Rq user=filter argv=/usr/local/etc/postfix/disclaimer -f ${sender} -- ${recipient}

/usr/local/etc/postfix/disclaimer is:

  #!/bin/sh
  # Simple shell-based filter (after the Postfix FILTER_README), run by the
  # "dfilt" pipe transport as the unprivileged user "filter".

  # Localize these.
  INSPECT_DIR=/var/spool/filter
  SENDMAIL=/usr/sbin/sendmail

  # Exit codes from <sysexits.h>
  EX_TEMPFAIL=75
  EX_UNAVAILABLE=69

  # Clean up when done or when aborting.
  trap "rm -f in.$$" 0 1 2 3 15

  # Start processing.
  cd "$INSPECT_DIR" || { echo "$INSPECT_DIR does not exist"; exit $EX_TEMPFAIL; }

  cat >in.$$ || { echo Cannot save mail to file; exit $EX_TEMPFAIL; }

  # altermime rewrites in.$$ in place, adding the disclaimer and the extra header.
  /usr/local/bin/altermime --input=in.$$ --htmltoo \
                   --disclaimer=/var/amavis/etc/disclaimer.txt \
                   --xheader="X-Confidential-Material: Please visit http://www.secnap.com" || \
                     { echo Message content rejected; exit $EX_UNAVAILABLE; }

  # Re-inject the modified message; "$@" carries -f ${sender} -- ${recipient}.
  $SENDMAIL "$@" <in.$$


postfix/advance.txt · Last modified: 2009/05/25 00:35 (external edit)
CC Attribution-Share Alike 4.0 International