Hi,
I propose to set up a basic antispam / antivirus check on the mailing list server. The administration of mailing lists became a burden due to spams and virus.
I propose several steps: * first blocking mails from invalid domains and virus. This take very little server resource, but should remove a big part of unwanted trafic. * if this is not enough, then setting a specific antispam with Spamassassin for blocking most unwanted mails. This will also require more server resources.
Here below are the rules I propose to implement for the first step. These are the rules I use myself for the last 2 years.
======================== /etc/postfix/main.cf:
smtpd_helo_required = yes disable_vrfy_command = yes
unknown_address_reject_code = 554 unknown_client_reject_code = 554 unknown_hostname_reject_code = 554
# Default: not needed smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, reject_unauth_destination, reject_rbl_client relays.ordb.org, reject_rbl_client opm.blitzed.org, reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client blackholes.easynet.nl, reject_rbl_client proxies.blackholes.wirehub.net, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.njabl.org, permit
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client relays.ordb.org, reject_rbl_client opm.blitzed.org, reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client blackholes.easynet.nl, reject_rbl_client proxies.blackholes.wirehub.net, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.njabl.org, permit
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_unknown_hostname, reject_non_fqdn_hostname
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, reject_unauth_destination, reject_rbl_client relays.ordb.org, reject_rbl_client opm.blitzed.org, reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client blackholes.easynet.nl, reject_rbl_client proxies.blackholes.wirehub.net, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.njabl.org, permit
header_checks = regexp:/etc/postfix/header_checks mime_header_checks = regexp:/etc/postfix/mime_header_checks
========== /etc/postfix/mime_header_checks:
/.*name=".*.(exe|pif|zip|scr|com|dat|vbs)"/ REJECT
========== /etc/postfix/header_checks: (new rules could be added as needed)
/Subject:.*Hydrocodone.*/ REJECT /Subject:.*Valium.*/ REJECT /Subject:.*Vicodin.*/ REJECT /Subject:.*Pharmacy.*/ REJECT /Subject:.*Xanax.*/ REJECT /Subject:.*Rolex.*/ REJECT /Subject:.*VIAGRA.*/ REJECT /Subject:.*Network Critical Update.*/ REJECT
Regards, Yann
wikitech-l@lists.wikimedia.org