
Re: Postfix as default MTA?



On Mon, Jun 28, 1999 at 04:56:08PM -0700, Chris Waters wrote:
> Craig Sanders <cas@taz.net.au> writes:
> 
> > postfix is secure, very fast, and very configurable...and it's
> > probably the easiest of all the MTAs to configure.
>
> Easier than exim?  I was all set to object, because exim is the only
> MTA so far that I (a programmer, not a sysadmin) have been ABLE to
> figure out at all.  And I really think our default should be something
> that the average joe has a *chance* of figuring out.  But if postfix
> *is* actually easier than exim, then I'll withdraw my objection before
> I even post it. :-)

i find it much easier than exim. however, that's a subjective judgement,
not "objective fact".

it's got a "plain english" config file, well documented with comments
and examples. the defaults work fine for simple installs. changing the
configuration is mostly a matter of uncommenting or making minor changes
to sample lines in the main.cf file.

in general, i find postfix configuration to be very logical and
straightforward.  YMMV.


probably the hardest thing about configuring postfix is tweaking the
anti-spam rules until they do exactly what you want - and even that is
much easier than anything else i've used.

after several months of tweaking, i've settled on the following
anti-spam rules (which is probably overkill for most sites):

header_checks = pcre:/etc/postfix/badheaders

    this is a text file which contains perl-compatible regexps (PCRE)
    describing headers i want to reject (e.g. "To:.*friend@public.com").
    i prefer PCRE, but posix regexps are available too.

    i used to do this kind of spam filtering in procmail - it's a lot
    less load on the system to do it in the smtp receipt stage. i have
    wanted this feature for years...i know exim has something similar
    but exim wasn't really suitable for my needs.

smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/pcre.cf,
                             reject_unknown_sender_domain,
                             reject_non_fqdn_sender,
                             reject_non_fqdn_recipient,
                             reject_invalid_hostname,
                             reject_unknown_recipient_domain,
                             permit_mynetworks,
                             reject_maps_rbl,
                             hash:/etc/postfix/junk, 
                             permit_mx_backup,
                             check_relay_domains

/etc/postfix/junk is a hashed db where i list things (domains, email
addresses) which i want to explicitly accept or reject (RHS = "OK" or
"REJECT"). 

/etc/postfix/pcre.cf is a text file containing the following two PCREs:

	/^(?!owner-)(.*)-outgoing@(.*)$/        550 Use ${1}@${2} instead
	/^(postmaster|abuse|hostmaster|root)@/  OK

these two reject mail to *-outgoing aliases, and accept all mail to/from
postmaster, abuse, hostmaster, and root (bypassing all other checks
because it is the first listed restriction).


the order of the options is significant - the *first* rule which returns
an OK or a REJECT code is what counts. this is probably the point where
most confusion will come from...fortunately it is really easy to explain
the rule :)


there are other anti-spam options, but the above are more than enough
for most sites.



on a final note, probably the worst thing about postfix is that it sends
a very friendly bounce message which tends to encourage users to write
and ask for help, even though the reason for the bounce is clearly
stated...most replies to such questions are slightly less sarcastic
versions of "the reason why your message bounced with a message saying
'unknown user' is that there is no such user on our system".

this is a user wetware problem rather than a software problem, though.


craig

--
craig sanders
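
The first-match rule described in the message above, as an added example (not part of the original post and not Postfix code): a small Python model of the two pcre.cf rules and of in-order restriction evaluation. `non_fqdn_recipient` is a simplified stand-in for reject_non_fqdn_recipient, and all addresses are constructed.

```python
import re

# The two rules quoted from /etc/postfix/pcre.cf in the message.
# Postfix pcre tables match case-insensitively by default.
PCRE_CF = [
    (re.compile(r"^(?!owner-)(.*)-outgoing@(.*)$", re.I), "550 Use ${1}@${2} instead"),
    (re.compile(r"^(postmaster|abuse|hostmaster|root)@", re.I), "OK"),
]

def pcre_lookup(table, key):
    """Return the result of the first matching pattern, or None (no decision)."""
    for pattern, result in table:
        m = pattern.search(key)
        if m:
            # Expand ${n} with the n-th capture group, as the table syntax does.
            return re.sub(r"\$\{(\d+)\}", lambda g: m.group(int(g.group(1))), result)
    return None

def non_fqdn_recipient(rcpt):
    # Assumption: simplified stand-in for reject_non_fqdn_recipient,
    # rejecting when the domain part contains no dot.
    domain = rcpt.rpartition("@")[2]
    return None if "." in domain else "REJECT"

def evaluate(restrictions, rcpt):
    """Walk the list in order; the first restriction that decides is final."""
    for name, check in restrictions:
        verdict = check(rcpt)
        if verdict is not None:
            return name, verdict
    return "end of list", "no decision"

# Same relative order as in the posted smtpd_recipient_restrictions.
AS_POSTED = [
    ("check_recipient_access", lambda r: pcre_lookup(PCRE_CF, r)),
    ("reject_non_fqdn_recipient", non_fqdn_recipient),
]
REORDERED = list(reversed(AS_POSTED))

if __name__ == "__main__":
    # Rule 2 only inspects the local part, so its OK applies to any domain.
    for rcpt in ("debian-devel-outgoing@lists.example", "postmaster@localhost",
                 "user@localhost", "postmaster@elsewhere.example"):
        print(rcpt, "->", evaluate(AS_POSTED, rcpt), "| reordered:", evaluate(REORDERED, rcpt))
```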

