What is this? From this page you can use the Social Web links to save Preventing Spam with Postfix configuration files to a social bookmarking site, or the E-mail form to send a link via e-mail.

Social Web

E-mail

E-mail It
January 19, 2006

Preventing Spam with Postfix configuration files

Posted in: PostFix,Spam

Spam is a very annoying experience. People try to do everything to get their stuff sold, while others try everything possible not to receive these messages. Having your own mail-server makes you vulnerable for spammers when you don’t configure your mail-server properly. Luckily the default configuration settings in Postfix make your server secure enough and don’t create an email server anyone can abuse.

One thing you would want to avoid is that regular email that you want to receive is not blocked. Spam filters check for keywords and block email based on the content of the email, this might be useful until your best friend starts boasting about his adventures with viagra via email. Before I started experimenting with spam filters I wanted to find out what else one could to reduce the amount of spam.

Postfix has some interesting features that will help in preventing spammers sending you or using your server to send spam. One of the things most spammer do is write simple programs that are able to use SMTP commands to send mail. They implement a very limited amount of the instruction set that will just allow them to send mail.

Fighting those spammer programs is easy, just force them to use a more complicated dialogue. In our case force them to first send a HELO or EHLO command before you start receiving email. To configure this you need to add the following lines to your /etc/postfix/main.cf configuration file:

smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
  permit_mynetworks,
  reject_non_fqdn_hostname,
  reject_invalid_hostname,
  permit

The first line is there to fix support for certain broken clients. The second line rejects incoming connections if clients are unable to send the HELO of EHLO command. The fourth line allows connections from clients in your network (defined earlier). The last three lines are an added bonus in that they reject connections from hosts that don’t identify themselves correctly, such as “MAILSERVER” or “HOST@194.163!aol.com”

To check the rejects that are happening you could add the line warn_if_reject in between. This will log all the rejections in the /var/log/mail.log file. It would look like:

permit_mynetworks,
warn_if_reject,
reject_non_fqdn_hostname,

You can also put some restrictions on the sender side of the messages. The sender should be authenticated and use a legal domain-name and address:

smtpd_sender_restrictions =
  warn_if_reject,
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  permit

I already added the line warn_if_reject, I would like to know when something is rejected.

The same can be done for recipients, with some added bonuses:

smtpd_recipient_restrictions =
  reject_unauth_pipelining,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  warn_if_reject,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_invalid_hostname,
  reject_rbl_client relays.ordb.org,
  reject_rbl_client opm.blitzed.org,
  reject_rbl_client list.dsbl.org,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client sbl-xbl.spamhaus.org,
  permit

Many spammers send a series of commands without waiting for authorisation, in order to deliver their messages as quickly as possible. The first line rejects messages from those attempting to do this. The second and third line should be familiar by now. The fourth and fifth allow known users that are authenticated and computers in your own network. The sixth line is critically important, it will reject all emails for domains not listed with our server. So, domains not available in our virtual domain list.

The last lines are a list of servers that keep a list of open relay servers. Every incoming connection is checked on ip-address and/or domain name if it is a known spam server. All mails from servers listed at these databases will be rejected.

I’ve listed these servers that I know of. You yourselves should check which one you want to use check their reputation and policies toward adding new entries. Evaluate each list for yourself before using their databases to reject messages.

I’ve noticed the amount of incoming spam dropping significantly after adding these lines in my configuration. If you use these settings, check the logfile regularly for warnings of rejection that you might not want.


Return to: Preventing Spam with Postfix configuration files