Postfix – Blocking spam before it enters the server
Posted in: DNSBL, E-mail, E-mail spam, Extended SMTP, Mail transfer agents, Postfix, Spam filtering
When I first set up the server (part 1 and part 2) I used the basic settings for Postfix, but I soon found that I could cut both the amount of spam and the load on the server by rejecting it before accepting it. I do this by requiring mail servers that want to deliver to me to be configured correctly, and by using a few RBLs (Real-time Blacklists, i.e. DNS-based blocklists).
Since I use Webmin I just navigate to “Servers”, “Postfix Mail Server” and click “Edit Config Files”; otherwise edit “/etc/postfix/main.cf” by hand and run “postfix reload” afterwards so the new restrictions take effect.
Below is my new config file; obviously change the IPs to your IPs and the domains to yours.
########################################################
inet_protocols = all
inet_interfaces = 127.0.0.1, 192.168.0.200, [2001:470:1f09:d2b::220], [::1]
smtp_bind_address = 192.168.0.200
smtp_bind_address6 = [2001:470:1f09:d2b::220]
myorigin = $mydomain
mynetworks = 127.0.0.0/8, 192.168.0.200, [2001:470:1f09:d2b::/64], [::1/128]
myhostname = mail.example.com
mydomain = example.com
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
virtual_alias_domains = example.co.uk, example2.com, example3.com, example2.co.uk
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_recipient_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
policyd-spf_time_limit = 3600
smtpd_client_restrictions = permit_tls_all_clientcerts, reject_unauth_pipelining
2bounce_notice_recipient = webmaster@example.com
error_notice_recipient = webmaster@example.com
bounce_notice_recipient = webmaster@example.com
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_key_file = /etc/postfix/ssl/key.pem
smtpd_tls_cert_file = /etc/postfix/ssl/mail.example.com.pem
smtpd_tls_CAfile = /etc/postfix/ssl/sub.class1.server.ca.pem
smtpd_error_sleep_time = 5s
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
disable_vrfy_command = yes
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_address_reject_code = 550
Some people might say this is quite restrictive, as it will block any mail server that is misconfigured, sending from a dynamic IP, or listed for sending spam, but I have found it blocks 95% of the spam I was receiving beforehand without using a spam filter (thus reducing the load on the server), and I haven't seen any downsides, as all legitimate mail is getting through fine.
I'll try to explain what the main changes are. There are three sections I changed: “smtpd_helo_restrictions”, “smtpd_sender_restrictions” and “smtpd_recipient_restrictions”. Each one is a list that Postfix walks from left to right and stops at the first entry that permits or rejects, so the order of the entries matters. Because smtpd_delay_reject = yes is set, all three lists are evaluated when the client sends RCPT TO, which is why the rejection reason ends up in the log next to the sender and recipient.
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
This list is checked against the MAIL FROM address. Users who have authenticated and clients on my networks are let through; for everyone else, reject_non_fqdn_sender rejects a sender address whose domain is not fully qualified (a bare “user” or “user@host” with no dot) and reject_unknown_sender_domain rejects a sender whose domain has no DNS A or MX record, so mail from made-up domains that could never receive a bounce is refused. Note that this list on its own does not stop people relaying through the server; that job is done by reject_unauth_destination in smtpd_recipient_restrictions.
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
When mail servers communicate with each other they say hello (HELO or EHLO) and identify themselves; smtpd_helo_required makes that mandatory. This list allows my networks through but rejects any client whose HELO name is not a fully qualified domain name (reject_non_fqdn_hostname) or contains characters that are not legal in a hostname (reject_invalid_hostname). A properly configured server announces its real name, i.e. myhostname = mail.example.com. The HELO name is not required to resolve or to match the client's reverse DNS; that would be reject_unknown_helo_hostname, which is stricter and is not used here.
smtpd_recipient_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
This list is evaluated at RCPT TO and is where most rejections actually happen. It repeats the HELO checks, adds reject_unknown_recipient_domain (the recipient's domain must have an A or MX record), and then does two things the other lists do not: reject_unauth_destination refuses any recipient that is not in one of my own domains unless the client is on my networks or has authenticated, which is what stops other people relaying through the server, and the reject_rbl_client entries reject clients whose IP address is listed on an RBL. The order is deliberate: the permit_ entries come first so that authenticated users on dynamic IPs are never RBL-checked, and reject_unauth_destination comes before the RBL lookups so a relay attempt is refused without spending a DNS query on it. You can Google for more RBL lists, but these do just fine for me.
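To show why the order inside a restriction list matters, here is a toy model of Postfix's first-match evaluation. It is an added example, not code from this post or from Postfix: the resolvable domains, the listed address 203.0.113.7, the clean address 198.51.100.9, partner.example.net and elsewhere.example.org are a constructed table standing in for DNS and for the DNSBL, and only the restrictions that appear in the lists above are modelled (permit_inet_interfaces and reject_unauth_pipelining are left out because they depend on protocol state the model does not track). The reply texts follow Postfix's wording.

```python
"""Toy model of how Postfix walks an smtpd_*_restrictions list (added example,
not code from the post or from Postfix). Restrictions are tried top to bottom;
the first one that answers PERMIT or REJECT decides, a restriction that does not
apply answers DUNNO and the walk continues. All DNS, DNSBL and network data
below is a constructed table, not a real lookup."""
import ipaddress
from dataclasses import dataclass

RESOLVABLE_DOMAINS = {"example.com", "example.co.uk", "partner.example.net",
                      "elsewhere.example.org"}      # assumed: these have A/MX records
DNSBL_LISTED = {"203.0.113.7"}                      # assumed: this IP is on the DNSBL
LOCAL_DOMAINS = {"example.com", "example.co.uk"}    # $mydestination + virtual domains
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.200/32")]
HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-.")

@dataclass
class Session:
    client_ip: str
    helo: str
    sender: str
    recipient: str
    sasl_authenticated: bool = False

def is_fqdn(name):
    labels = name.lower().split(".")
    return len(labels) >= 2 and all(labels)         # at least one dot, no empty label

def domain_of(address):
    return address.rpartition("@")[2].lower()

def check(restriction, s):
    """Evaluate one restriction: ('permit' | 'reject' | 'dunno', SMTP reply text)."""
    ip = ipaddress.ip_address(s.client_ip)
    if restriction == "permit_mynetworks":
        return ("permit", "") if any(ip in n for n in MYNETWORKS) else ("dunno", "")
    if restriction == "permit_sasl_authenticated":
        return ("permit", "") if s.sasl_authenticated else ("dunno", "")
    if restriction == "reject_invalid_hostname":
        if s.helo and set(s.helo.lower()) <= HOST_CHARS:
            return ("dunno", "")
        return ("reject", f"501 5.5.2 <{s.helo}>: Helo command rejected: Invalid name")
    if restriction == "reject_non_fqdn_hostname":
        if is_fqdn(s.helo):
            return ("dunno", "")
        return ("reject", f"504 5.5.2 <{s.helo}>: Helo command rejected: need fully-qualified hostname")
    if restriction == "reject_unknown_recipient_domain":
        if domain_of(s.recipient) in RESOLVABLE_DOMAINS:
            return ("dunno", "")
        return ("reject", f"550 5.1.2 <{s.recipient}>: Recipient address rejected: Domain not found")
    if restriction == "reject_unauth_destination":   # the anti-relay check
        if domain_of(s.recipient) in LOCAL_DOMAINS:
            return ("dunno", "")
        return ("reject", f"554 5.7.1 <{s.recipient}>: Relay access denied")
    if restriction.startswith("reject_rbl_client "):
        zone = restriction.split()[1]
        if s.client_ip in DNSBL_LISTED:
            return ("reject", f"554 5.7.1 Service unavailable; Client host [{s.client_ip}] blocked using {zone}")
        return ("dunno", "")
    if restriction == "permit":
        return ("permit", "")
    raise ValueError(f"restriction not modelled: {restriction}")

def evaluate(restrictions, s):
    """First match wins; an exhausted list permits, which is Postfix's default action."""
    for r in restrictions:
        verdict, reply = check(r, s)
        if verdict != "dunno":
            return verdict, r, reply
    return "permit", "(end of list)", ""

# The smtpd_recipient_restrictions from main.cf above, minus permit_inet_interfaces
# and reject_unauth_pipelining, which need protocol state this model does not track.
RECIPIENT_RESTRICTIONS = [
    "permit_mynetworks", "permit_sasl_authenticated",
    "reject_invalid_hostname", "reject_non_fqdn_hostname",
    "reject_unknown_recipient_domain", "reject_unauth_destination",
    "reject_rbl_client zen.spamhaus.org", "permit",
]

def demo():
    """Constructed sessions; returns {name: (verdict, deciding restriction, reply)}."""
    listed, clean = "203.0.113.7", "198.51.100.9"
    cases = {
        "relay attempt": Session(clean, "mx.partner.example.net", "a@partner.example.net", "x@elsewhere.example.org"),
        "listed host, local recipient": Session(listed, "mx.partner.example.net", "a@partner.example.net", "bob@example.com"),
        "listed host, relay attempt": Session(listed, "mx.partner.example.net", "a@partner.example.net", "x@elsewhere.example.org"),
        "roaming user on listed ip": Session(listed, "laptop", "me@example.com", "x@elsewhere.example.org", sasl_authenticated=True),
        "bare helo": Session(clean, "localhost", "a@partner.example.net", "bob@example.com"),
    }
    return {name: evaluate(RECIPIENT_RESTRICTIONS, s) for name, s in cases.items()}

if __name__ == "__main__":
    for name, (verdict, rule, reply) in demo().items():
        print(f"{name:30} {verdict:6} by {rule}  {reply}")
```

The two sessions from the listed address show the point: the relay attempt is refused by reject_unauth_destination before any RBL lookup would be made, and the roaming user who has authenticated is permitted even though the same address is listed, because permit_sasl_authenticated sits earlier in the list. Move the reject_rbl_client entry to the front and that user is locked out.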
I use dnsbl.sorbs.net, zen.spamhaus.org and bl.spamcop.net
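What reject_rbl_client does for each client, re-implemented as an added example (mine, not code from this post or from Postfix): it reverses the client address, appends the zone name, resolves the result as an A record and reads the answer; the 127.x.x.x address that comes back says which sub-list matched. The return-code tables below are the ones Spamhaus publishes for zen.spamhaus.org as I understand them (an assumption to re-check against their current documentation; the other zones use their own codes), and the classify() function does what a careful configuration should do with them: only 127.0.0.2 to 127.0.0.11 count as listings, while 127.255.255.x answers are the blocklist refusing to answer and must not be treated as a listing. Only lookup() touches the network; the rest runs offline on constructed answers.

```python
"""What reject_rbl_client does per client, re-implemented as an added example
(not code from the post or from Postfix): reverse the client address, append
the zone, resolve the name as an A record, and read the answer. Only the
optional lookup() touches the network; everything else runs offline."""
import ipaddress
import socket

def dnsbl_query_name(client_ip, zone):
    """Name Postfix asks for: IPv4 octets reversed, IPv6 as 32 reversed hex nibbles
    (RFC 5782), then the zone.  203.0.113.7 -> 7.113.0.203.<zone>"""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

# Return codes for zen.spamhaus.org as published by Spamhaus (assumed correct at
# the time of writing; re-check their documentation, other zones use other codes).
ZEN_LISTINGS = {
    "127.0.0.2": "SBL - verified spam source",
    "127.0.0.3": "SBL CSS - snowshoe / compromised sender",
    "127.0.0.4": "XBL - exploited or infected host",
    "127.0.0.9": "SBL DROP - hijacked or leased address space",
    "127.0.0.10": "PBL - end-user / dynamic space (ISP maintained)",
    "127.0.0.11": "PBL - end-user / dynamic space (Spamhaus maintained)",
}
ZEN_ERRORS = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query sent via a public or open resolver",
    "127.255.255.255": "excessive number of queries",
}
LISTED_LOW, LISTED_HIGH = ipaddress.ip_address("127.0.0.2"), ipaddress.ip_address("127.0.0.11")

def classify(answers):
    """Interpret the A records returned for a DNSBL name.

    Returns ('clean', []), ('listed', [reasons]) or ('error', [reasons]).
    An NXDOMAIN (empty answer) means not listed; a 127.255.255.x answer is
    the DNSBL refusing to answer and must not be treated as a listing."""
    hits, errors = [], []
    for a in answers:
        ip = ipaddress.ip_address(a)
        if ip in ipaddress.ip_network("127.255.255.0/24"):
            errors.append(ZEN_ERRORS.get(a, f"error code {a}"))
        elif LISTED_LOW <= ip <= LISTED_HIGH:
            hits.append(ZEN_LISTINGS.get(a, f"listed with {a}"))
        else:
            errors.append(f"unexpected answer {a}")
    if hits:
        return "listed", hits
    if errors:
        return "error", errors
    return "clean", []

def lookup(client_ip, zone="zen.spamhaus.org"):
    """Live query through the system resolver; needs network access and, for
    Spamhaus, a resolver that is not a public one. NXDOMAIN (gaierror) -> [],
    which is also what you get for a resolver failure, so it is never a listing."""
    try:
        return socket.gethostbyname_ex(dnsbl_query_name(client_ip, zone))[2]
    except socket.gaierror:
        return []

if __name__ == "__main__":
    # 127.0.0.2 is the address every DNSBL lists for testing (RFC 5782).
    name = dnsbl_query_name("127.0.0.2", "zen.spamhaus.org")
    print(name, "->", classify(lookup("127.0.0.2")))
```

Postfix itself rejects on any A record under the zone unless the entry says otherwise, so if Spamhaus starts answering 127.255.255.254 because your server queries through a public resolver, a plain reject_rbl_client zen.spamhaus.org line rejects every client. The form Spamhaus documents for Postfix, reject_rbl_client zen.spamhaus.org=127.0.0.[2..11], only rejects on real listings and is the safer spelling of the line in the config above. Since 127.0.0.2 is the test entry every DNSBL carries, running host 2.0.0.127.zen.spamhaus.org on the mail server is a quick check that lookups work at all; a 127.255.255.x answer there means the resolver is being refused.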
If you want a more detailed explanation of what each option does, have a read of Postfix Configuration Parameters (the postconf(5) manual page); it lists every option going.
I have also set up SPF checking and a whitelist, in case a valid mail server ends up on an RBL; for the whitelist to do anything it has to sit in the list before the reject_rbl_client entries, since the first matching entry wins. SPF is covered in a previous article.