{"id":5235,"date":"2015-10-04T13:29:14","date_gmt":"2015-10-04T05:29:14","guid":{"rendered":"http:\/\/rmohan.com\/?p=5235"},"modified":"2015-10-04T13:29:14","modified_gmt":"2015-10-04T05:29:14","slug":"postfix-blocking-spam-before-it-enters-the-server","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=5235","title":{"rendered":"Postfix &#8211; Blocking spam before it enters the server"},"content":{"rendered":"<p><strong>Postfix &#8211; Blocking spam before it enters the server<br \/>\n<\/strong><br \/>\nWhen I first set up the server (part 1 and part 2) I used the basic settings for Postfix, but soon found that I could reduce the amount of spam and the load on the server by rejecting it before accepting it. I do this by forcing mail servers that want to deliver mail to me to be configured correctly and by using a few RBLs (Real-time Blacklists).<\/p>\n<p>Since I use Webmin, I just navigate to &#8220;servers&#8221;, &#8220;Postfix Mail server&#8221;, then click &#8220;Edit Config Files&#8221;, or manually edit &#8220;\/etc\/postfix\/main.cf&#8221;.<\/p>\n<p>Below is my new config file &#8211; obviously change the IPs to your IPs and the domains to yours.<\/p>\n<p>########################################################<br \/>\ninet_protocols = all<br \/>\ninet_interfaces = 127.0.0.1, 192.168.0.200, [2001:470:1f09:d2b::220], [::1]<br \/>\nsmtp_bind_address = 192.168.0.200<br \/>\nsmtp_bind_address6 = [2001:470:1f09:d2b::220]<br \/>\nmyorigin = $mydomain<br \/>\nmynetworks = 127.0.0.0\/8, 192.168.0.200, [2001:470:1f09:d2b::]\/64, [::1]\/128<br \/>\nmyhostname = mail.example.com<br \/>\nmydomain = example.com<br \/>\nmydestination = $myhostname, $mydomain, localhost.$mydomain, localhost<\/p>\n<p>virtual_alias_domains = example.co.uk, example2.com, example3.com, example2.co.uk<br \/>\nvirtual_alias_maps = 
hash:\/etc\/postfix\/virtual<\/p>\n<p>smtpd_delay_reject = yes<br \/>\nsmtpd_helo_required = yes<br \/>\nsmtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit<\/p>\n<p>smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit<\/p>\n<p>smtpd_recipient_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit<\/p>\n<p>policyd-spf_time_limit = 3600<br \/>\nsmtpd_client_restrictions = permit_tls_all_clientcerts, reject_unauth_pipelining<\/p>\n<p>2bounce_notice_recipient = webmaster@example.com<br \/>\nerror_notice_recipient = webmaster@example.com<br \/>\nbounce_notice_recipient = webmaster@example.com<\/p>\n<p>smtpd_sasl_local_domain =<br \/>\nsmtpd_sasl_auth_enable = yes<br \/>\nbroken_sasl_auth_clients = yes<br \/>\nsmtpd_sasl_authenticated_header = yes<br \/>\nsmtpd_tls_key_file = \/etc\/postfix\/ssl\/key.pem<br \/>\nsmtpd_tls_cert_file = \/etc\/postfix\/ssl\/mail.example.com.pem<br \/>\nsmtpd_tls_CAfile = \/etc\/postfix\/ssl\/sub.class1.server.ca.pem<br \/>\nsmtpd_error_sleep_time = 5s<\/p>\n<p>smtp_use_tls = yes<br \/>\nsmtpd_tls_auth_only = no<br \/>\nsmtp_tls_note_starttls_offer = yes<br \/>\nsmtpd_use_tls = yes<br \/>\nsmtpd_tls_loglevel = 1<br \/>\nsmtpd_tls_received_header = yes<br \/>\nsmtpd_tls_session_cache_timeout = 3600s<\/p>\n<p>tls_random_source = dev:\/dev\/urandom<br \/>\ndisable_vrfy_command = yes<br \/>\nunknown_client_reject_code = 550<br \/>\nunknown_hostname_reject_code = 550<br \/>\nunknown_address_reject_code = 550<\/p>\n<p>Some people might say this is quite restrictive as it will block any mail server that is mis-configured or using a dynamic IP, 
or has been blocked for sending spam, but I have found it blocks 95% of the spam I was receiving beforehand without using a spam filter (thus reducing the load on the server), and I haven&#8217;t seen any downsides, as all legit mail is getting through fine.<\/p>\n<p>I&#8217;ll try and explain what the main changes are. There are 3 main sections I changed: &#8220;smtpd_helo_restrictions&#8221;, &#8220;smtpd_sender_restrictions&#8221; and &#8220;smtpd_recipient_restrictions&#8221;.<\/p>\n<p>smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit<br \/>\nThis allows my networks and users that have authenticated themselves to connect but blocks any servers that haven&#8217;t configured a valid hostname for their mail server (should always use a proper domain name i.e. myhostname = mail.example.com) and also stops people trying to relay mail through my server.<\/p>\n<p>smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit<br \/>\nWhen mail servers communicate with each other they say hello and identify themselves. This setting allows my networks to connect but blocks any servers that haven&#8217;t configured a valid hostname for their mail server (should always use a proper domain name i.e. 
myhostname = mail.example.com)<\/p>\n<p>smtpd_recipient_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_invalid_hostname, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit<br \/>\nThis setting does the same as the above settings, except that it also rejects mail servers that are listed on RBLs (Real-time Blacklists). You can google for more RBLs, but these do just fine for me.<br \/>\nI use dnsbl.sorbs.net, zen.spamhaus.org and bl.spamcop.net.<\/p>\n<p>If you want a more detailed explanation of what each option does, have a read of Postfix Configuration Parameters; it lists every option going.<\/p>\n<p>I have also set up SPF checking and a whitelist, just in case a valid email server gets onto an RBL. SPF is covered in a previous article.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Postfix &#8211; Blocking spam before it enters the server Posted in DNSBL E-mail E-mail spam Extended SMTP Mail transfer agents Postfix Spam filtering When i first setup the server part 1 and part 2 i used the basic setting for postfix but soon found that i could reduce the amount of spam and load on 
[&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5235"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5235"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5235\/revisions"}],"predecessor-version":[{"id":5236,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5235\/revisions\/5236"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5235"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}