Configuring Postfix to reduce SPAM

So, SPAM is annoying. We all know that, but what can be done? Well, Postfix (a Unix MTA) has a number of features that help cut down on the crap. You can access my entire /etc/postfix/main.cf file verbatim, or take a look below at some anti-SPAM highlights.

mydestination = abstractlogic.net, sqrt2.abstractlogic.net, localhost.abstractlogic.net, localhost
relayhost =

These are probably the most important parameters to prevent your host from becoming a spammer’s dream.

smtpd_delay_reject = yes

This is just an annoyance for spammers. If Postfix is going to reject a connection/destination/whatever, it will not do it immediately. This has the effect of slowing down spammers who are trying to hit you, reducing the connection attempts per unit time.

smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    permit

Here, the HELO or EHLO message must be the first thing a client says. Also, the host they claim to be must be either (a) on your network, or (b) from a fully-qualified domain name. It is amazing how many spammers use invalid HELO messages.

smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

This is just a restriction on who can send a message. This is before the message itself is even inspected, so this rule is fairly permissive. Basically, you must have a proper DNS entry or be SASL authenticated to send messages to/through my server.

smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    #reject_rbl_client relays.ordb.org,
    #reject_rbl_client list.dsbl.org,
    #reject_rbl_client sbl-xbl.spamhaus.org,
    #check_policy_service unix:private/spfpolicy,
    #check_policy_service inet:127.0.0.1:10023,
    check_policy_service inet:127.0.0.1:60000,
    permit

When the MTA is receiving a message, the message is filtered through this block. It will accept mail coming into one of our networks, or accept mail for anyone if the sending user is authenticated. The commented lines are optional checks against blacklists and various other distributed spam checkers. Policy servers are separate servers that run alongside Postfix to process mail. I have one enabled on port 60000. This server is a greylist server. It delays SPAM by sending a “try again later” message. Finally, after all other checks have passed, the message is accepted and queued for delivery to whomever it is addressed to.

If anyone else has interesting tips/ideas to cut down on SPAM, I’d love to hear about them.
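
To show what a greylist policy server like the one behind check_policy_service above does with each request, here is an added example (not the author's server or any project's code) of the request parsing and the greylisting decision in Postfix's policy delegation format. The 300-second delay, the in-memory table, and the names parse_request and Greylist are assumptions made for illustration.

```python
import time

GREYLIST_DELAY = 300  # seconds a new triplet must wait (assumed value)

def parse_request(text):
    """Parse one policy request: name=value lines ended by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:          # blank line terminates the request
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

class Greylist:
    """Hypothetical in-memory greylist keyed on (client IP, sender, recipient)."""

    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.first_seen = {}  # triplet -> time of first delivery attempt

    def decide(self, attrs, now=None):
        """Return the reply Postfix expects: an action line plus a blank line."""
        now = time.time() if now is None else now
        if attrs.get("request") != "smtpd_access_policy":
            return "action=dunno\n\n"   # not a policy request: stay out of the way
        triplet = (attrs.get("client_address", ""),
                   attrs.get("sender", "").lower(),
                   attrs.get("recipient", "").lower())
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.delay:
            # Temporary failure: a real MTA queues and retries, most spamware does not.
            return "action=defer_if_permit Greylisted, please try again later\n\n"
        # "dunno" hands the decision to the next restriction (the final permit).
        return "action=dunno\n\n"

# Constructed sample request in the shape Postfix sends at RCPT TO time.
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "client_address=192.0.2.10\nsender=a@example.org\n"
          "recipient=b@example.net\n\n")

if __name__ == "__main__":
    greylist = Greylist()
    request = parse_request(SAMPLE)
    print(greylist.decide(request, now=0), end="")    # first attempt
    print(greylist.decide(request, now=600), end="")  # retry after the delay
```

Because the check sits after reject_unauth_destination in the list, only mail that would otherwise be accepted ever reaches the greylist.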