MostlyChris

Thoughts that are my own.

Blocking Spam With Postfix

Here is a test post from my other blog to see how formatting works.

I stole this from here.

I think it’s well worth configuring Postfix with these options (tuned to your exact needs, of course) to block SPAM.

Blocking spammers with Postfix alone

The battle between email admins and spammers is an ongoing arms race. The spammers are at a disadvantage because, by and large, they have to rely on exploiting vulnerable systems to send their mail. With the ever-growing size of botnets, they have a pretty large pool of exploited systems to send from, but Postfix can be configured to weed out most of that.

I’ve used the following configuration for many systems that were being plagued by spam problems. In many cases, SpamAssassin was doing the job, but it was having to process so much junk that it was putting an amazing amount of load on the server. After adding this to the Postfix configuration, Postfix was able to reject mail before it came into the queue, thereby reducing the amount of mail that made it through to SpamAssassin.

Add to /etc/postfix/main.cf:

smtpd_delay_reject = yes
smtpd_helo_required = yes
disable_vrfy_command = yes

smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    #reject_unknown_helo_hostname,
    permit

smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    permit

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access hash:/etc/postfix/denied_recipients,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    permit
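
As an added example (not from the original post or the Postfix project), this Python script parses main.cf-style text and flags access-map lookups that sit before reject_unauth_destination in smtpd_recipient_restrictions, as check_recipient_access does in the list above: an OK result from such a map ends evaluation of the list before the relay check is reached. The function names and the embedded sample are assumptions made for this example.

```python
import re

# Constructed sample: two of the restriction lists from the post's main.cf.
SAMPLE = """\
smtpd_helo_restrictions =
    permit_mynetworks,
    #reject_unknown_helo_hostname,
    permit

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access hash:/etc/postfix/denied_recipients,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    permit
"""

GUARDS = ("reject_unauth_destination", "defer_unauth_destination")

def parse_main_cf(text):
    """Return {parameter: value}; joins continuation lines, skips comment lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:      # indented: continues the value
            params[name] = (params[name] + " " + line.strip()).strip()
        elif not line[0].isspace():
            name, _, value = (part.strip() for part in line.partition("="))
            params[name] = value
    return params

def audit_recipient_restrictions(params):
    """Flag access-map lookups that run before the relay check."""
    value = params.get("smtpd_recipient_restrictions", "")
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    guard = next((i for i, t in enumerate(tokens) if t in GUARDS), None)
    if guard is None:
        return ["no reject_unauth_destination in smtpd_recipient_restrictions"]
    return [
        " ".join(tokens[i:i + 2]) + " precedes " + tokens[guard]
        for i in range(guard)
        if re.fullmatch(r"check_\w+_access", tokens[i])
    ]

if __name__ == "__main__":
    for finding in audit_recipient_restrictions(parse_main_cf(SAMPLE)):
        print("WARN:", finding)
```

Postfix 2.10 and later also evaluate smtpd_relay_restrictions, so check that parameter as well before concluding that a flagged list is exposed.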
