Postfix is free and powerful MTA. You can easily configure Postfix to block spam. You need to add
following directives to /etc/postfix/main.cf file:
=> disable_vrfy_command = yes : Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.
=> smtpd_delay_reject = yes : It allows Postfix to log recipient address information when rejecting a client name/address or sender address, so that it is possible to find out whose mail is being rejected.
=> smtpd_helo_requi
red = yes : Require that a remote SMTP client introduces itself at the beginning of an SMTP session with the HELO or EHLO command. Many spam bot ignores HELO/EHLO command and you save yourself from spam. Following lines further restrictions on HELO command:
smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_hostname, Reject email if remote hostname is not in fully-qualified domain form. Usually bots sending email don't have FQDN names.
reject_invalid_hostname, Reject all bots sending email from computers connected via DSL/ADSL computers. They don't have valid internet hostname.
permit
You can put the following access restrictions that the Postfix SMTP server applies in the context of the RCPT TO command.
=> smtpd_recipient_restrictions =
reject_invalid_hostname, - Reject email if it not valid hostname
reject_non_fqdn_hostname, - Reject email if it not valid FQDN
reject_non_fqdn_sender, - Reject the request when the MAIL FROM address is not in fully-qualified domain form. For example email send from xyz or abc is rejected.
reject_non_fqdn_recipient, - Reject the request when the RCPT TO address is not in fully-qualified domain form
reject_unknown_sender_domain, - Reject email, if sender domain does not exists
reject_unknown_recipient_domain, Reject email, if recipient domain does not exists
permit_mynetworks,
reject_rbl_client list.dsbl.org, Configure spam black lists
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dul.dnsbl.sorbs.net,
permit
Open /etc/postfix/main.cf file :
# vi /etc/postfix/main.cf
Set/modify configuration as follows
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit
smtpd_recipient_restrictions =
permit_sasl_authenticated,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dul.dnsbl.sorbs.net,
permit
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
Also force (highlighted using red color) Postfix to limit incoming or receiving email rate to avoid spam.
Save and close the file. Restart postfix:
# /etc/init.d/postfix restart
Watch out maillog file. Now you should see lots of spam email blocked by above configuration directive:
# tail -f /var/log/maillog
Output:
Jan 9 06:07:22 server postfix/smtpd[10308]: NOQUEUE: reject: RCPT from 183-12-81.ip.adsl.hu[81.183.12.81]: 554 Service unavailable; Client host [81.183.12.81] blocked using dul.dnsbl.sorbs.net; Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?81.183.12.81; from=to= proto=ESMTP helo=<183-12-230.ip.adsl.hu> Jan 9 06:07:23 server postfix/smtpd[10308]: lost connection after RCPT from 183-12-81.ip.adsl.hu[81.183.12.81] Jan 9 06:07:23 server postfix/smtpd[10308]: disconnect from 183-12-81.ip.adsl.hu[81.183.12.81] Jan 9 06:10:43 server postfix/anvil[10310]: statistics: max connection rate 1/60s for (smtp:81.183.12.81) at Jan 9 06:07:17 Jan 9 06:10:43 server postfix/anvil[10310]: statistics: max connection count 1 for (smtp:81.183.12.81) at Jan 9 06:07:17 Jan 9 06:10:43 server postfix/anvil[10310]: statistics: max cache size 1 at Jan 9 06:07:17 Jan 9 06:16:58 server postfix/smtpd[10358]: warning: 81.92.197.249: address not listed for hostname unassigned.or.unconfigured.reverse.nfsi-telecom.net Jan 9 06:16:58 server postfix/smtpd[10358]: connect from unknown[81.92.197.249] Jan 9 06:17:00 server postfix/smtpd[10358]: NOQUEUE: reject: RCPT from unknown[81.92.197.249]: 550 : Recipient address rejected: User unknown in virtual alias table; from=<> to= proto=ESMTP helo= Jan 9 06:17:00 server postfix/smtpd[10358]: disconnect from unknown[81.92.197.249]
Next time I will write about simple procmail and spamassassin combination to filter out spam :)
- Email this to a friend
- Printable version
- Rss Feed
- Last Updated: Jul/4/2007

{ 7 comments… read them below or add one }
Hi,
thank you for the HOWTO – I added the described rules into my config … I will see, what happens :-)
Thomas
Using your rules. Thanks so much. Let’s see what happens.
Thanks for the great writeup!
One note,without the addition of
reject_unauth_destination to smtpd_recipient_restrictions,
I got an error.
postfix/smtpd[6726]: fatal: parameter “smtpd_recipient_restrictions”: specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit
Thank you!. With this howto I’m locking spam in 5 minutes
I’m having issues with:
smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit
not allowing me to send mails — I get a sys admin return saying invalid fqdn as follows:
Your message did not reach some or all of the intended recipients.
Subject: Testing 123
Sent: 27/01/2009 00:39
The following recipient(s) could not be reached:
************ on 27/01/2009 00:39
504 5.5.2 : Helo command rejected: need fully-qualified hostname
Any ideas as I really need to stop SPAM asap
Thanks for the informative and easy to understand/ follow tip.
Hopefully this will stop unauthorised people using my new mail server!
B SengUK,
Did you sort that out?
Seemed the recipients domain name’s was not in full.
What was the email address you were sending to?