
Postfix configure anti spam with blacklist

Postfix is a free and powerful MTA. You can easily configure Postfix to block spam by adding the
following directives to the /etc/postfix/main.cf file:

=> disable_vrfy_command = yes : Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.

=> smtpd_delay_reject = yes : It allows Postfix to log recipient address information when rejecting a client name/address or sender address, so that it is possible to find out whose mail is being rejected.

=> smtpd_helo_required = yes : Require that a remote SMTP client introduces itself at the beginning of an SMTP session with the HELO or EHLO command. Many spam bots ignore the HELO/EHLO command, so this alone saves you from some spam. The following lines place further restrictions on the HELO command:
smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_hostname, - Reject email if the remote hostname is not in fully-qualified domain form. Usually bots sending email don't have FQDN names.
reject_invalid_hostname, - Reject bots sending email from computers connected via DSL/ADSL. They don't have a valid Internet hostname.
permit

You can set the following access restrictions, which the Postfix SMTP server applies in the context of the RCPT TO command.
=> smtpd_recipient_restrictions =
reject_invalid_hostname, - Reject email if the hostname is not valid
reject_non_fqdn_hostname, - Reject email if the hostname is not a valid FQDN
reject_non_fqdn_sender, - Reject the request when the MAIL FROM address is not in fully-qualified domain form. For example, email sent from xyz or abc is rejected.
reject_non_fqdn_recipient, - Reject the request when the RCPT TO address is not in fully-qualified domain form
reject_unknown_sender_domain, - Reject email if the sender domain does not exist
reject_unknown_recipient_domain, - Reject email if the recipient domain does not exist
permit_mynetworks,
reject_rbl_client list.dsbl.org, - Configure spam blacklists
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dul.dnsbl.sorbs.net,
permit

Open the /etc/postfix/main.cf file:
# vi /etc/postfix/main.cf
Set/modify the configuration as follows:

disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
     reject_non_fqdn_hostname,
     reject_invalid_hostname,
     permit
smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   permit_mynetworks,
   reject_unauth_destination,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client sbl.spamhaus.org,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client dul.dnsbl.sorbs.net,
   permit
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

The smtpd_error_sleep_time, smtpd_soft_error_limit and smtpd_hard_error_limit directives at the end also force Postfix to limit the incoming email rate to avoid spam.

Save and close the file. Restart postfix:
# /etc/init.d/postfix restart

Watch the maillog file. You should now see lots of spam email blocked by the above configuration directives:
# tail -f /var/log/maillog
Output:

Jan  9 06:07:22 server postfix/smtpd[10308]: NOQUEUE: reject: RCPT from 183-12-81.ip.adsl.hu[81.183.12.81]: 554 Service unavailable; Client host [81.183.12.81] blocked using dul.dnsbl.sorbs.net; Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?81.183.12.81; from= to= proto=ESMTP helo=<183-12-230.ip.adsl.hu>
Jan  9 06:07:23 server postfix/smtpd[10308]: lost connection after RCPT from 183-12-81.ip.adsl.hu[81.183.12.81]
Jan  9 06:07:23 server postfix/smtpd[10308]: disconnect from 183-12-81.ip.adsl.hu[81.183.12.81]
Jan  9 06:10:43 server postfix/anvil[10310]: statistics: max connection rate 1/60s for (smtp:81.183.12.81) at Jan  9 06:07:17
Jan  9 06:10:43 server postfix/anvil[10310]: statistics: max connection count 1 for (smtp:81.183.12.81) at Jan  9 06:07:17
Jan  9 06:10:43 server postfix/anvil[10310]: statistics: max cache size 1 at Jan  9 06:07:17
Jan  9 06:16:58 server postfix/smtpd[10358]: warning: 81.92.197.249: address not listed for hostname unassigned.or.unconfigured.reverse.nfsi-telecom.net
Jan  9 06:16:58 server postfix/smtpd[10358]: connect from unknown[81.92.197.249]
Jan  9 06:17:00 server postfix/smtpd[10358]: NOQUEUE: reject: RCPT from unknown[81.92.197.249]: 550 : Recipient address rejected: User unknown in virtual alias table; from=<> to= proto=ESMTP helo=
Jan  9 06:17:00 server postfix/smtpd[10358]: disconnect from unknown[81.92.197.249]
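
To see which restriction or blacklist is doing the rejecting, and to spot rejections of your own users, the reject lines can be tallied. This is an added example, not part of the original article; the sample log lines are constructed in the format shown above, using documentation addresses and example.* domains.

```python
import re
from collections import Counter

# One smtpd reject line: "... NOQUEUE: reject: RCPT from host[ip]: 554 text"
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[0-9A-Fa-f.:]+)\]: (?P<code>\d{3}) (?P<text>.*)")
DNSBL_RE = re.compile(r"blocked using (?P<zone>[\w.-]+)")

# Phrases Postfix puts in the reply text, mapped to a short label.
REASONS = [("Helo command rejected", "helo"),
           ("Sender address rejected", "sender"),
           ("Recipient address rejected", "recipient"),
           ("Relay access denied", "relay")]

def classify(text):
    """Label a reject reply: the DNSBL zone if one matched, else the check."""
    m = DNSBL_RE.search(text)
    if m:
        return "dnsbl:" + m.group("zone")
    for needle, label in REASONS:
        if needle in text:
            return label
    return "other"

def summarize(lines):
    """Count rejects per reason and per client IP."""
    by_reason, by_client = Counter(), Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if m is None:
            continue  # connect, disconnect and anvil lines carry no verdict
        by_reason[classify(m.group("text"))] += 1
        by_client[m.group("ip")] += 1
    return by_reason, by_client

# Constructed sample input (not taken from a real server).
SAMPLE_LOG = """\
Jan  9 06:07:22 server postfix/smtpd[10308]: NOQUEUE: reject: RCPT from host1.example.net[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using dul.dnsbl.sorbs.net; from=<a@example.org> to=<b@example.com> proto=ESMTP helo=<host1.example.net>
Jan  9 06:07:23 server postfix/smtpd[10308]: disconnect from host1.example.net[192.0.2.10]
Jan  9 06:09:01 server postfix/smtpd[10311]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <pc01>: Helo command rejected: need fully-qualified hostname; from=<x@example.org> to=<b@example.com> proto=SMTP helo=<pc01>
Jan  9 06:09:40 server postfix/smtpd[10312]: NOQUEUE: reject: RCPT from host1.example.net[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using sbl.spamhaus.org; from=<a@example.org> to=<c@example.com> proto=ESMTP helo=<host1.example.net>
Jan  9 06:17:00 server postfix/smtpd[10358]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 <nobody@example.com>: Recipient address rejected: User unknown in virtual alias table; from=<> to=<nobody@example.com> proto=ESMTP helo=<mx.example.net>
""".splitlines()

if __name__ == "__main__":
    reasons, clients = summarize(SAMPLE_LOG)
    for reason, count in reasons.most_common():
        print(f"{count:4d}  {reason}")
```

A rising "helo" count for addresses that belong to your own users is the sign that a HELO restriction is rejecting legitimate clients rather than bots.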

Next time I will write about simple procmail and spamassassin combination to filter out spam :)


{ 16 comments… add one }

  • Thomas February 10, 2008, 11:09 am

    Hi,

    thank you for the HOWTO – I added the described rules into my config … I will see, what happens :-)

    Thomas

  • Aaron February 21, 2008, 10:39 pm

    Using your rules. Thanks so much. Let’s see what happens.

  • Lee March 14, 2008, 6:57 am

    Thanks for the great writeup!

    One note, without the addition of
    reject_unauth_destination to smtpd_recipient_restrictions,

    I got an error.
    postfix/smtpd[6726]: fatal: parameter “smtpd_recipient_restrictions”: specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit

  • Raul November 12, 2008, 9:01 pm

    Thank you! With this howto I’m locking spam in 5 minutes

  • B SengUK January 27, 2009, 12:51 am

    I’m having issues with:

    smtpd_helo_restrictions = permit_mynetworks,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    permit

    not allowing me to send mails — I get a sys admin return saying invalid fqdn as follows:

    Your message did not reach some or all of the intended recipients.

    Subject: Testing 123
    Sent: 27/01/2009 00:39

    The following recipient(s) could not be reached:

    ************ on 27/01/2009 00:39
    504 5.5.2 : Helo command rejected: need fully-qualified hostname

    Any ideas as I really need to stop SPAM asap

    • Asghar Durrani August 19, 2015, 7:34 pm

      I am having the same issue, did you resolve your issue?

  • Matt Lunn January 27, 2009, 8:07 pm

    Thanks for the informative and easy to understand/ follow tip.

    Hopefully this will stop unauthorised people using my new mail server!

  • DaveQB April 1, 2009, 1:13 pm

    B SengUK,
    Did you sort that out?
    Seemed the recipient’s domain name was not in full.
    What was the email address you were sending to?

  • B SengUK July 10, 2009, 6:14 pm

    I never sorted this out fully, although I have got spam assassin working which identifies masses of mails coming through the server.

    The issue I think is with the authentication and reject_invalid_hostname combination. My mail is sent from my Outlook (and those other users of the server) through a cable connection. Although this theoretically should be OK I can only get mail to send without this command in place – and from what I found out this is the one that will make the most difference :(

    Currently I have the following set in main.cf

    # Following entries REQUIRED by Matrix control panel
    virtual_maps = hash:/etc/postfix/virtual
    transport_maps = hash:/etc/postfix/transport
    virtual_mailbox_domains = $transport_maps
    local_destination_concurrency_limit = 1
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    relay_domains = $mydestination
    smtpd_recipient_restrictions = reject_invalid_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain reject_unknown_recipient_domain permit_sasl_authenticated permit_mynetworks reject_unauth_destination reject_unknown_reverse_client_hostname
    smtpd_sasl_auth_enable = yes

    ### Checks to remove badly formed email
    smtpd_helo_required = yes
    strict_rfc821_envelopes = yes
    disable_vrfy_command = yes
    unknown_address_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_client_reject_code = 554

    smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit

    check_client_access = reject_rbl_client cbl.abuseat.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rhsbl_sender dsn.rfc-ignorant.org, permit
    maximal_queue_lifetime = 3d

    Any advice would be really appreciated .. many thanks in advance.

  • bbgunz August 11, 2009, 2:10 am

    Old bump but I had this problem too

    to fix this:

    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

  • B SengUK August 12, 2009, 9:52 pm

    Already have all that in and more ….

    smtpd_recipient_restrictions = reject_invalid_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain reject_unknown_recipient_domain permit_sasl_authenticated permit_mynetworks reject_unauth_destination reject_unknown_reverse_client_hostname

  • kaCza March 21, 2010, 2:41 am

    You forgot commas.

  • ddr-2kpp February 24, 2011, 4:53 pm

    great description, did use it at all, but extend it with
    my policyd-config:

    check_client_access hash:/etc/postfix/pop-before-smtp, reject_unauth_destination, check_policy_service inet:127.0.0.1:10031

  • Vin Laurens June 17, 2014, 10:55 pm

    I know this is old, but for anyone experiencing the same issue as B SengUK; the issue is in the order of the helo restrictions. The order is very important. You should permit_sasl_authenticated first before doing any of the reject lines. Like so:

    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, etc..

    This way SASL authenticated users will be able to send mail from Outlook, even with non-fqdn hostnames.
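
The ordering effects discussed in this thread (the 504 HELO rejection of an authenticated Outlook client, and the missing reject_unauth_destination that Lee reports) can be traced with a small model of first-match evaluation. This is an added example, not Postfix code and not from the article or any commenter; the session fields, list names and the "no dot" FQDN test are assumptions made for illustration.

```python
# Simplified model of Postfix restriction-list evaluation (added example).
# Only the restrictions named below are modelled; any other entry (DNSBL
# lookups, DNS checks) is skipped as if it returned no decision.

def evaluate(restrictions, session):
    """Walk one list left to right; the first decisive result wins."""
    for r in restrictions:
        if r == "permit":
            return "PERMIT"
        if r == "permit_mynetworks" and session["in_mynetworks"]:
            return "PERMIT"
        if r == "permit_sasl_authenticated" and session["sasl_authenticated"]:
            return "PERMIT"
        # Simplification: "no dot" stands in for "not fully qualified".
        if r == "reject_non_fqdn_hostname" and "." not in session["helo"]:
            return "REJECT 504 need fully-qualified hostname"
        if r == "reject_unauth_destination" and not session["rcpt_is_local"]:
            return "REJECT 554 Relay access denied"
    return "DUNNO"

def smtpd_decision(helo_list, rcpt_list, session):
    """A REJECT in either list is final; a PERMIT only ends its own list."""
    for restrictions in (helo_list, rcpt_list):
        result = evaluate(restrictions, session)
        if result.startswith("REJECT"):
            return result
    return "ACCEPT"

# HELO list from the article, then with permit_sasl_authenticated moved up.
HELO_ARTICLE = ["permit_mynetworks", "reject_non_fqdn_hostname",
                "reject_invalid_hostname", "permit"]
HELO_SASL_FIRST = ["permit_mynetworks", "permit_sasl_authenticated",
                   "reject_non_fqdn_hostname", "reject_invalid_hostname", "permit"]
# Abbreviated recipient lists: ending in "permit" with and without a relay check.
RCPT_NO_RELAY_CHECK = ["permit_sasl_authenticated", "reject_non_fqdn_sender",
                       "permit_mynetworks", "reject_rbl_client sbl.spamhaus.org",
                       "permit"]
RCPT_WITH_RELAY_CHECK = (RCPT_NO_RELAY_CHECK[:3] + ["reject_unauth_destination"]
                         + RCPT_NO_RELAY_CHECK[3:])

# Constructed sessions: an authenticated desktop client, and an unknown host
# addressing mail to a domain this server is not responsible for.
OUTLOOK = {"helo": "laptop", "in_mynetworks": False,
           "sasl_authenticated": True, "rcpt_is_local": False}
STRANGER = {"helo": "mail.example.net", "in_mynetworks": False,
            "sasl_authenticated": False, "rcpt_is_local": False}

if __name__ == "__main__":
    print(smtpd_decision(HELO_ARTICLE, RCPT_WITH_RELAY_CHECK, OUTLOOK))
    print(smtpd_decision(HELO_SASL_FIRST, RCPT_WITH_RELAY_CHECK, OUTLOOK))
```

In the model, a recipient list that ends in permit without a relay check accepts the stranger's session, which is the condition the fatal error quoted earlier in the comments guards against.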

  • Zelretch S March 4, 2015, 7:46 am

    I’ve been following the anti spam postfix filtering.
    But one day after I set it, tomorrow the configuration disappears.
    Please help me with this issue

  • Asghar Durrani August 19, 2015, 7:00 pm

    I have implemented Postfix configure anti spam with blacklist in my Zimbra server. According to my need everything is working fine, but I have an issue. We are also using our local app servers, and from those servers we are sending email using the same Zimbra server where we have implemented these rules.

    As per my understanding my emails are getting rejected from the server because of “reject_non_fqdn_hostname”. Is it possible to allow our own network on the server so our internal servers can communicate email with the email server?

    I hope you understand my point, if you need more clarification please feel free to ask.
