Postfix configure anti spam with blacklist

on January 9, 2007 · 12 comments · LAST UPDATED July 4, 2007

Postfix is a free and powerful MTA. You can easily configure Postfix to block spam by adding the
following directives to the /etc/postfix/main.cf file:

=> disable_vrfy_command = yes : Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.

=> smtpd_delay_reject = yes : It allows Postfix to log recipient address information when rejecting a client name/address or sender address, so that it is possible to find out whose mail is being rejected.

=> smtpd_helo_required = yes : Require that a remote SMTP client introduces itself at the beginning of an SMTP session with the HELO or EHLO command. Many spam bots skip the HELO/EHLO command, so this alone saves you from some spam. The following lines place further restrictions on the HELO command:
smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_hostname, - Reject email if the remote hostname is not in fully-qualified domain form. Bots sending email usually don't have FQDN names.
reject_invalid_hostname, - Reject the request when the HELO/EHLO hostname is not syntactically valid. This rejects bots sending email from computers connected via DSL/ADSL; they don't have a valid internet hostname.
permit

You can also set the following access restrictions, which the Postfix SMTP server applies in the context of the RCPT TO command.
=> smtpd_recipient_restrictions =
reject_invalid_hostname, - Reject email if the hostname is not valid
reject_non_fqdn_hostname, - Reject email if the hostname is not a valid FQDN
reject_non_fqdn_sender, - Reject the request when the MAIL FROM address is not in fully-qualified domain form. For example, email sent from xyz or abc is rejected.
reject_non_fqdn_recipient, - Reject the request when the RCPT TO address is not in fully-qualified domain form
reject_unknown_sender_domain, - Reject email if the sender domain does not exist
reject_unknown_recipient_domain, - Reject email if the recipient domain does not exist
permit_mynetworks,
reject_rbl_client list.dsbl.org, - Reject clients listed in the following spam blacklists
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dul.dnsbl.sorbs.net,
permit
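
How a reject_rbl_client lookup works, as an added example (not code from the original post): the client's IPv4 octets are reversed and looked up under the list's zone, and plain reject_rbl_client treats any A record in the answer as a listing. The resolver table and the dead.example zone are constructed so the sketch runs offline; Spamhaus documents 127.255.255.x answers as error codes rather than listings.

```python
import ipaddress
import socket

ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")  # DNSBL error codes, not listings
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")      # normal DNSBL answers

def dnsbl_query_name(client_ip, zone):
    """Name looked up for an IPv4 client: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(client_ip, zone, resolve=socket.gethostbyname):
    """Return 'not-listed', 'listed', 'zone-error' or 'bogus-answer'."""
    try:
        answer = ipaddress.IPv4Address(resolve(dnsbl_query_name(client_ip, zone)))
    except socket.gaierror:
        return "not-listed"      # no A record: the client is not on the list
    if answer in ERROR_NET:
        return "zone-error"      # the zone is answering with an error code
    if answer in LISTED_NET:
        return "listed"
    return "bogus-answer"        # parked or wildcarded zone answering for everything

# Constructed answers for an offline demo; fake_resolve is a stand-in for
# real DNS and "dead.example" is a hypothetical wildcarded zone.
FAKE_DNS = {
    "81.12.183.81.dul.dnsbl.sorbs.net": "127.0.0.10",
    "81.12.183.81.sbl.spamhaus.org": "127.255.255.254",
}

def fake_resolve(name):
    if name.endswith(".dead.example"):
        return "203.0.113.5"     # answers for every name
    if name in FAKE_DNS:
        return FAKE_DNS[name]
    raise socket.gaierror("NXDOMAIN (constructed)")

if __name__ == "__main__":
    for zone in ("dul.dnsbl.sorbs.net", "sbl.spamhaus.org",
                 "cbl.abuseat.org", "dead.example"):
        print(zone, classify("81.183.12.81", zone, fake_resolve))
```

A zone that comes back as zone-error or bogus-answer would still count as a listing for plain reject_rbl_client, so it is worth checking each list from the mail server's own resolver before adding it to main.cf.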

Open the /etc/postfix/main.cf file:
# vi /etc/postfix/main.cf
Set/modify the configuration as follows:

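# Stop address harvesting via VRFY; delay rejects until RCPT TO so the log shows the recipient
disable_vrfy_command = yes
smtpd_delay_reject = yes
# Require HELO/EHLO and check the hostname the client announces
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
     reject_non_fqdn_hostname,
     reject_invalid_hostname,
     permit
# RCPT TO checks. reject_unauth_destination keeps the server from relaying for
# strangers; without a rule like it, smtpd aborts with the fatal error quoted in the comments below
smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   permit_mynetworks,
   reject_unauth_destination,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client sbl.spamhaus.org,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client dul.dnsbl.sorbs.net,
   permit
# Slow down, then disconnect, clients that keep making errors
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20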

The last three directives (smtpd_error_sleep_time, smtpd_soft_error_limit and smtpd_hard_error_limit) also force Postfix to limit the incoming email rate to avoid spam.

Save and close the file. Restart Postfix:
# /etc/init.d/postfix restart
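
A pre-restart check for two problems of the kind readers report in the comments below, as an added example (not part of the original post): a recipient list with no reject_unauth_destination or equivalent, and HELO hostname checks that run before permit_sasl_authenticated, which rejects authenticated mail clients that announce a short machine name. The sample main.cf is constructed, and the check assumes users authenticate with SASL on the same smtpd and a Postfix that reads relay protection from smtpd_recipient_restrictions.

```python
import re

# Constructed sample in the style of the main.cf above, both problems left in on purpose.
SAMPLE_MAIN_CF = """\
smtpd_helo_restrictions = permit_mynetworks,
     reject_non_fqdn_hostname,
     reject_invalid_hostname,
     permit
# RCPT TO checks
smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   reject_non_fqdn_sender,
   permit_mynetworks,
   reject_rbl_client sbl.spamhaus.org,
   permit
"""

# Names taken from the fatal error message quoted in the comments.
RELAY_GUARDS = {"check_relay_domains", "reject_unauth_destination", "reject", "defer", "defer_if_permit"}
HELO_NAME_CHECKS = {"reject_non_fqdn_hostname", "reject_invalid_hostname"}

def parse_main_cf(text):
    """Return {parameter: [tokens]}; an indented line continues the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += re.split(r"[,\s]+", line.strip())
        else:
            name, _, value = (s.strip() for s in line.partition("="))
            params[name] = re.split(r"[,\s]+", value)
    return {k: [t for t in v if t] for k, v in params.items()}

def lint(text):
    params = parse_main_cf(text)
    rcpt = params.get("smtpd_recipient_restrictions", [])
    helo = params.get("smtpd_helo_restrictions", [])
    findings = []
    if not RELAY_GUARDS & set(rcpt):
        findings.append("smtpd_recipient_restrictions: no reject_unauth_destination or equivalent")
    checks = [helo.index(c) for c in HELO_NAME_CHECKS if c in helo]
    if ("permit_sasl_authenticated" in rcpt and checks
            and "permit_sasl_authenticated" not in helo[:min(checks)]):
        findings.append("smtpd_helo_restrictions: HELO checks run before permit_sasl_authenticated")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_MAIN_CF)))
```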

Watch the maillog file. You should now see lots of spam email blocked by the above configuration directives:
# tail -f /var/log/maillog
Output:

Jan  9 06:07:22 server postfix/smtpd[10308]: NOQUEUE: reject: RCPT from 183-12-81.ip.adsl.hu[81.183.12.81]: 554 Service unavailable; Client host [81.183.12.81] blocked using dul.dnsbl.sorbs.net; Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?81.183.12.81; from= to= proto=ESMTP helo=<183-12-230.ip.adsl.hu>
Jan  9 06:07:23 server postfix/smtpd[10308]: lost connection after RCPT from 183-12-81.ip.adsl.hu[81.183.12.81]
Jan  9 06:07:23 server postfix/smtpd[10308]: disconnect from 183-12-81.ip.adsl.hu[81.183.12.81]
Jan  9 06:10:43 server postfix/anvil[10310]: statistics: max connection rate 1/60s for (smtp:81.183.12.81) at Jan  9 06:07:17
Jan  9 06:10:43 server postfix/anvil[10310]: statistics: max connection count 1 for (smtp:81.183.12.81) at Jan  9 06:07:17
Jan  9 06:10:43 server postfix/anvil[10310]: statistics: max cache size 1 at Jan  9 06:07:17
Jan  9 06:16:58 server postfix/smtpd[10358]: warning: 81.92.197.249: address not listed for hostname unassigned.or.unconfigured.reverse.nfsi-telecom.net
Jan  9 06:16:58 server postfix/smtpd[10358]: connect from unknown[81.92.197.249]
Jan  9 06:17:00 server postfix/smtpd[10358]: NOQUEUE: reject: RCPT from unknown[81.92.197.249]: 550 : Recipient address rejected: User unknown in virtual alias table; from=<> to= proto=ESMTP helo=
Jan  9 06:17:00 server postfix/smtpd[10358]: disconnect from unknown[81.92.197.249]
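
To see which restriction is doing the rejecting, the NOQUEUE lines can be tallied by reason and by client. This is an added example, not from the original post, and its sample lines are constructed in the format of the excerpt above.

```python
import re
from collections import Counter

# Constructed lines in the format of the maillog excerpt above; client
# addresses are from documentation ranges, mailboxes are placeholders.
SAMPLE_LOG = """\
Jan  9 06:07:22 server postfix/smtpd[10308]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using dul.dnsbl.sorbs.net; Dynamic IP Addresses; from=<a@example.net> to=<u@example.com> proto=ESMTP helo=<pc1>
Jan  9 06:07:23 server postfix/smtpd[10308]: disconnect from unknown[192.0.2.10]
Jan  9 06:09:01 server postfix/smtpd[10311]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 Service unavailable; Client host [198.51.100.7] blocked using dul.dnsbl.sorbs.net; Dynamic IP Addresses; from=<b@example.net> to=<u@example.com> proto=ESMTP helo=<pc2>
Jan  9 06:12:40 server postfix/smtpd[10320]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 504 5.5.2 <laptop>: Helo command rejected: need fully-qualified hostname; from=<u@example.com> to=<c@example.org> proto=ESMTP helo=<laptop>
Jan  9 06:17:00 server postfix/smtpd[10358]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <x@example.com>: Recipient address rejected: User unknown in virtual alias table; from=<> to=<x@example.com> proto=ESMTP helo=<pc1>
"""

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from "
    r"[^\[\s]+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<text>.*)")
RBL_RE = re.compile(r"blocked using (?P<zone>[\w.-]+)")
RULE_RE = re.compile(r"(?P<what>[A-Z][a-z]+(?: [a-z]+)* rejected): (?P<why>[^;]+)")

def parse_rejects(log_text):
    """Yield (client_ip, smtp_code, reason) for every NOQUEUE reject line."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue                      # connect/disconnect/anvil lines
        rbl, rule = RBL_RE.search(m["text"]), RULE_RE.search(m["text"])
        if rbl:
            reason = "rbl:" + rbl["zone"]
        elif rule:
            reason = rule["what"] + ": " + rule["why"].strip()
        else:
            reason = "other"
        yield m["ip"], m["code"], reason

def summarize(log_text):
    """Count rejects per reason and per client address."""
    by_reason, by_client = Counter(), Counter()
    for ip, _code, reason in parse_rejects(log_text):
        by_reason[reason] += 1
        by_client[ip] += 1
    return by_reason, by_client

if __name__ == "__main__":
    reasons, clients = summarize(SAMPLE_LOG)
    for reason, n in reasons.most_common():
        print(n, reason)
```

A Helo rejection for a sender in your own domain, as in the fourth sample line, is the pattern to look for when legitimate users say they cannot send mail.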

Next time I will write about a simple procmail and SpamAssassin combination to filter out spam :)

{ 12 comments… read them below or add one }

1 Thomas February 10, 2008 at 11:09 am

Hi,

thank you for the HOWTO – I added the described rules into my config … I will see, what happens :-)

Thomas

2 Aaron February 21, 2008 at 10:39 pm

Using your rules. Thanks so much. Let’s see what happens.

3 Lee March 14, 2008 at 6:57 am

Thanks for the great writeup!

One note, without the addition of
reject_unauth_destination to smtpd_recipient_restrictions,

I got an error.
postfix/smtpd[6726]: fatal: parameter “smtpd_recipient_restrictions”: specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit

4 Raul November 12, 2008 at 9:01 pm

Thank you! With this howto I’m locking spam in 5 minutes

5 B SengUK January 27, 2009 at 12:51 am

I’m having issues with:

smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit

not allowing me to send mails — I get a sys admin return saying invalid fqdn as follows:

Your message did not reach some or all of the intended recipients.

Subject: Testing 123
Sent: 27/01/2009 00:39

The following recipient(s) could not be reached:

************ on 27/01/2009 00:39
504 5.5.2 : Helo command rejected: need fully-qualified hostname

Any ideas as I really need to stop SPAM asap

6 Matt Lunn January 27, 2009 at 8:07 pm

Thanks for the informative and easy to understand/ follow tip.

Hopefully this will stop unauthorised people using my new mail server!

7 DaveQB April 1, 2009 at 1:13 pm

B SengUK,
Did you sort that out?
Seemed the recipient’s domain name was not in full.
What was the email address you were sending to?

8 B SengUK July 10, 2009 at 6:14 pm

I never sorted this out fully, although I have got spam assassin working which identifies masses of mails coming through the server.

The issue I think is with the authentication and reject_invalid_hostname combination. My mail is sent from my outlook (and those other users of the server) through a cable connection. Although this theoretically should be OK I can only get mail to send without this command in place – and from what I found out this is the one that will make the most difference :(

Currently I have the following set in main.cf

# Following entries REQUIRED by Matrix control panel
virtual_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport
virtual_mailbox_domains = $transport_maps
local_destination_concurrency_limit = 1
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
relay_domains = $mydestination
smtpd_recipient_restrictions = reject_invalid_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain reject_unknown_recipient_domain permit_sasl_authenticated permit_mynetworks reject_unauth_destination reject_unknown_reverse_client_hostname
smtpd_sasl_auth_enable = yes

### Checks to remove badly formed email
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554

smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit

check_client_access = reject_rbl_client cbl.abuseat.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rhsbl_sender dsn.rfc-ignorant.org, permit
maximal_queue_lifetime = 3d

Any advice would be really appreciated .. many thanks in advance.

9 bbgunz August 11, 2009 at 2:10 am

Old bump but I had this problem too

to fix this:

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

10 B SengUK August 12, 2009 at 9:52 pm

Already have all that in and more ….

smtpd_recipient_restrictions = reject_invalid_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain reject_unknown_recipient_domain permit_sasl_authenticated permit_mynetworks reject_unauth_destination reject_unknown_reverse_client_hostname

11 kaCza March 21, 2010 at 2:41 am

You forgot commas.

12 ddr-2kpp February 24, 2011 at 4:53 pm

great description, did use it at all, but extend it with
my policyd-config:

check_client_access hash:/etc/postfix/pop-before-smtp, reject_unauth_destination, check_policy_service inet:127.0.0.1:10031
