Spam protection with Postfix

[Virtual servers]
Date of publication: 14.06.2023

The Postfix configuration file lets you fine-tune the service itself and cut down the amount of spam without additional software. In this guide we will block mail from senders that have no PTR record, that present an incorrect greeting (HELO), or that are listed in DNSBLs.

1. Open the configuration file and comment out the existing relay-restrictions line:

nano /etc/postfix/main.cf

#smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

Let's add the following configuration:

nano /etc/postfix/main.cf

smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_pipelining permit

smtpd_helo_restrictions = permit

smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_sender reject_unknown_sender_domain permit

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_recipient reject_unauth_destination reject_unknown_recipient_domain reject_unverified_recipient reject_unknown_client_hostname reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname reject_rbl_client b.barracudacentral.org reject_rbl_client dnsbl.abuse.ch reject_rbl_client bl.spamcop.net reject_rbl_client dul.ru permit

smtpd_data_restrictions = permit

smtpd_end_of_data_restrictions = permit

To apply the settings, restart postfix:

systemctl restart postfix
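Before restarting it is worth checking the restriction lists for ordering mistakes, because Postfix evaluates each list left to right and stops at the first rule that decides. The script below is an added example written for this guide; it is not part of the article or of Postfix. It parses main.cf text, reports rules that can never run because an unconditional permit precedes them, and warns when neither smtpd_relay_restrictions nor smtpd_recipient_restrictions rejects unauthorised relaying before a permit. The ONE_ARG_RULES set and both sample configurations are constructed for the example.

```python
"""Lint Postfix smtpd_*_restrictions lists for ordering mistakes.

Added example for this guide, not part of the article or of Postfix: flags
rules that never run because an unconditional 'permit' precedes them, and
warns when no relay guard appears before 'permit' in the relay/recipient lists.
"""
import re

# Rules that take the next token as an argument (constructed set: the guide's rules plus common lookup rules).
ONE_ARG_RULES = {
    "reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_sender",
    "reject_rhsbl_helo", "reject_rhsbl_reverse_client", "check_policy_service",
    "check_client_access", "check_sender_access", "check_recipient_access", "check_helo_access",
}
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_main_cf(text):
    """Parse 'name = value' lines; skip '#' lines; join continuation lines."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:  # continuation line
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params


def parse_restrictions(value):
    """Split a list (whitespace and/or comma separated) into (rule, arg) pairs."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    rules, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if name in ONE_ARG_RULES and i + 1 < len(tokens):
            i, arg = i + 1, tokens[i + 1]  # the next token belongs to this rule
        rules.append((name, arg))
        i += 1
    return rules


def unreachable_rules(rules):
    """Rules listed after an unconditional 'permit' never execute."""
    for idx, (name, _) in enumerate(rules):
        if name == "permit":
            return rules[idx + 1:]
    return []


def guards_relay(rules):
    """True if a relay guard appears before any unconditional 'permit'."""
    for name, _ in rules:
        if name in RELAY_GUARDS:
            return True
        if name == "permit":
            return False
    return False


def lint(text):
    """Return a list of findings for a main.cf text (empty = nothing found)."""
    params = parse_main_cf(text)
    findings = []
    for param, value in params.items():
        if param.startswith("smtpd_") and param.endswith("_restrictions"):
            dead = unreachable_rules(parse_restrictions(value))
            if dead:
                names = ", ".join(n for n, _ in dead)
                findings.append(f"{param}: rules after 'permit' never run: {names}")
    relay_ok = any(
        guards_relay(parse_restrictions(params.get(p, "")))
        for p in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")
    )
    if not relay_ok:
        findings.append("no reject/defer_unauth_destination before 'permit' in "
                        "relay or recipient restrictions: open relay risk")
    return findings


# Constructed sample: the guide's settings, including the commented-out relay
# line from step 1 and one continuation line to exercise the parser.
SAMPLE_CF = """\
#smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_pipelining permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_recipient
    reject_unauth_destination reject_rbl_client b.barracudacentral.org permit
"""

# Constructed broken variant: 'permit' placed before the relay guard.
BROKEN_CF = """\
smtpd_relay_restrictions = permit_mynetworks permit
smtpd_recipient_restrictions = permit reject_unauth_destination reject_rbl_client bl.spamcop.net
"""
```

Running lint(SAMPLE_CF) returns an empty list for the guide's settings; lint(BROKEN_CF) reports both the dead rules behind the early permit and the missing relay guard. On a live server, feed it the output of postconf -n so that the default values and main.cf overrides are seen together.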

By adding or removing rules we control how strict the checks on the sender are: for example, most popular mail services still accept mail with an incorrect server greeting and without a PTR record matching the MX. The settings are described below:

  • permit_mynetworks — permits all clients whose addresses are listed in the mynetworks setting.
  • permit_sasl_authenticated — permits requests from all successfully authenticated clients.
  • reject_unauth_pipelining — rejects clients that send commands ahead of time instead of waiting for the server's replies (skipping the correct SMTP session sequence).
  • reject_non_fqdn_sender — rejects the request if the sender address is not in valid fully qualified form.
  • reject_unknown_sender_domain — rejects the request if Postfix is not the final destination for the sender address and the MAIL FROM domain has neither a DNS MX record nor a DNS A record.
  • reject_non_fqdn_recipient — rejects the request if the recipient address is not in valid fully qualified form.
  • reject_unauth_destination — rejects mail for destinations this server is not responsible for unless the client is otherwise authorised (prevents use as an open relay).
  • reject_unknown_recipient_domain — rejects the request if the recipient's domain has neither an MX nor an A record in DNS.
  • reject_unverified_recipient — rejects the request if mail to the RCPT TO address is known to be rejected or the recipient address is known to be unreachable.
  • reject_unknown_client_hostname — checks that the client IP has a PTR record and that the name it points to has a working A record resolving back to that IP.
  • reject_invalid_helo_hostname — checks the syntax of the HELO/EHLO hostname.
  • reject_non_fqdn_helo_hostname — requires a valid FQDN in the HELO/EHLO greeting.
  • reject_unknown_helo_hostname — rejects HELO/EHLO names that have neither an A nor an MX record.
  • reject_rbl_client — checks whether the client is listed in the specified DNS blacklist.
  • permit — allows the request. It stands at the end of each block: if a message is not caught by any reject rule before it, we deliver it.
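To make the two DNS-based checks in the list concrete, here is an added example written for this guide (it is not from the article or from Postfix) that replays the decision logic of reject_unknown_client_hostname and reject_rbl_client on top of a constructed in-memory resolver, so it runs offline. Postfix itself queries real DNS; the IP addresses, hostnames and the dnsbl.example zone in FAKE_DNS are invented for the example.

```python
"""How reject_unknown_client_hostname and reject_rbl_client decide.

Added example for this guide, not Postfix source: both checks are replayed
on a constructed in-memory resolver so the code runs offline. Postfix itself
queries real DNS; the addresses, names and the dnsbl.example zone are invented.
"""
import ipaddress

# Constructed zone data: PTR and A records for three clients plus one DNSBL
# zone (a 127.0.0.x answer means "listed", as real DNSBLs do).
FAKE_DNS = {
    "PTR": {
        "198.51.100.10": ["mail.example.org."],
        "198.51.100.20": ["relay.example.net."],
        "203.0.113.7": ["dyn-7.isp.example."],
    },
    "A": {
        "mail.example.org.": ["198.51.100.10"],
        "relay.example.net.": ["198.51.100.20"],
        "dyn-7.isp.example.": ["192.0.2.99"],            # forward does not match
        "20.100.51.198.dnsbl.example.": ["127.0.0.2"],  # 198.51.100.20 is listed
        "7.113.0.203.dnsbl.example.": ["127.0.0.2"],    # 203.0.113.7 is listed
    },
}


def resolve(rrtype, name, dns=FAKE_DNS):
    """Return the records for (rrtype, name); [] stands for NXDOMAIN."""
    return dns[rrtype].get(name, [])


def client_hostname_status(ip, dns=FAKE_DNS):
    """Replay the reject_unknown_client_hostname test.

    'unknown'  - no PTR record, or the PTR name(s) have no A record
    'mismatch' - a name exists but none of its A records points back to ip
    'ok'       - forward-confirmed reverse DNS (FCrDNS)
    """
    names = resolve("PTR", ip, dns)
    if not names:
        return "unknown"
    forward = [addr for n in names for addr in resolve("A", n, dns)]
    if not forward:
        return "unknown"
    return "ok" if ip in forward else "mismatch"


def rbl_query_name(ip, zone):
    """DNSBL query name: the client's octets reversed, under the list's zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."


def is_rbl_listed(ip, zone, dns=FAKE_DNS):
    """reject_rbl_client fires when the zone returns any A record for the name."""
    return bool(resolve("A", rbl_query_name(ip, zone), dns))


def decide(ip, rbl_zones, dns=FAKE_DNS):
    """Apply the two checks in the order the guide's recipient list uses."""
    if client_hostname_status(ip, dns) != "ok":
        return "reject: reject_unknown_client_hostname"
    for zone in rbl_zones:
        if is_rbl_listed(ip, zone, dns):
            return f"reject: reject_rbl_client {zone}"
    return "permit"


if __name__ == "__main__":
    for client in ("198.51.100.10", "198.51.100.20", "203.0.113.7", "192.0.2.1"):
        print(client, "->", decide(client, ["dnsbl.example"]))
```

The four constructed clients cover the cases that matter operationally: a client with matching forward and reverse DNS is permitted, one that passes that check but sits in the DNSBL is rejected by reject_rbl_client, and clients whose PTR is missing or does not resolve back to their IP are rejected by reject_unknown_client_hostname before any list is consulted. The last case is the one the paragraph above warns about: legitimate senders with broken reverse DNS are rejected too, which is why some operators drop that rule.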



