The Postfix configuration file lets you fine-tune the service and reduce the amount of spam at the level of the mail service itself, on your own. In this guide, we will block mail from senders without a PTR record, with an incorrect HELO greeting, and from addresses on DNSBL lists.
1. Open the configuration file and comment out the existing smtpd_relay_restrictions line:
nano /etc/postfix/main.cf
#smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
In the same file, add the following configuration:
smtpd_client_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_pipelining
    permit
smtpd_helo_restrictions =
    permit
smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    permit
smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    defer_unauth_destination
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_non_fqdn_recipient
    reject_unauth_destination
    reject_unknown_recipient_domain
    reject_unverified_recipient
    reject_unknown_client_hostname
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    reject_rbl_client b.barracudacentral.org
    reject_rbl_client dnsbl.abuse.ch
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dul.ru
    permit
smtpd_data_restrictions =
    permit
smtpd_end_of_data_restrictions =
    permit
To apply the settings, restart Postfix:
systemctl restart postfix
By removing or adding rules, we can adjust how strict the server is toward senders. For example, popular mail services for the most part accept mail with an incorrect server greeting and without the PTR record matching the MX. Below is a description of the settings:
- permit_mynetworks — permits requests from all addresses listed in the mynetworks setting.
- permit_sasl_authenticated - permits requests from all successfully authenticated clients.
- reject_unauth_pipelining — rejects the request when the client sends SMTP commands ahead of time, without waiting for the server's replies (skipping the correct SMTP session sequence).
- reject_non_fqdn_sender — rejects the request if the domain in the sender address is not a fully qualified domain name.
- reject_unknown_sender_domain — rejects the request if Postfix is not the final destination for the sender address and the MAIL FROM domain has neither a DNS MX record nor a DNS A record.
- reject_non_fqdn_recipient — rejects the request if the domain in the recipient address is not a fully qualified domain name.
- reject_unauth_destination — rejects mail for destinations this server is not authorized to handle, that is, recipient domains it neither relays for nor is the final destination for.
- reject_unknown_recipient_domain — rejects the request if the recipient's domain has neither an MX nor an A record in DNS.
- reject_unverified_recipient — rejects the request if mail to the RCPT TO address is known to bounce, or when the recipient's address is not reachable.
- reject_unknown_client_hostname — checks that the sender has a PTR record and that the name in the PTR has a working A record pointing back to the sender's address.
- reject_invalid_helo_hostname — checks the syntax of the HELO greeting.
- reject_non_fqdn_helo_hostname — requires a valid FQDN in the HELO greeting.
- reject_unknown_helo_hostname — rejects HELO names that have neither an A record nor an MX record.
- reject_rbl_client — rejects the client if its IP address is listed in the specified DNSBL.
- permit - allows the request. It is present at the end of each block (if the message does not match any of the rejection rules, we deliver it).
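To see why a particular client would be turned away by reject_unknown_client_hostname or reject_rbl_client, the lookups those two rules rely on can be reproduced by hand. The following Python sketch is an added example, not part of the original guide and not Postfix's own code; the function names, the dnsbl.example zone and the sample records (documentation address ranges) are hypothetical and constructed for an offline run.

```python
import ipaddress
import socket

def dnsbl_query_name(client_ip, zone):
    """Name looked up for reject_rbl_client: reversed address labels + zone."""
    ip = ipaddress.ip_address(client_ip)
    # IPv4 is reversed by octet, IPv6 by hex nibble.
    labels = str(ip).split(".") if ip.version == 4 else list(ip.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def system_ptr(ip):
    """Reverse lookup through the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_addrs(name):
    """Forward lookup through the system resolver; empty list when none."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def check_client(client_ip, zones, ptr=system_ptr, addrs=system_addrs):
    """Return the reasons this client would be rejected (empty list = pass)."""
    ip = str(ipaddress.ip_address(client_ip))  # normalise the textual form
    reasons = []
    name = ptr(ip)
    if name is None:
        reasons.append("reject_unknown_client_hostname: no PTR record")
    elif ip not in addrs(name):
        reasons.append(f"reject_unknown_client_hostname: {name} does not resolve back to {ip}")
    for zone in zones:
        if addrs(dnsbl_query_name(ip, zone)):  # any answer means "listed"
            reasons.append(f"reject_rbl_client {zone}: listed")
    return reasons

# Constructed records (documentation ranges, hypothetical zone) for an offline run.
PTR = {"192.0.2.10": "mail.example.com", "192.0.2.66": "host66.example.net"}
A = {"mail.example.com": ["192.0.2.10"], "host66.example.net": ["198.51.100.7"],
     "66.2.0.192.dnsbl.example": ["127.0.0.2"]}

def fake_addrs(name):
    return A.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.66", "192.0.2.99"):
        print(ip, check_client(ip, ["dnsbl.example"], PTR.get, fake_addrs))
```

Calling check_client with only an address and a list of zones uses the system resolver instead of the constructed records.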