Submitted by paul on Fri, 02/04/2010 - 02:33
When i first setup the server part 1 and part 2 i used the basic setting for postfix but soon found that i could reduce the amount of spam and load on the server by rejecting it before accepting it, i will do this by forcing mail servers that wanna deliver mail to me to be configured correctly and by using a few RBL (Real-time Blacklists).
Since i use Webmin i just navigate to "servers", "Posfix Mail server" then click "Edit Config Files" or manually edit "/etc/postfix/main.cf"
Below is my new config file - obviously change the IP's to your IP's and the domains to yours.
######################################################## inet_protocols = all inet_interfaces = 127.0.0.1, 192.168.0.200, [2001:470:1f09:d2b::220], [::1] smtp_bind_address = 192.168.0.200 smtp_bind_address6 = [2001:470:1f09:d2b::220] myorigin = $mydomain mynetworks = 127.0.0.0/8, 192.168.0.200, [2001:470:1f09:d2b::/64], [::1/128] myhostname = mail.example.com mydomain = example.com mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost virtual_alias_domains = example.co.uk, example2.com, example3.com, example2.co.uk virtual_alias_maps = hash:/etc/postfix/virtual smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit smtpd_sender_restrictions =permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit smtpd_recipient_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit policyd-spf_time_limit = 3600 smtpd_client_restrictions = permit_tls_all_clientcerts, reject_unauth_pipelining 2bounce_notice_recipient = webmaster@example.com error_notice_recipient = webmaster@example.com bounce_notice_recipient = webmaster@example.com smtpd_sasl_local_domain = smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_tls_key_file = /etc/postfix/ssl/key.pem smtpd_tls_cert_file = /etc/postfix/ssl/mail.example.com.pem smtpd_tls_CAfile = /etc/postfix/ssl/sub.class1.server.ca.pem smtpd_error_sleep_time = 5s smtp_use_tls = yes smtpd_tls_auth_only = no smtp_tls_note_starttls_offer = yes smtpd_use_tls = yes smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom disable_vrfy_command = yes unknown_client_reject_code = 550 unknown_hostname_reject_code = 550 unknown_address_reject_code = 550
some people might say this is quite restrictive as it will block any mail server that is mis-configured or using a dynamic ip, or been blocked for sending spam but i have found it blocks 95% of the spam i was receiving beforehand without using a spam filter (thus reducing the load on the server) and i haven't seen any downsides as all legit mail is getting through fine.
I'll try and explain what the main changes are. There are 3 main sections I changed "smtpd_helo_restrictions", "smtpd_sender_restrictions" and "smtpd_recipient_restrictions"
smtpd_sender_restrictions =permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
This allows my networks and users that have authenticated themselves to connect but blocks any servers that haven't configured a valid hostname for there mail server (should always use a proper domain name i.e. myhostname = mail.example.com) and also stops people trying to relay mail through my server.
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
When mail servers communicate with each other they say hello and identify themselves, this setting allows my networks to connect but blocks any servers that haven't configured a valid hostname for there mail server (should always use a proper domain name i.e. myhostname = mail.example.com)
smtpd_recipient_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_invalid_hostname, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
This setting does the same as the above commands except it rejects mail servers that have been listed on RBL (Real-time Blacklists) you can google for more RBL lists but these do just fine for me.
I use dnsbl.sorbs.net, zen.spamhaus.org and bl.spamcop.net
If you want a more detailed explanation of what each option does have a read of Postfix Configuration Parameters it lists every option going.
I have also setup SPF checking and a white-list just in-case a valid email server gets on the RBL list but will explain that in another blog.
- paul's blog
- 3160 reads
- Link to this blog
