When I first set up the server (Basic Server setup using Virtualmin) I used the default settings for Postfix, but soon found that I could reduce the amount of spam, and the load on the server, by rejecting it before accepting it. I do this by forcing mail servers that want to deliver mail to me to be configured correctly, and by using a few RBLs (Real-time Blacklists).
Since I use Webmin I just navigate to “Servers”, “Postfix Mail Server” and then click “Edit Config Files”, or manually edit “/etc/postfix/main.cf”.
Below is part of my new config file – obviously change the IPs to your IPs and the domains to yours.
########################################################
inet_protocols = all
inet_interfaces = 127.0.0.1, 192.168.0.200, [2001:470:1f09:d2b::220], [::1]
smtp_bind_address = 192.168.0.200
smtp_bind_address6 = [2001:470:1f09:d2b::220]
myorigin = $mydomain
mynetworks = 127.0.0.0/8, 192.168.0.200, [2001:470:1f09:d2b::/64], [::1/128]
myhostname = mail.example.com
mydomain = example.com
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
mailbox_size_limit = 0
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, permit
smtpd_client_restrictions = permit_tls_all_clientcerts, reject_unauth_pipelining
2bounce_notice_recipient = firstname.lastname@example.org
error_notice_recipient = email@example.com
bounce_notice_recipient = firstname.lastname@example.org
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
disable_vrfy_command = yes
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_address_reject_code = 550
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
message_size_limit = 40960000
header_size_limit = 402400
maximal_queue_lifetime = 1d
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
Some people might say this is quite restrictive, as it will block any mail server that is mis-configured, using a dynamic IP, or has been blocked for sending spam, but I have found it blocks 95% of the spam I was receiving beforehand without using a spam filter (thus reducing the load on the server), and I haven’t seen any downsides as all legit mail is getting through fine.
I’ll try and explain what the main changes are. There are 3 main sections I changed: “smtpd_helo_restrictions”, “smtpd_sender_restrictions” and “smtpd_recipient_restrictions”.
This allows my networks, and users that have authenticated themselves, to connect, but blocks any servers that haven’t configured a valid hostname for their mail server (you should always use a proper domain name, i.e. myhostname = mail.example.com), and also stops people trying to relay mail through my server.
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, permit
When mail servers communicate with each other they say hello and identify themselves. This setting allows my networks to connect, but blocks any servers that haven’t configured a valid hostname for their mail server (you should always use a proper domain name, i.e. myhostname = mail.example.com).
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
This setting does the same as the above two, except it also rejects mail servers that have been listed on RBLs (Real-time Blacklists). You can Google for more RBL lists, but these do just fine for me.
smtpd_recipient_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_invalid_hostname, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
I use dnsbl.sorbs.net, zen.spamhaus.org and bl.spamcop.net.
If you want a more detailed explanation of what each option does, have a read of Postfix Configuration Parameters; it lists every option going.
I have also set up SPF checking and a white-list, just in case a valid email server gets on an RBL list, but I will explain that in another blog.
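Two things the restriction lists above rely on but don’t show explicitly are that Postfix evaluates each list top to bottom and stops at the first restriction that decides, and that reject_rbl_client works by a DNS lookup of the client address reversed (octets for IPv4, nibbles for IPv6) under the RBL zone. The following is an added example, not part of the original post or of Postfix itself: it models a subset of the post’s smtpd_recipient_restrictions with a stand-in resolver, so you can see why a client in mynetworks is never RBL-checked and why a relay attempt is refused before any RBL is queried. The client addresses and DNS answers are constructed test values.

```python
import ipaddress

# Constructed subset of the post's smtpd_recipient_restrictions, same order as in main.cf.
RESTRICTIONS = [
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_unauth_destination",
    "reject_rbl_client dnsbl.sorbs.net",
    "reject_rbl_client zen.spamhaus.org",
    "reject_rbl_client bl.spamcop.net",
    "permit",
]
MYNETWORKS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "192.168.0.200/32", "2001:470:1f09:d2b::/64", "::1/128")]
MYDESTINATION = {"mail.example.com", "example.com", "localhost.example.com", "localhost"}

def rbl_query_name(client_ip, zone):
    """Name Postfix looks up for reject_rbl_client: reversed octets (IPv4)
    or reversed nibbles (IPv6) followed by the DNSBL zone."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        labels = addr.exploded.split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone

def evaluate(client_ip, sasl_ok, rcpt_domain, resolve, restrictions=RESTRICTIONS):
    """Walk the list top to bottom; the first restriction that decides wins.
    resolve(name) stands in for DNS and returns an A record string or None."""
    addr = ipaddress.ip_address(client_ip)
    for rule in restrictions:
        if rule == "permit_mynetworks" and any(addr in n for n in MYNETWORKS):
            return ("permit", rule)
        if rule == "permit_sasl_authenticated" and sasl_ok:
            return ("permit", rule)
        if rule == "reject_unauth_destination" and rcpt_domain not in MYDESTINATION:
            return ("reject", "relay access denied")
        if rule.startswith("reject_rbl_client "):
            zone = rule.split()[1]
            if resolve(rbl_query_name(client_ip, zone)) is not None:
                return ("reject", "blocked using " + zone)
        if rule == "permit":
            return ("permit", rule)
    return ("permit", "end of list")  # Postfix permits when no restriction decides

# Constructed DNS answers: only 203.0.113.7 (a TEST-NET-3 address) is listed, on zen.
LISTED = {"7.113.0.203.zen.spamhaus.org": "127.0.0.2"}
fake_dns = LISTED.get
```

Run the same client through evaluate() with and without an address in mynetworks to see that the RBL lookups only happen for clients that reach that point in the list.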