Difference between revisions of "Block Spam Menggunakan Postfix"
Onnowpurbo (talk | contribs) |
Line 1: | Line 1: | ||
+ | Memblokir spam menggunakan spamassasin untuk 1000 mail / menit bisa membuat CPU tewas. Cara yang lebih cerdas untuk memblokir spam sebelum mencapai spamassasin adalah menggunakan RBL (Realtime Blacklists) dan RHBL (sama tapi beda dengan RBL), Greylistings dan Helo Checks. | ||
+ | |||
+ | Kita ubah sedikit konfigurasi /etc/postfix/main.cf agar menambahkan pertahanan di smtpd dan cek seluruh host, | ||
+ | |||
+ | ### Checks to remove badly formed email | ||
+ | smtpd_helo_required = yes | ||
+ | strict_rfc821_envelopes = yes | ||
+ | disable_vrfy_command = yes | ||
+ | unknown_address_reject_code = 554 | ||
+ | unknown_hostname_reject_code = 554 | ||
+ | unknown_client_reject_code = 554 | ||
+ | smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit | ||
+ | |||
+ | ### When changing sender_checks, this file must be regenerated using postmap <file>, to generate a Berkeley DB | ||
+ | smtpd_recipient_restrictions = | ||
+ | check_client_access hash:/etc/postfix/helo_client_exceptions | ||
+ | check_sender_access hash:/etc/postfix/sender_checks, | ||
+ | reject_invalid_hostname, | ||
+ | ### Can cause issues with Auth SMTP, so be weary! | ||
+ | reject_non_fqdn_hostname, | ||
+ | ################################## | ||
+ | reject_non_fqdn_sender, | ||
+ | reject_non_fqdn_recipient, | ||
+ | reject_unknown_sender_domain, | ||
+ | reject_unknown_recipient_domain, | ||
+ | permit_mynetworks, | ||
+ | reject_unauth_destination, | ||
+ | |||
+ | # Add RBL exceptions here, when changing rbl_client_exceptions, this | ||
+ | # file must be regenerated using postmap <file>, to generate a Berkeley DB | ||
+ | |||
+ | check_client_access hash:/etc/postfix/rbl_client_exceptions, | ||
+ | reject_rbl_client cbl.abuseat.org, | ||
+ | reject_rbl_client sbl-xbl.spamhaus.org, | ||
+ | reject_rbl_client bl.spamcop.net, | ||
+ | reject_rhsbl_sender dsn.rfc-ignorant.org, | ||
+ | check_policy_service inet:127.0.0.1:60000 | ||
+ | permit | ||
+ | |||
+ | |||
+ | Kita perlu membuat file baru | ||
+ | |||
+ | vi /etc/postfix/helo.regexp | ||
+ | |||
+ | /^subdomain\.host\.com$/ 550 Don't use my own hostname | ||
+ | /^xxx\.yyy\.zzz\.xxx$/ 550 Don't use my own IP address | ||
+ | /^\[xxx\.yyy\.zzz\.xxx\]$/ 550 Don't use my own IP address | ||
+ | /^[0-9.]+$/ 550 Your software is not RFC 2821 compliant | ||
+ | /^[0-9]+(\.[0-9]+){3}$/ 550 Your software is not RFC 2821 compliant | ||
+ | |||
+ | Dengan cara ini lumayan untuk membuang spammer yang berusaha mengirim perintah helo dengan [[IP address]], hostname yang kacau yang tidak memenuhi RFC 2821. | ||
+ | |||
+ | ==Cara yang lebih sederhana== | ||
+ | |||
Untuk memblok [[mail spam]] menggunakan postfix dapat ditambahkan baris berikut di | Untuk memblok [[mail spam]] menggunakan postfix dapat ditambahkan baris berikut di | ||
/etc/postfix/main.cf | /etc/postfix/main.cf | ||
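Review bot: In smtpd_recipient_restrictions the two access-table lookups (helo_client_exceptions, sender_checks) and the reject_non_fqdn_* / reject_unknown_* checks all run before permit_mynetworks and reject_unauth_destination. An OK result from either table ends evaluation before reject_unauth_destination is reached, so an exception entry also permits relaying, and local clients are still subject to reject_non_fqdn_hostname, which is the Auth SMTP problem the inline comment warns about. Suggest putting permit_mynetworks and reject_unauth_destination first and the table lookups and hostname checks after them. Smaller points: in helo.regexp the pattern /^[0-9.]+$/ already matches everything /^[0-9]+(\.[0-9]+){3}$/ matches, so the last rule never fires and can be dropped; the first check_client_access line and the check_policy_service line lack the trailing comma the other entries carry; "be weary" should read "be wary"; and the text never says which service is expected to listen on 127.0.0.1:60000, so a reader cannot tell what check_policy_service is delegating to.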
Line 23: | Line 77: | ||
permit | permit | ||
+ | |||
+ | ==Referensi== | ||
+ | |||
+ | * http://www.howtoforge.com/virtual_postfix_antispam | ||
==Pranala Menarik== | ==Pranala Menarik== |
Latest revision as of 08:51, 2 January 2011
Blocking spam with SpamAssassin at 1000 mails per minute can kill the CPU. A smarter approach is to block spam before it reaches SpamAssassin, using RBLs (Realtime Blacklists), RHBLs (similar to RBLs, but not the same), greylisting and HELO checks.

We change the /etc/postfix/main.cf configuration slightly to add defences in smtpd and to check every host:

 ### Checks to remove badly formed email
 smtpd_helo_required = yes
 strict_rfc821_envelopes = yes
 disable_vrfy_command = yes
 unknown_address_reject_code = 554
 unknown_hostname_reject_code = 554
 unknown_client_reject_code = 554
 smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit

 ### When changing sender_checks, this file must be regenerated using postmap <file>, to generate a Berkeley DB
 smtpd_recipient_restrictions =
     check_client_access hash:/etc/postfix/helo_client_exceptions
     check_sender_access hash:/etc/postfix/sender_checks,
     reject_invalid_hostname,
     ### Can cause issues with Auth SMTP, so be wary!
     reject_non_fqdn_hostname,
     ##################################
     reject_non_fqdn_sender,
     reject_non_fqdn_recipient,
     reject_unknown_sender_domain,
     reject_unknown_recipient_domain,
     permit_mynetworks,
     reject_unauth_destination,
     # Add RBL exceptions here, when changing rbl_client_exceptions, this
     # file must be regenerated using postmap <file>, to generate a Berkeley DB
     check_client_access hash:/etc/postfix/rbl_client_exceptions,
     reject_rbl_client cbl.abuseat.org,
     reject_rbl_client sbl-xbl.spamhaus.org,
     reject_rbl_client bl.spamcop.net,
     reject_rhsbl_sender dsn.rfc-ignorant.org,
     check_policy_service inet:127.0.0.1:60000
     permit

We need to create a new file:

 vi /etc/postfix/helo.regexp

 /^subdomain\.host\.com$/ 550 Don't use my own hostname
 /^xxx\.yyy\.zzz\.xxx$/ 550 Don't use my own IP address
 /^\[xxx\.yyy\.zzz\.xxx\]$/ 550 Don't use my own IP address
 /^[0-9.]+$/ 550 Your software is not RFC 2821 compliant
 /^[0-9]+(\.[0-9]+){3}$/ 550 Your software is not RFC 2821 compliant

This does a decent job of discarding spammers that send the HELO command with an IP address, or with a malformed hostname that does not comply with RFC 2821.
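
The first-match behaviour of the helo.regexp table above can be checked offline before it is put in front of live mail. The following is an added example, not part of the original page: it uses Python's re module as a stand-in for Postfix's regexp matcher, and mail.example.com and 192.0.2.10 are constructed substitutes for the page's subdomain.host.com and xxx.yyy.zzz.xxx placeholders.

```python
import re

# Constructed stand-ins for the page's placeholders (subdomain.host.com,
# xxx.yyy.zzz.xxx): mail.example.com and 192.0.2.10.
HELO_REGEXP = r"""
/^mail\.example\.com$/           550 Don't use my own hostname
/^192\.0\.2\.10$/                550 Don't use my own IP address
/^\[192\.0\.2\.10\]$/            550 Don't use my own IP address
/^[0-9.]+$/                      550 Your software is not RFC 2821 compliant
/^[0-9]+(\.[0-9]+){3}$/          550 Your software is not RFC 2821 compliant
"""

LINE = re.compile(r"^/(.*)/\s+(\S.*)$")  # "/pattern/ action"; flags not handled

def parse_table(text):
    """Return [(compiled_pattern, action)] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        # Postfix regexp tables match case-insensitively by default.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, helo):
    """First matching rule wins; None means fall through to the next restriction."""
    for index, (pattern, action) in enumerate(rules, start=1):
        if pattern.search(helo):
            return index, action
    return None

def shadowed_rules(rules, samples):
    """Rule numbers that never decide any of the sample HELO names."""
    hit = {res[0] for res in (lookup(rules, s) for s in samples) if res}
    return [i for i in range(1, len(rules) + 1) if i not in hit]

# Constructed HELO arguments, not taken from real traffic.
SAMPLES = ["mail.example.com", "MAIL.EXAMPLE.COM", "192.0.2.10", "[192.0.2.10]",
           "203.0.113.5", "10.1", "[198.51.100.7]", "mx1.example.net"]

if __name__ == "__main__":
    table = parse_table(HELO_REGEXP)
    for helo in SAMPLES:
        print(f"{helo:20} -> {lookup(table, helo)}")
    print("rules never reached:", shadowed_rules(table, SAMPLES))
```

On a host with Postfix installed, `postmap -q "203.0.113.5" regexp:/etc/postfix/helo.regexp` performs the same lookup against the real table.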
==A simpler way==

To block spam mail with Postfix, the following lines can be added to /etc/postfix/main.cf:

     check_helo_access hash:/etc/postfix/maps/helo_access,
     reject_rhsbl_sender cbl.abuseat.org,
     reject_rhsbl_sender dnsbl.njabl.org,
     reject_rhsbl_sender list.dsbl.org,
     reject_rhsbl_sender bl.spamcop.net,
     reject_rhsbl_sender cbl.abuseat.org,
     reject_rhsbl_sender dul.dnsbl.sorbs.net,
     reject_rhsbl_sender rhsbl.sorbs.net,
     permit

 smtpd_client_restrictions =
     reject_rbl_client cbl.abuseat.org,
     reject_rbl_client dnsbl.njabl.org,
     reject_rbl_client list.dsbl.org,
     reject_rbl_client bl.spamcop.net,
     reject_rbl_client cbl.abuseat.org,
     reject_rbl_client dul.dnsbl.sorbs.net,
     reject_rbl_client rhsbl.sorbs.net,
     permit_mynetworks,
     permit