Block Spam Using Postfix (en)
Revision as of 06:49, 4 January 2025 by Onnowpurbo
Blocking spam using SpamAssassin for 1000 emails/minute can overload the CPU. A smarter way is to block spam before it reaches SpamAssassin, using RBL (Realtime Blacklists), RHBL (similar to RBL, but listing domain names rather than IP addresses), Greylisting, and HELO checks.
We slightly modify the configuration in /etc/postfix/main.cf to add defenses at smtpd and check all hosts:
### Checks to remove badly formed email
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes

unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554

smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, check_helo_access regexp:/etc/postfix/helo.regexp, permit

### When changing sender_checks, this file must be regenerated using postmap <file>, to generate a Berkeley DB
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/helo_client_exceptions
    check_sender_access hash:/etc/postfix/sender_checks,
    reject_invalid_hostname,
### Can cause issues with Auth SMTP, so be wary!
    reject_non_fqdn_hostname,
##################################
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
# Add RBL exceptions here, when changing rbl_client_exceptions, this
# file must be regenerated using postmap <file>, to generate a Berkeley DB
    check_client_access hash:/etc/postfix/rbl_client_exceptions,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    check_policy_service inet:127.0.0.1:60000
    permit
We need to create a new file:
vi /etc/postfix/helo.regexp

/^subdomain\.host\.com$/      550 Don't use my own hostname
/^xxx\.yyy\.zzz\.xxx$/        550 Don't use my own IP address
/^\[xxx\.yyy\.zzz\.xxx\]$/    550 Don't use my own IP address
/^[0-9.]+$/                   550 Your software is not RFC 2821 compliant
/^[0-9]+(\.[0-9]+){3}$/       550 Your software is not RFC 2821 compliant
This approach is quite effective at rejecting spammers who send HELO commands with a malformed IP address or hostname that does not comply with RFC 2821.
A simpler way
To block mail spam using Postfix, add the following lines to /etc/postfix/main.cf:
    check_helo_access hash:/etc/postfix/maps/helo_access,
    reject_rhsbl_sender cbl.abuseat.org,
    reject_rhsbl_sender dnsbl.njabl.org,
    reject_rhsbl_sender list.dsbl.org,
    reject_rhsbl_sender bl.spamcop.net,
    reject_rhsbl_sender cbl.abuseat.org,
    reject_rhsbl_sender dul.dnsbl.sorbs.net,
    reject_rhsbl_sender rhsbl.sorbs.net,
    permit
smtpd_client_restrictions=
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client rhsbl.sorbs.net,
    permit_mynetworks,
    permit
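A check worth running before deploying either restriction list above, given as an added example that is not part of the original page: it shows how reject_rbl_client and reject_rhsbl_sender build their DNS query names, and tests whether an IP-based zone still behaves like a blacklist using the RFC 5782 test entries. The function names are hypothetical, and the lookups assume the system resolver is allowed to query the lists.

```python
"""Added example: DNSBL query names and an RFC 5782 zone health check."""
import ipaddress
import socket


def rbl_query_name(client_ip, zone):
    """reject_rbl_client: reversed IPv4 octets + zone (1.2.3.4 -> 4.3.2.1.zone)."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def rhsbl_query_name(sender, zone):
    """reject_rhsbl_sender: domain part of the envelope sender + zone."""
    domain = sender.rsplit("@", 1)[-1].rstrip(".").lower()
    return domain + "." + zone


def system_resolver(name):
    """Return the A records for name, or [] when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def zone_health(zone, resolve=system_resolver):
    """RFC 5782: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    listed = resolve(rbl_query_name("127.0.0.2", zone))
    control = resolve(rbl_query_name("127.0.0.1", zone))
    if control:
        # Postfix rejects on any A record, so this zone would block all mail.
        return "lists-everything"
    if not listed:
        # No answer for the mandatory test entry: zone gone or queries refused.
        return "dead-or-blocked"
    return "ok"


if __name__ == "__main__":
    # Zones copied from the reject_rbl_client lines on this page.
    for z in ("cbl.abuseat.org", "sbl-xbl.spamhaus.org", "bl.spamcop.net",
              "dnsbl.njabl.org", "list.dsbl.org", "dul.dnsbl.sorbs.net"):
        print(f"{z:24} {zone_health(z)}")
```

Any zone that does not report "ok" should be dropped from main.cf: a dead zone adds a DNS timeout to every connection, and one that answers for 127.0.0.1 rejects legitimate mail.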