Postfix: How to Limit Emails (en)

From OnnoWiki
Revision as of 06:13, 7 January 2025 by Onnowpurbo (talk | contribs) (Created page with "==Introduction== If you have followed the basic Postfix guide, you will have a simple Postfix email server that is capable of sending and receiving email. However, you might...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Introduction

If you have followed the basic Postfix guide, you will have a simple Postfix email server that is capable of sending and receiving email. However, you might notice that your Postfix server is receiving all email, including spam. Spam, also known as Unsolicited Bulk Email (UBE) or Unsolicited Commercial Email (UCE), constitutes more than 80% of all email sent over the Internet and presents a major challenge for any email administrator. This guide will explore some of the available restrictions in Postfix for combating spam. It is designed to be modular, allowing implementation alongside the basic Postfix guide if desired.

Postfix and Spam

The Internet is largely built on a policy of trust, which UBE abuses by delivering large amounts of spam. Imposing restrictions on email deviates from this trust policy and risks blocking legitimate emails. Therefore, we should apply restrictions conservatively and monitor them carefully. While users will appreciate less spam, they will not appreciate legitimate emails being blocked.

We will use three different Postfix restriction classes to scrutinize information provided by any connecting client:

  • `smtpd_helo_restrictions`
  • `smtpd_sender_restrictions`
  • `smtpd_recipient_restrictions`

Many spammers do not adhere closely to RFC guidelines, allowing us to use these restriction classes to identify and reject obvious spam before it enters our email server. This saves bandwidth and reduces processing overhead.

Helo Restrictions

When a client system connects to our email server, it must identify itself using the SMTP HELO command. Many spammers either skip this step, send invalid information, or obfuscate their identity. We can safely reject connections from clients that are severely misconfigured or are deliberately hiding their identity.

Example configuration in `/etc/postfix/main.cf`: 

# HELO restrictions:
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
  • `smtpd_delay_reject` allows the SMTP conversation to continue until the actual reception of the message before it is rejected.
  • `smtpd_helo_required` rejects emails from any system that fails to identify itself.
  • `reject_non_fqdn_helo_hostname` and `reject_invalid_helo_hostname` ensure that connections adhere to RFC-compliant hostnames.

Sender Restrictions

Next, we filter out invalid senders with sender restrictions: 

# Sender restrictions:
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
  • These settings reject emails if the sender's email address is malformed or if the domain does not exist.
  • `permit_mynetworks` accepts emails from trusted local users, bypassing further sender restriction checks.

Recipient Restrictions

Finally, we check that the client has permission to send to the specified recipient and apply non-Postfix checks to messages that have passed previous filters: 

# Recipient restrictions:
smtpd_recipient_restrictions =
   reject_unauth_pipelining,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   permit_mynetworks,
   reject_unauth_destination,
   check_sender_access hash:/etc/postfix/sender_access,
   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client bl.spamcop.net,
   check_policy_service unix:postgrey/socket,
   permit
  • `reject_unauth_pipelining` blocks bulk email software that improperly uses pipelining.
  • `reject_non_fqdn_recipient` and `reject_unknown_recipient_domain` block emails to non-existent or malformed domains.

Summary

This guide has shown how to use Postfix restrictions to reject mail from misconfigured clients or those with no legitimate reason to contact your server. The restrictions are conservative to avoid false positives and should integrate well into any Postfix setup. Proper configuration can block a significant portion of spam.

Acknowledgments

This article was inspired by and closely based on the guide by Kirk Strauser published under the "Attribution-Sharealike" Creative Commons License 2.5.

References

Retrieved from "https://onnocenter.or.id/wiki/index.php?title=Postfix:_How_to_Limit_Emails_(en)&oldid=71788"