HOWTO Stop spam using Postfix

From LinuxReviews

Postfix is a Mail Transfer Agent (MTA) which many sites use to accept and deliver mail. It can, and should, also be used to decide which incoming mails to reject because accepting them is not in your interest.

Step 1: DNSBL lists

DNSBLs (DNS blacklists) are lists which can be configured in Postfix's main.cf and are looked up when a mail is received. If the connecting client's IP is listed in the DNS blacklist then the mail is rejected. There are several good lists out there, see Spam blacklists for a review of the various choices.

You can list them under smtpd_recipient_restrictions = with the directive reject_rbl_client, for example:

smtpd_recipient_restrictions =
           permit_sasl_authenticated,
           (...),
           reject_rbl_client multihop.dsbl.org,
           (...),
           permit

There's also another way of doing it, which will be removed: you can list the DNSBLs under maps_rbl_domains and just add reject_maps_rbl to smtpd_recipient_restrictions:

maps_rbl_domains = zen.spamhaus.org,
               dnsbl.sorbs.net,
               list.dsbl.org,
               bl.spamcop.net,
               cbl.abuseat.org
smtpd_recipient_restrictions =            
               (...),
               reject_maps_rbl,
               permit

Postfix screams WARNING!! WARNING!! when this configuration method is used: "warning: support for restriction "reject_maps_rbl" will be removed from Postfix; use "reject_rbl_client domain-name" instead". It works, but it may stop working in future versions (after mail-mta/postfix-2.3.6).
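What a reject_rbl_client check amounts to on the wire, as an added example that is not part of the original page or of Postfix itself: the client IP is reversed, prefixed to the list's zone, and looked up as an A record. The zone dnsbl.example, the sample records, and the rule that only 127.0.0.0/8 answers count as a listing are assumptions of this sketch.

```python
import ipaddress
import socket

def dnsbl_query_name(client_ip, zone):
    """Build the DNS name that is looked up for client_ip in a DNSBL zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]                    # octets, reversed
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]    # 32 nibbles, reversed
    return ".".join(labels) + "." + zone.strip(".")

def system_resolver(name):
    """Return the A records for name; [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []          # this sketch treats lookup failures as "not listed"

def check_client(client_ip, zones, resolve=system_resolver):
    """Return (zone, answers) for the first zone that lists client_ip, else None."""
    for zone in zones:
        answers = resolve(dnsbl_query_name(client_ip, zone))
        # Choice made in this sketch: only 127.0.0.0/8 answers count as a listing.
        # Any other address usually means a parked zone or a rewriting resolver.
        listed = [a for a in answers if a.startswith("127.")]
        if listed:
            return zone, listed
    return None

# Constructed sample data standing in for real DNS, so the example runs offline.
# "dnsbl.example" is a hypothetical zone; 203.0.113.7 is a documentation address.
SAMPLE_RECORDS = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],
    "7.113.0.203.dnsbl.example": ["127.0.0.4"],
}

def sample_resolver(name):
    return SAMPLE_RECORDS.get(name, [])

if __name__ == "__main__":
    zones = ["dnsbl.example"]
    for ip in ("127.0.0.2", "203.0.113.7", "198.51.100.9"):
        print(ip, "->", check_client(ip, zones, sample_resolver))
```

Calling check_client without the third argument uses the system resolver, so looking up 127.0.0.2 against a list you have configured is a quick way to confirm that the zone still answers before you rely on it in main.cf.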

Step 2: Common non-correct configurations

Rejecting mail from misconfigured senders has one problem: many legitimate mail servers are misconfigured too. However, turning misconfigured servers away also prevents a whole lot of spam mail.

The first measure you may want is to reject MTA software which doesn't even say hello (HELO). AFAIK the only MTA software which doesn't do this is used solely for spam.

smtpd_helo_required = yes

(Please correct if there is a commonly used mail program which doesn't say hello).

It's generally polite to say who the mail is from. Again, very few real mails lack a return address; most which do are spam.

smtpd_sender_restrictions = reject_unknown_address

The next measures go under smtpd_recipient_restrictions = .

Reject mail whose to and from addresses lack a valid (fully qualified) domain:

             reject_non_fqdn_sender,
             reject_non_fqdn_recipient,

Reject mail where there is no known sender or receiver domain:

             reject_unknown_sender_domain,
             reject_unknown_recipient_domain,

Reject pipelining and non-local destinations by unauthorized users:

             reject_unauth_pipelining,
             reject_unauth_destination,

You may also want to add reject_invalid_hostname and reject_non_fqdn_hostname under smtpd_recipient_restrictions.

The above can be used for a complete anti-spam configuration like this:

smtpd_helo_required = yes
smtpd_sender_restrictions = reject_unknown_address
smtpd_recipient_restrictions =
#              The next line is only for master MX's,
#              omit it on secondary MX.
               permit_sasl_authenticated,
               reject_non_fqdn_sender,
               reject_non_fqdn_recipient,
               reject_unknown_sender_domain,
               reject_unknown_recipient_domain,
#              Check postfix man for the next line. Its usage is not
#              recommended in contexts other than smtpd_data_restrictions
               reject_unauth_pipelining,
               permit_mynetworks,
               reject_unauth_destination,
               reject_rbl_client zen.spamhaus.org,
               reject_rbl_client list.dsbl.org,
               permit


Note: Do not use opm.blitzed.org and sbl.spamhaus.org, use sbl-xbl.spamhaus.org.

Step 3: Use amavisd, spamassassin, etc

Postfix can optionally hand mail over to another program which checks the mail for spam and then hands it back to Postfix. amavisd-new is a great program which can run all sorts of things before handing the mail back to Postfix for delivery.

A note on SpamAssassin

SpamAssassin can also do DNSBL checks.

You will want to switch off its DNSBL checking if you have already set up Postfix to do so, or the checks will be done twice.