Blocking spammers with Postfix alone
The battle between email admins and spammers is an ongoing arms race. The spammers are at a disadvantage because by and large, they have to rely on exploiting vulnerable systems to send their mail. With the ever growing size of botnets, they have a pretty large pool of exploited systems to send from, but Postfix can be configured to weed out most of that.
I’ve used the following configuration for many systems that were being plagued by spam problems. In many cases, SpamAssassin was doing the job, but it was having to process so much junk that it was putting an amazing amount of load on the server. After adding this to the Postfix configuration, Postfix was able to reject mail before it came into the queue, thereby reducing the amount of mail that made it through to SpamAssassin.
Add to /etc/postfix/main.cf
smtpd_delay_reject = yes smtpd_helo_required = yes disable_vrfy_command = yes smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, permit smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, permit
On average, only about two or three spam messages a day actually get accepted for delivery, which SpamAssassin then handles appropriately. You can see some stats on how well this is working through my Postfix stats*.
* I just started tracking the stats, so they may not show much depending on when you’re getting here.