Blocking spammers with Postfix alone

The battle between email admins and spammers is an ongoing arms race. The spammers are at a disadvantage because by and large, they have to rely on exploiting vulnerable systems to send their mail. With the ever growing size of botnets, they have a pretty large pool of exploited systems to send from, but Postfix can be configured to weed out most of that.

I’ve used the following configuration for many systems that were being plagued by spam problems. In many cases, SpamAssassin was doing the job, but it was having to process so much junk that it was putting an amazing amount of load on the server. After adding this to the Postfix configuration, Postfix was able to reject mail before it came into the queue, thereby reducing the amount of mail that made it through to SpamAssassin.

Add to /etc/postfix/main.cf

smtpd_delay_reject = yes
smtpd_helo_required = yes
disable_vrfy_command = yes

smtpd_helo_restrictions =
     permit_mynetworks,
     reject_non_fqdn_helo_hostname,
     reject_invalid_helo_hostname,
     #reject_unknown_helo_hostname,
     permit

smtpd_sender_restrictions =
     permit_sasl_authenticated,
     permit_mynetworks,
     reject_non_fqdn_sender,
     reject_unknown_sender_domain,
     permit

smtpd_client_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_unauth_pipelining,
     reject_rbl_client bl.spamcop.net,
     reject_rbl_client zen.spamhaus.org,
     permit

smtpd_recipient_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     check_recipient_access hash:/etc/postfix/denied_recipients,
     reject_non_fqdn_recipient,
     reject_unknown_recipient_domain,
     reject_unauth_destination,
     permit

On average, only about two or three spam messages a day actually get accepted for delivery, which SpamAssassin then handles appropriately.

Updated 20 May 2010 As I pointed out in my post on whitelisting Facebook, I updated my restrictions configuration, putting my RBL checks under smtpd_client_restrictions instead of smtpd_recipient_restrictions.

Tags: spam

This entry was posted on Sunday, March 8th, 2009 at 10:00 and is filed under Postfix. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Comments (2)
Trackbacks

My address IS valid, Facebook! | rugmonster.org says:

04 May 2010 at 21:59

[...] you happened to have seen my previous post, Blocking spammers with Postfix alone, you saw that I use SpamCop for one of my RBLs. It’s worked great for years. My whole setup [...]

Reply
Blocking Spam With Postfix - Ramblings from MostlyChris says:

27 December 2011 at 08:22

[...] I stole this from Here. [...]

Reply

rugmonster.org

Blocking spammers with Postfix alone

Leave a Reply

Meta