Flexion.Org
Bad grammar and typos for total strangers

PostfixSpamFilters

1.   Introduction
1.1   Client Restrictions
1.2   HELO Restrictions
1.3   Sender Restrictions
1.4   Recipient Restrictions
1.5   Data Restrictions
1.6   Header and Body Checks

Introduction

Using Postfix's built-in features you can stop a good deal of spam at the "front door". These are my Postfix anti-UCE settings; they might not be suitable for everyone, so read the pages referenced below to fully understand what this lot does.

Client Restrictions

/etc/postfix/main.cf

 # Client Restrictions
 smtpd_client_restrictions = 
         permit_mynetworks,
         permit_sasl_authenticated,
         check_client_access cdb:/etc/postfix/access/client_access.txt,
         permit

/etc/postfix/access/client_access.txt

 # After editing this file it needs hashing.
 #
 #   $ postmap cdb:/etc/postfix/access/client_access.txt
 
 #.dynamic.hinet.net             REJECT Reason: Persistent Abuse
 .hotmail.com                    OK
 .yahoo.com                      OK
 .ebay.com                       OK
 .mm.ticketmaster.com            OK

HELO Restrictions

/etc/postfix/main.cf

 # HELO Restrictions
 smtpd_helo_restrictions = 
         permit_mynetworks,
         permit_sasl_authenticated,
         check_helo_access cdb:/etc/postfix/access/helo_access.txt,
         reject_invalid_helo_hostname,
         reject_non_fqdn_helo_hostname,
         warn_if_reject,
         reject_unknown_helo_hostname,
         permit

/etc/postfix/access/helo_access.txt

 # After editing this file it needs hashing.
 #
 #   $ postmap cdb:/etc/postfix/access/helo_access.txt
 
 # Reject anybody that HELO's as being in our own domain(s)
 flexion.org                     REJECT Bogus HELO. You are not from flexion.org
 mail.flexion.org                REJECT Bogus HELO. You are not from mail.flexion.org
 project-minerva.org             REJECT Bogus HELO. You are not from project-minerva.org
 project-minerva.com             REJECT Bogus HELO. You are not from project-minerva.com
 mail.project-minerva.org        REJECT Bogus HELO. You are not from mail.project-minerva.org
 mail.project-minerva.com        REJECT Bogus HELO. You are not from mail.project-minerva.com
 
 # Somebody HELO'ing with our IP address?
 81.174.191.117            REJECT Bogus HELO. Use your own IP address
 
 # Somebody HELO'ing as "localhost?"  Impossible, we're "localhost"
 localhost               REJECT Bogus HELO. You are not localhost
 localhost.localdomain   REJECT Bogus HELO. You are not localhost.localdomain
 ?localhost?             REJECT Bogus HELO. You are not ?localhost?
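
Whether a key such as `.hotmail.com` or `flexion.org` matches subdomains depends on whether `smtpd_access_maps` is listed in `parent_domain_matches_subdomains` (it is in the stock default). The Python model below is an added example, not part of the original page or of Postfix; the table entries are a subset copied from the two access files above, the sample hostnames are constructed, and only the hostname part of the lookup is modelled (`check_client_access` also tries the client IP address).

```python
# Added example: models the sequence of keys Postfix tries when it looks up a
# hostname in an access(5) table. Not Postfix code; hostnames are constructed.

# Subset of /etc/postfix/access/client_access.txt from the page
CLIENT_ACCESS = {
    ".hotmail.com": "OK",
    ".yahoo.com": "OK",
    ".mm.ticketmaster.com": "OK",
}

# Subset of /etc/postfix/access/helo_access.txt from the page
HELO_ACCESS = {
    "flexion.org": "REJECT Bogus HELO. You are not from flexion.org",
    "localhost": "REJECT Bogus HELO. You are not localhost",
}


def candidate_keys(hostname, parent_matches_subdomains):
    """Return the lookup keys in the order they are tried.

    parent_matches_subdomains=True  -> smtpd_access_maps IS listed in
        parent_domain_matches_subdomains: parents are tried as "domain.tld".
    parent_matches_subdomains=False -> it is NOT listed: parents are tried
        as ".domain.tld".
    """
    name = hostname.lower()
    keys = [name]
    while "." in name[1:]:
        dot = name.index(".", 1)
        name = name[dot + 1:] if parent_matches_subdomains else name[dot:]
        keys.append(name)
    return keys


def lookup(table, hostname, parent_matches_subdomains):
    """First matching key wins; None means no match (next restriction runs)."""
    for key in candidate_keys(hostname, parent_matches_subdomains):
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    for listed in (True, False):
        print("smtpd_access_maps listed:", listed)
        print("  client mail.hotmail.com ->",
              lookup(CLIENT_ACCESS, "mail.hotmail.com", listed))
        print("  HELO spoof.flexion.org  ->",
              lookup(HELO_ACCESS, "spoof.flexion.org", listed))
```

With the setting listed, the dotted client keys never match and the bare HELO keys also catch subdomains; with it removed, the reverse holds, so check `postconf parent_domain_matches_subdomains` before relying on either file.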

Sender Restrictions

/etc/postfix/main.cf

 # MAIL FROM: Restrictions
 smtpd_sender_restrictions =
         permit_mynetworks,
         permit_sasl_authenticated,
         reject_non_fqdn_sender,
         reject_unknown_sender_domain,
         check_sender_mx_access cidr:/etc/postfix/access/mx_access.txt,
         permit

/etc/postfix/access/mx_access.txt

 # This file DOES NOT need hashing
 
 # IP address Verisign returns for otherwise invalid .com and .net domains
 64.94.110.0/24  REJECT Verisign hijacked domain
 0.0.0.0/8       REJECT Domain MX in broadcast network
 10.0.0.0/8      REJECT Domain MX in RFC 1918 private network
 127.0.0.0/8     REJECT Domain MX in loopback network
 169.254.0.0/16  REJECT Domain MX in link local network
 172.16.0.0/12   REJECT Domain MX in RFC 1918 private network
 192.0.2.0/24    REJECT Domain MX in TEST-NET network
 192.168.0.0/16  REJECT Domain MX in RFC 1918 private network
 224.0.0.0/4     REJECT Domain MX in class D multicast network
 240.0.0.0/5     REJECT Domain MX in class E reserved network
 248.0.0.0/5     REJECT Domain MX in reserved network

Recipient Restrictions

/etc/postfix/main.cf

 # RCPT TO: Restrictions
 smtpd_recipient_restrictions =
         permit_mynetworks,
         permit_sasl_authenticated,
         reject_non_fqdn_recipient,
         reject_unknown_recipient_domain,
         check_recipient_mx_access cidr:/etc/postfix/access/mx_access.txt,
         reject_unauth_destination,
 #       check_recipient_access cdb:/etc/postfix/access/recipient_access.txt,
         reject_rbl_client zen.spamhaus.org,
         reject_rbl_client bl.spamcop.net,
         reject_rbl_client ubl.unsubscore.com,
         reject_rbl_client psbl.surriel.com,
         reject_rhsbl_client rhsbl.sorbs.net,
         reject_rhsbl_sender rhsbl.sorbs.net,
         permit

Data Restrictions

/etc/postfix/main.cf

 # DATA Restrictions
 smtpd_data_restrictions =
         permit_mynetworks,
         permit_sasl_authenticated,
         reject_unauth_pipelining,
         permit

Header and Body Checks

I remove '.em(ai)?l' and 'xl' from regexps in the files below.

/etc/postfix/main.cf

 # Header and Body checks
 header_checks = pcre:/etc/postfix/checks/header_checks.txt
 #mime_header_checks = regexp:/etc/postfix/checks/mime_header_checks.txt
 body_checks = pcre:/etc/postfix/checks/body_checks.txt

/etc/postfix/checks/header_checks.txt

 wget http://jimsun.linxnet.com/misc/header_checks.txt -O /etc/postfix/checks/header_checks.txt

/etc/postfix/checks/body_checks.txt

 wget http://jimsun.linxnet.com/misc/body_checks.txt -O /etc/postfix/checks/body_checks.txt

References

$Id: PostfixSpamFilters,v 1.10 2008/05/17 09:20:29 martin Exp $
