Re: Postfix restrictions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

Am 07.06.2020 um 11:46 schrieb Nicolas Kovacs:

Hi,

I'm currently fine-tuning my mail server (Postfix and Dovecot on CentOS 7).

SPF, DKIM and DMARC work fine, now I'd like to limit the spam tsunami.

Besides the official Postfix documentation, I've read a few articles about
Postfix spam restrictions, namely these :

https://www.linuxbabe.com/mail-server/block-email-spam-postfix

https://wiki.centos.org/HowTos/postfix_restrictions

After some experimenting, here's what I currently have on my test server:

--8<----- /etc/postfix/main.cf -----------------------------
...
smtpd_helo_required = yes
smtpd_helo_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   check_helo_access hash:/etc/postfix/helo_access
   reject_invalid_helo_hostname,
   reject_non_fqdn_helo_hostname,
   reject_unknown_helo_hostname
smtpd_sender_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   check_sender_access hash:/etc/postfix/sender_access,
   reject_unknown_sender_domain,
   reject_unknown_reverse_client_hostname,
   reject_unknown_client_hostname
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   check_client_access hash:/etc/postfix/rbl_override,
   reject_rhsbl_helo dbl.spamhaus.org,
   reject_rhsbl_reverse_client dbl.spamhaus.org,
   reject_rhsbl_sender dbl.spamhaus.org,
   reject_rbl_client zen.spamhaus.org
--8<--------------------------------------------------------

Before committing this configuration to my main server, I thought I'd share
this configuration on the list. Maybe the Postfix gurus among you have the odd
comment to make.

My aim is simply to eliminate as much spam as possible (that is, before adding
SpamAssassin) while keeping false positives to a minimum.

Any suggestions ?

Niki



Hi,

a few points:
- don't split up the smtpd_*_restrictions as shown above. It is simpler to maintain by keeping everything under smtpd_recipient_restrictions.
- use postscreen, it is a Postfix feature. That way relocate the RBL and RHSBL calls to postscreen in a weighted approach
- don't offer SMTP AUTH on smtp port 25. Offer submission (port 587) or submissions (465) or both for your known clients. That way you can much better control what's allowed on port 25.
- reject_non_fqdn_helo_hostname could lead to reject valid mail, use warn_if_reject for some time to check if that would be relevant for you. 

- don't make use of permit_mynetworks, control relaying by use of SMTP AUTH.

Alexander
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]

  Powered by Linux