Skip to content

Adapted Postfix configuration to block typical spam sending#165

Merged
tomav merged 2 commits intodocker-mailserver:v2from
stonemaster:postfix-spam
Apr 27, 2016
Merged

Adapted Postfix configuration to block typical spam sending#165
tomav merged 2 commits intodocker-mailserver:v2from
stonemaster:postfix-spam

Conversation

@stonemaster
Copy link
Copy Markdown
Contributor

@stonemaster stonemaster commented Apr 27, 2016

mail servers using an enhanced client, sender and helo
restriction configuration.

The configuration has been adapted using this blog post:
https://www.webstershome.co.uk/2014/04/07/postfix-blocking-spam-enters-server/

Basically mail servers having invalid configuration (as e.g. sending
from and dynamic IP or a misconfigured hostname) will have their
mails rejected.

Additionnally three RBL servers are used to detect spam sending
IPs: dnsbl.sorbs.net, zen.spamhaus.org and bl.spamcop.net.

The results of a 12h test drive using a 100+ daily spam
mail account (SpamAssasin was always enabled, just counting
delivered mails to inbox not counting what SA detected):

  • Before: 34 incoming mails
  • Afer change: 6 incoming mails (82% reduction)

Fixes #161.

@stonemaster
Adapted Postfix configuration to block typical spam sending
a9c4bb3 
mail servers using an enhanced client, sender and helo
restriction configuration.

The configuration has been adapted using this blog post:
https://www.webstershome.co.uk/2014/04/07/postfix-blocking-spam-enters-server/

Basically mail servers having invalid configuration (as e.g. sending
from and dynamic IP or a misconfigured hostname) will have their
mails rejected.

Additionnally three RBL servers are used to detect spam sending
IPs: dnsbl.sorbs.net, zen.spamhaus.org and bl.spamcop.net.

The results of a 12h test drive using a 100+ daily spam
mail account (SpamAssasin was always enabled, just counting
delivered mails to inbox not counting what SA detected):
- Before: 34 incoming mails
- Afer change: 6 incoming mails (82% reduction)

Fixes #161.
tomav
tomav reviewed Apr 27, 2016
View reviewed changes
Comment thread target/postfix/main.cf Outdated
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain,
Copy link
Copy Markdown
Contributor

@tomav tomav Apr 27, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reject_non_fqdn_hostname is for postfix <2.3 no? It should be reject_non_fqdn_helo_hostname.

Same for reject_invalid_hostname => reject_invalid_helo_hostname

Have a look to http://www.postfix.org/postconf.5.html

@tomav
Copy link
Copy Markdown
Contributor

tomav commented Apr 27, 2016

Hi @stonemaster, thank you for this enhancement on postfix configuration.
I commented your commit because I think that some of postconf keys are for postfix <2.3
Could you please have a look to http://www.postfix.org/postconf.5.html ?

Thank you.

@tomav
Copy link
Copy Markdown
Contributor

tomav commented Apr 27, 2016

Regarding the tests and CI, don't worry it happen often on this test.

not ok 10 checking imap: server is ready with STARTTLS
# (in test file test/tests.bats, line 56)
#   `[ "$status" -eq 0 ]' failed

I'll have to find the reason. When you'll submit your modification, tests will be restarted.

@tomav tomav added the wip label Apr 27, 2016
@stonemaster
Postfix: reject_invalid_hostname configuration option changed to reje…
09f9e8e 
…ct_invalid_helo_hostname string which is

the "modern" Postfix variant since version >=2.3. (same for non_fqdn_hostname)
@stonemaster
Copy link
Copy Markdown
Contributor Author

stonemaster commented Apr 27, 2016

Thanks for the review! That's a nice catch. I have been using those hostname* configuration options since ever and never noticed that have been deprecated for ages :-) It's funny though that nearly every blog post on anti-spam postfix configuration uses the deprecated configuration options. I also checked that the other options are recent and not deprecated.

@tomav tomav merged commit 1a77cb7 into docker-mailserver:v2 Apr 27, 2016
@tomav
Copy link
Copy Markdown
Contributor

tomav commented Apr 27, 2016

Thank you @stonemaster !

@tomav tomav removed the wip label Apr 27, 2016
RichardFevrier pushed a commit to RichardFevrier/docker-mailserver that referenced this pull request Aug 26, 2019
@tomav
Merge pull request docker-mailserver#165 from stonemaster/postfix-spam
168011c 
Adapted Postfix configuration to block typical spam sending
@polarathene polarathene mentioned this pull request Feb 9, 2023
Merged
7 tasks
This was referenced Dec 27, 2023
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@stonemaster @tomav