Postfix: Optimising order of spam checks?

spam postfix

I have a mail server (postfix v3.3) on a VPS running Ubuntu 18.04, processing both inbound and outbound mail (I have some websites sending mail, and some SASL auth users with accounts on the machine) with various systems: rate limiting as well as RBL, DKIM, SPF and virus checking using Amavis and Spamassassin.

However, it's hard to know where to put checks in so they only kick in when other less expensive ones have run while still retaining protection. I'm thinking of configuring main.cf like this, does it look sane? In terms of putting the least expensive checks first, should I be putting more checks in smtpd_client_restrictions, for example (since I assume these would run before, say, smtpd_sender_restrictions)?

disable_vrfy_command = yes
smtpd_helo_required = yes

smtpd_client_restrictions = 
        check_client_access hash:/etc/postfix/blacklist, 
        permit_mynetworks
 
smtpd_helo_restrictions =
        reject_invalid_helo_hostname
 
smtpd_sender_restrictions =
        # Filter through Amavis + spamassassin:
        check_client_access cidr:/etc/postfix/internal_clients_filter,
        permit_mynetworks,
        reject_unknown_reverse_client_hostname,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain

smtpd_recipient_restrictions =

smtpd_relay_restrictions =
        permit_mynetworks,
        # Rate limiting + geolimiting with postfwd
        # See https://github.com/Vnet-as/postfwd-anti-geoip-spam-plugin
        check_policy_service inet:127.0.0.1:10040,
        permit_sasl_authenticated,
        reject_unknown_recipient_domain,
        reject_non_fqdn_recipient,
        reject_unlisted_recipient,
        reject_unauth_destination,
        # Sender scoring https://github.com/DavidGoodwin/policyd-dnsbl-spf-geoip/blob/master/README.md 
        check_policy_service unix:private/senderCheck,
        permit_mx_backup

smtpd_data_restrictions =
        reject_unauth_pipelining

The tests are fired in the order they are specified in the comma separated list: if a test results in either permit or reject, all the other tests are omitted. This is how you can omit the more expensive tests if the less expensive are sufficient for the decision. From Getting selective with SMTP access restriction lists:

Each restriction list is evaluated from left to right until some restriction produces a result of PERMIT, REJECT or DEFER (try again later). The end of each list is equivalent to a PERMIT result. By placing a PERMIT restriction before a REJECT restriction you can make exceptions for specific clients or users. This is called allowlisting; the fourth example above allows mail from local networks but otherwise rejects mail to arbitrary destinations.

This continues with:

The table below summarizes the purpose of each SMTP access restriction list. All lists use the exact same syntax; they differ only in the time of evaluation and in the effect of a REJECT or DEFER result.

Therefore, from the perspective of your question it doesn't really matter which SMTP access restriction list you use. However, I'd actually recommend putting most of the tests to the smtpd_recipient_restrictions or the smtpd_relay_restrictions as both are evaluated after the RCPT TO command. This way you'll have the complete HELO, MAIL FROM and RCPT TO preserved in the logs, which might help debugging any false rejections.

Related

Cron Job to move files not running
Blocking client IP in HAProxy
how monitor root search path in linux RedHat 8.3?
When the Service Base Filtering Engine is active, ping and Remote Dsktvp do not work
Why can't I arping the direct broadcast of the LAN to populate the arp table?
AppCmd backup for IIS7 gives access denied error (hresult:80070005)
What methods are available for updating a non-Internet-connected VMWare ESXi host?
missing '=' etcd when defining service file
IP Configuration for a 10G Direct Link via NIC?
Create a tree-like structure with ansible
AWS - Connecting 2 VPC regions bi-directional?
Windows pptp VPN at startup