Spam prevention tips for Postfix [duplicate]

Without using SpamAssassin or similar, what are your best tips for preventing spam?

Please try and provide config examples :D


Solution 1:

I make use of:

  • smtpd_recipient_restrictions
  • DNS blacklists
  • local blacklists
  • header / body filters

Example:

smtpd_recipient_restrictions = permit_mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        check_policy_service unix:private/policy,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client psbl.surriel.com,
        reject_rbl_client dnsbl.sorbs.net,
        permit

The reject_non_fqdn_hostname option catches a lot of servers, but your mileage may vary depending on who you receive mail from.

Solution 2:

Use SPF, SpamAssassin, Razor, Pyzor, DCC, Graylist and use a setup like the example in the other answer:

smtpd_recipient_restrictions = permit_mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        check_policy_service unix:private/policy,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client psbl.surriel.com,
        reject_rbl_client dnsbl.sorbs.net,
        permit

Solution 3:

A nice idea is to have two separate machines (physical or virtual) for incoming and internal/outgoing SMTP traffic. That way you can have more restrictions in place for outside messages, more strict spam/attachment control, and less restrictive rules for internal mail (for example you might consider larger message size on internal server).

Using greylisting (for example postgrey) can be an excellent idea if you don't want to use SpamAssassin. Just put it high on the smtpd_recipient_restrictions list, like this:

smtpd_recipient_restrictions =
        reject_unauth_pipelining,
        permit_mynetworks,
        permit_sasl_authenticated,
        # reject relay attempts before they reach the greylisting service
        reject_unauth_destination,
        # checks for known hostnames, addresses, clients
        check_policy_service inet:127.0.0.1:60000

And remember to change the default delay time from 300 to something higher, preferably random (but not higher than 1200-1500). This way, if a mail server is unknown to your SMTP, it will have to wait a couple of minutes before trying to deliver a message again, thus relieving your spam filter and greatly reducing UBE.

I also suggest acquiring a good blacklist of popular spammer CIDR classes and filtering out incoming server SMTP traffic (not client) from ppp or dynamic domains. That should help also.
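
Added example (not from any of the answers and not postgrey's own code): how a greylisting policy service decides on the request Postfix sends through check_policy_service, using the Postfix policy delegation format of name=value lines ended by an empty line. The function names, the sample request and the /24 (IPv4) or /64 (IPv6) grouping of client addresses are assumptions of this example.

```python
import ipaddress

DELAY = 300  # seconds; the default delay mentioned above, raise it as suggested


def parse_request(text):
    """Parse one policy request: name=value lines terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def triplet(attrs):
    """Greylisting key: client network, envelope sender, envelope recipient."""
    ip = ipaddress.ip_address(attrs["client_address"])
    prefix = 24 if ip.version == 4 else 64  # assumption: group retries by subnet
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return (str(net), attrs.get("sender", "").lower(),
            attrs.get("recipient", "").lower())


def decide(attrs, first_seen, now, delay=DELAY):
    """Return the reply for Postfix; first_seen maps triplet -> first attempt time."""
    seen = first_seen.setdefault(triplet(attrs), now)
    waited = now - seen
    if waited >= delay:
        # DUNNO lets the remaining restrictions (RBLs, final permit) decide
        return "action=DUNNO\n\n"
    # Temporary failure: a real MTA queues the message and retries later
    return f"action=DEFER_IF_PERMIT Greylisted, retry in {delay - waited} seconds\n\n"


# Constructed sample request, shaped like what Postfix sends at RCPT TO
SAMPLE = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.25\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.net\n"
    "\n"
)

if __name__ == "__main__":
    db = {}
    req = parse_request(SAMPLE)
    for t in (0, 60, 300):  # first attempt, early retry, retry after the delay
        print(t, decide(req, db, t).strip())
```

The first two attempts are deferred and the third passes, which is why a larger delay only costs legitimate senders one extra retry cycle while senders that never retry are never accepted.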