Optimal parameter set for Postfix "smtpd_recipient_restrictions"

We've inherited the DNS from another ISP, and now our mail server is bombarded by about 1000 emails per minute; 99.99% of these emails are just spam. We're trying to optimize the filtering/rejecting of the spam, without much luck.

What would be, in your opinion, the optimal set for smtpd_recipient_restrictions?

The system config: Ubuntu + Amavis + Postfix + MySQL + Fail2Ban-Postfix

Any advice is welcome!

UPDATE, 2012-08-08

After altering the Postfix configuration as follows and configuring the Postgrey service, the spam level dropped tenfold:

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_policy_service inet:127.0.0.1:10023,
    reject_rbl_client zen.spamhaus.org,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_pipelining,
    reject_unauth_destination



Solution 1:

Your order of rules is very bad. If you want to keep all of them and not add anything else, the order must be:

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_non_fqdn_recipient

And if that still is not enough, read about postscreen at http://www.postfix.org/POSTSCREEN_README.html.

Solution 2:

I would suggest a smtpd_recipient_restrictions similar to the following:

smtpd_recipient_restrictions =
  # Whitelisting or blacklisting:
  check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
  # Everyone should play by the rules:
  reject_non_fqdn_recipient,
  reject_non_fqdn_sender,
  reject_unknown_recipient_domain,
  reject_unknown_sender_domain,
  reject_unauth_pipelining,
  # Mail from your users:
  permit_mynetworks,
  permit_sasl_authenticated,
  # This blocks mail from clients with no reverse DNS record. It affects both spam and ham, but mostly spam.
  reject_unknown_reverse_client_hostname,
  # Instead of reject_unknown_reverse_client_hostname you can also use reject_unknown_client_hostname, which is an even stricter rule.
  # Reject ugly HELO/EHLO hostnames (could also affect regular mail):
  reject_non_fqdn_hostname,
  reject_invalid_helo_hostname,
  # Reject everything you're not responsible for:
  reject_unauth_destination,
  # Only take mail for existing accounts:
  reject_unverified_recipient,
  # DNS lookups are "expensive", so they should be at the bottom:
  reject_rbl_client zen.spamhaus.org

Detailed information on smtpd_recipient_restrictions can be found here: http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

Maybe you also want to use postgrey, postscreen, postfwd or some other policy daemon.

Also check that you are using amavisd-new in pre-queue mode.
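Both answers come down to the same two ordering rules: nothing that can return OK/PERMIT for an untrusted client may sit in front of reject_unauth_destination (or the host relays), and cheap syntactic rejects should run before anything that costs a DNSBL query, a verification probe or a policy-daemon round trip. The following linter, added here as an editorial example and not code from either answerer, checks a restriction list against those rules. It reads the value as main.cf does (indented lines continue the value, lines whose first non-blank character is `#` are comments) or as `postconf smtpd_recipient_restrictions` prints it. The split into "cheap" and "expensive" restrictions and the set of "safe" permits are my own classification, and the sample input is the list from the question's update, embedded as constructed data.

```python
"""Lint a Postfix smtpd_recipient_restrictions value for the ordering
problems discussed in this thread. Editorial example, not Postfix code."""
import re
import sys

# Checks that need no DNS, table or network lookup; cheap to run first.
CHEAP_REJECTS = {
    "reject_non_fqdn_sender", "reject_non_fqdn_recipient",
    "reject_non_fqdn_hostname", "reject_non_fqdn_helo_hostname",
    "reject_invalid_hostname", "reject_invalid_helo_hostname",
    "reject_unauth_pipelining", "reject_unauth_destination",
}
# Checks that cost a DNSBL query, an address-verification probe or a round
# trip to a policy daemon. Editorial choice: reject_unknown_*_domain also
# queries DNS but is treated as cheap here.
EXPENSIVE_PREFIXES = (
    "reject_rbl_client", "reject_rhsbl_", "check_policy_service",
    "reject_unverified_", "reject_unknown_client_hostname",
    "reject_unknown_reverse_client_hostname",
)
# Permits that only match clients you trust or destinations you host; the
# only permits that belong in front of reject_unauth_destination.
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated",
                "permit_auth_destination", "permit_tls_clientcerts"}
# Pre-2.3 spellings (still accepted) and the names postconf(5) documents.
RENAMED = {
    "reject_invalid_hostname": "reject_invalid_helo_hostname",
    "reject_non_fqdn_hostname": "reject_non_fqdn_helo_hostname",
    "reject_unknown_hostname": "reject_unknown_helo_hostname",
}
# Restrictions whose next token is an argument (table, server, DNS zone).
TAKES_ARG = ("check_", "reject_rbl_client", "reject_rhsbl_",
             "permit_dnswl_client", "permit_rhswl_client")


def parse_restrictions(text):
    """Tokenise as main.cf is read: a line whose first non-blank character is
    '#' is a comment, a leading 'smtpd_... =' is dropped, the rest is split
    on commas and whitespace. Returns (restriction, argument-or-None) pairs."""
    tokens = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if line.lstrip().startswith("smtpd_") and "=" in line:
            line = line.split("=", 1)[1]
        tokens.extend(t for t in re.split(r"[,\s]+", line) if t)
    pairs = []
    for tok in tokens:
        if pairs and pairs[-1][1] is None and pairs[-1][0].startswith(TAKES_ARG):
            pairs[-1] = (pairs[-1][0], tok)
        else:
            pairs.append((tok, None))
    return pairs


def lint_restrictions(text):
    """Return (severity, restriction, message) findings for the value."""
    names = [name for name, _ in parse_restrictions(text)]
    findings = []
    # 1. Relay safety: anything in front of reject_unauth_destination that
    #    can return OK/PERMIT lets the matching client relay anywhere.
    if "reject_unauth_destination" in names:
        relay_at = names.index("reject_unauth_destination")
    else:
        relay_at = len(names)
        findings.append(("ERROR", "reject_unauth_destination",
                         "missing: open relay unless smtpd_relay_restrictions "
                         "(Postfix >= 2.10) rejects unauthorized destinations"))
    for name in names[:relay_at]:
        if name.startswith("permit") and name not in SAFE_PERMITS:
            findings.append(("ERROR", name, "permit in front of "
                             "reject_unauth_destination: matching clients can relay"))
        elif name.startswith("check_"):
            findings.append(("WARN", name, "lookup in front of "
                             "reject_unauth_destination: an OK result permits "
                             "relaying; move it behind, or make sure it never returns OK"))
    # 2. Cost: do not spend a lookup on a client that a later cheap syntactic
    #    check would reject anyway.
    for i, name in enumerate(names):
        if name.startswith(EXPENSIVE_PREFIXES):
            later = [n for n in names[i + 1:] if n in CHEAP_REJECTS]
            if later:
                findings.append(("INFO", name,
                                 "lookup runs before cheap check " + later[0]))
    # 3. Old spellings.
    for name in names:
        if name in RENAMED:
            findings.append(("INFO", name,
                             "documented as " + RENAMED[name] + " since Postfix 2.3"))
    return findings


# Constructed sample input: the list from the question's 2012-08-08 update.
QUESTION_CONFIG = """\
smtpd_recipient_restrictions =
    permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_hostname, reject_invalid_hostname,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    check_policy_service inet:127.0.0.1:10023,
    reject_rbl_client zen.spamhaus.org,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_pipelining, reject_unauth_destination
"""

if __name__ == "__main__":
    text = QUESTION_CONFIG if sys.stdin.isatty() else sys.stdin.read()
    for severity, name, message in lint_restrictions(text):
        print(f"{severity:5} {name}: {message}")
```

Run against the question's list it reports two WARN findings (check_policy_service and check_recipient_access sit in front of reject_unauth_destination, which is what Solution 1 reorders), two INFO cost findings (the Postgrey policy call and the Spamhaus lookup run before reject_unauth_pipelining) and two INFO renames; Solution 1's order produces no ERROR or WARN. Saved as, say, lint_restrictions.py (a hypothetical filename), it can be fed the live value with `postconf smtpd_recipient_restrictions | python3 lint_restrictions.py`. Note that on Postfix 2.10 and later relay control normally lives in smtpd_relay_restrictions, whose default already contains defer_unauth_destination, so a missing reject_unauth_destination is only fatal if you have also emptied that parameter.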