Adapted Postfix configuration to block typical spam sending #165
mail servers using an enhanced client, sender and helo restriction configuration.

The configuration has been adapted using this blog post: https://www.webstershome.co.uk/2014/04/07/postfix-blocking-spam-enters-server/

Basically mail servers having invalid configuration (as e.g. sending from a dynamic IP or a misconfigured hostname) will have their mails rejected.

Additionally three RBL servers are used to detect spam sending IPs: dnsbl.sorbs.net, zen.spamhaus.org and bl.spamcop.net.

The results of a 12h test drive using a 100+ daily spam mail account (SpamAssassin was always enabled, just counting delivered mails to inbox not counting what SA detected):
- Before: 34 incoming mails
- After change: 6 incoming mails (82% reduction)

Fixes #161.
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit | ||
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination | ||
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, | ||
reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, |
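Review bot: reject_invalid_hostname (in smtpd_helo_restrictions and again in the smtpd_recipient_restrictions continuation line) and reject_non_fqdn_hostname are the pre-2.3 spellings; use reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname instead. These HELO checks are only fully enforced with smtpd_helo_required = yes, which is not visible in these lines, so please confirm it is set elsewhere in main.cf; without it a client can skip the checks by not sending HELO or EHLO. The trailing permit in smtpd_helo_restrictions is also redundant, since reaching the end of the list already permits.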
reject_non_fqdn_hostname is for postfix <2.3 no? It should be reject_non_fqdn_helo_hostname.
Same for reject_invalid_hostname => reject_invalid_helo_hostname
Have a look at http://www.postfix.org/postconf.5.html
Hi @stonemaster, thank you for this enhancement on postfix configuration. Thank you.
Regarding the tests and CI, don't worry, it happens often on this test.
I'll have to find the reason. When you submit your modification, tests will be restarted.
…ct_invalid_helo_hostname string which is the "modern" Postfix variant since version >=2.3. (same for non_fqdn_hostname)
Thanks for the review! That's a nice catch. I have been using those hostname* configuration options since ever and never noticed that they have been deprecated for ages :-) It's funny though that nearly every blog post on anti-spam postfix configuration uses the deprecated configuration options. I also checked that the other options are recent and not deprecated.
Thank you @stonemaster !
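The rename discussed in this review can be checked mechanically. The following is an added example, not code from this project or from the PR: a small Python check that parses main.cf (including continuation lines) and reports restriction names that were renamed in Postfix 2.3. The function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Restriction names renamed in Postfix 2.3 (old name -> current name),
# as documented in postconf(5).
RENAMED = {
    "reject_invalid_hostname": "reject_invalid_helo_hostname",
    "reject_non_fqdn_hostname": "reject_non_fqdn_helo_hostname",
    "reject_unknown_hostname": "reject_unknown_helo_hostname",
    "reject_unknown_client": "reject_unknown_client_hostname",
}

def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines.

    In main.cf a line that starts with whitespace continues the previous
    logical line; blank lines and '#' comment lines are ignored.
    """
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
        elif "=" in raw:
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params

def find_deprecated(text):
    """List (parameter, old_name, new_name) for every pre-2.3 name used."""
    hits = []
    for param, value in parse_main_cf(text).items():
        if not param.endswith("_restrictions"):
            continue
        # Restrictions are separated by commas and/or whitespace.
        for token in re.split(r"[,\s]+", value):
            if token in RENAMED:
                hits.append((param, token, RENAMED[token]))
    return hits

# Constructed sample modelled on the lines under review in this PR.
SAMPLE = """\
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination, reject_non_fqdn_hostname,
    reject_unknown_recipient_domain
"""

if __name__ == "__main__":
    for param, old, new in find_deprecated(SAMPLE):
        print(f"{param}: {old} -> {new}")
```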