Optional Postfix Spam Fighting Tips¶
Note: Most of this will be unnecessary if you have installed Rspamd. Another layer probably won't hurt, but every additional rejection rule makes troubleshooting harder when a legitimate mail fails to reach your server, so add these one at a time and watch the mail log after each change.
Reject Email if SMTP Client Has no PTR record¶
Due to the prevalence of spam, many mail servers require that SMTP clients have a valid PTR record for their IP address. Every mail server admin should set a PTR record for their own SMTP servers (the PTR record lives in the reverse zone of the IP address, so it is usually configured through your hosting provider rather than in your own DNS zone).
To filter out emails with no PTR records, open Postfix main configuration file:
nano /etc/postfix/main.cf
Add the following line to smtpd_sender_restrictions. It rejects the message if the client IP address has no PTR record (Postfix logs such clients as unknown[1.2.3.4]). Note that the reply code comes from unknown_client_reject_code, which defaults to 450, so out of the box this is a temporary rejection: a sender that fixes its PTR record will still get through on a later retry. Set unknown_client_reject_code = 550 in main.cf if you want a permanent rejection; lookups that fail because of a temporary DNS problem always get 450.
reject_unknown_reverse_client_hostname
Example:
smtpd_sender_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unknown_reverse_client_hostname
Restart Postfix for the change to take effect.
systemctl restart postfix
Enable HELO/EHLO Hostname Restrictions in Postfix¶
Some spammers don't provide a valid HELO/EHLO hostname in the SMTP dialog: the name may not be fully qualified, may not exist in DNS at all, or may only resolve on an internal network.
To enable HELO/EHLO hostname restriction, edit Postfix main configuration file:
nano /etc/postfix/main.cf
Add the following line to require the client to provide a HELO/EHLO hostname:
smtpd_helo_required = yes
Use the following line to reject a HELO/EHLO hostname that is not in fully-qualified domain (or address literal) form:
reject_non_fqdn_helo_hostname
Use the following line to reject clients that provide a syntactically malformed HELO/EHLO hostname:
reject_invalid_helo_hostname
To reject email when the HELO/EHLO hostname has neither a DNS A record nor an MX record, use:
reject_unknown_helo_hostname
As with the client hostname checks, the reply code (unknown_hostname_reject_code) defaults to 450, and a temporary DNS failure always yields 450, so a legitimate sender with a broken resolver on your side is delayed rather than bounced.
Note that although most legitimate mail servers have a valid A record for their HELO/EHLO hostname, occasionally a legitimate mail server doesn't meet this requirement. Whitelist those with check_helo_access, placed before the reject_* checks so that it is evaluated first:
check_helo_access hash:/etc/postfix/helo_access
Create the /etc/postfix/helo_access file:
nano /etc/postfix/helo_access
Whitelist the legitimate mail server's HELO/EHLO hostname, one entry per line, like below.
subdomain.domain.com OK
Postfix reads the compiled helo_access.db, not the text file, so build it now and again after every edit:
postmap /etc/postfix/helo_access
Example:
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
check_helo_access hash:/etc/postfix/helo_access
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
Save and close the file, then reload Postfix.
systemctl reload postfix
Reject Email if SMTP Client Hostname doesn’t have valid A Record¶
A legitimate email server should also have a valid A record for the hostname found in its PTR record, and the IP address returned by that A record should be the IP address of the email server (forward-confirmed reverse DNS). reject_unknown_client_hostname enforces exactly this: it rejects when the client IP has no PTR record, when the name in the PTR record has no A record, or when that A record does not point back to the client IP. It is a strict check, and Postfix's own documentation warns that it can reject mail from legitimate but sloppily configured sites, so watch the log for "unknown" clients you care about. Because it already includes the PTR check, listing reject_unknown_reverse_client_hostname in front of it is harmless but redundant. To filter out emails from hosts that don't have a valid A record, edit the Postfix main configuration file.
nano /etc/postfix/main.cf
Add the following lines to smtpd_sender_restrictions:
reject_unknown_reverse_client_hostname
reject_unknown_client_hostname
Example:
smtpd_sender_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unknown_reverse_client_hostname
reject_unknown_client_hostname
Save and close the file. Then restart Postfix for the change to take effect:
systemctl restart postfix
Reject Email If MAIL FROM Domain Has Neither MX Record Nor A Record¶
The MAIL FROM address is also known as the envelope from address. Some spammers use a non-existent domain in the MAIL FROM address. When a domain has no MX record, Postfix falls back to the A record of the domain itself and delivers to that host. If the sender domain has neither an MX record nor an A record, Postfix cannot send email to that domain, so why accept mail that you cannot even reply to?
To filter out this kind of spam, edit Postfix main configuration file:
nano /etc/postfix/main.cf
Add the following line to smtpd_sender_restrictions. It rejects the email if the domain of the address given in the MAIL FROM command has neither an MX record nor an A record (the reply code is unknown_address_reject_code, default 450; a temporary DNS failure always gets 450 so the sender retries). The empty sender address <> used by bounce messages has no domain and is never rejected by this check:
reject_unknown_sender_domain
Example:
smtpd_sender_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unknown_sender_domain
reject_unknown_reverse_client_hostname
reject_unknown_client_hostname
Save and close the file. Then restart Postfix for the change to take effect:
systemctl restart postfix
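The HELO/EHLO, client hostname and MAIL FROM checks in the three sections above all come down to a handful of DNS lookups and a comparison. The following script is an added example, not code from the original page or from Postfix: it models which of those restrictions would fire for a given HELO name, client IP and sender address. The DNS answers come from a constructed in-memory table (every IP and hostname in it is made up), so it runs offline; temporary lookup failures are modelled as a PTR value of None.

```python
"""Added example, not code from the original page or from Postfix: a small
model of the checks behind reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname,
reject_unknown_reverse_client_hostname, reject_unknown_client_hostname and
reject_unknown_sender_domain. DNS answers come from a constructed table so
the script runs offline; every IP and name in it is invented."""
import ipaddress
import re

# Constructed DNS data. PTR is keyed by client IP; A and MX by name.
# A PTR value of None stands for a temporary lookup failure (SERVFAIL).
PTR = {
    "192.0.2.10": "mx1.example.org",    # forward-confirmed
    "192.0.2.20": "mail.example.net",   # forward record points elsewhere
    "192.0.2.30": "ghost.example.net",  # PTR name has no A record at all
    "192.0.2.40": None,                 # resolver error
}
A = {
    "mx1.example.org": {"192.0.2.10"},
    "mail.example.net": {"198.51.100.7"},
    "smtp.example.com": {"203.0.113.5"},
}
MX = {"example.com": {"smtp.example.com"}}

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Syntax check in the spirit of reject_invalid_helo_hostname: dotted
    labels of letters, digits and hyphens, or an address literal such as
    [192.0.2.1] or [IPv6:2001:db8::1]."""
    if name.startswith("[") and name.endswith("]"):
        try:
            ipaddress.ip_address(name[1:-1].removeprefix("IPv6:"))
            return True
        except ValueError:
            return False
    labels = name.rstrip(".").split(".")
    return len(name) <= 255 and all(LABEL.match(label) for label in labels)


def is_fqdn(name: str) -> bool:
    """reject_non_fqdn_helo_hostname wants at least two labels."""
    return len(name.rstrip(".").split(".")) >= 2


def helo_verdict(helo: str) -> str:
    """Return the restriction that would fire for this HELO/EHLO, or 'OK'."""
    if not helo:
        return "smtpd_helo_required"
    if not is_valid_hostname(helo):
        return "reject_invalid_helo_hostname"
    if helo.startswith("["):
        return "OK"  # address literal: there is no name to look up
    if not is_fqdn(helo):
        return "reject_non_fqdn_helo_hostname"
    name = helo.lower().rstrip(".")
    if name not in A and name not in MX:
        return "reject_unknown_helo_hostname"
    return "OK"


def client_verdict(ip: str, strict: bool = False) -> str:
    """strict=False models reject_unknown_reverse_client_hostname (a PTR
    record must exist); strict=True models reject_unknown_client_hostname
    (the PTR name must also resolve back to the client IP). A temporary
    DNS error is reported as TEMPFAIL: Postfix answers 450 so the client
    retries instead of being bounced."""
    if ip not in PTR:
        return ("reject_unknown_client_hostname" if strict
                else "reject_unknown_reverse_client_hostname")
    name = PTR[ip]
    if name is None:
        return "TEMPFAIL"
    if not strict:
        return "OK"
    if ip not in A.get(name, set()):
        return "reject_unknown_client_hostname"
    return "OK"


def sender_domain_verdict(address: str) -> str:
    """reject_unknown_sender_domain: the MAIL FROM domain needs an MX record
    or, failing that, an A record. The empty bounce sender is never rejected."""
    if address in ("", "<>"):
        return "OK"
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if domain in MX or domain in A:
        return "OK"
    return "reject_unknown_sender_domain"


if __name__ == "__main__":
    for helo in ("", "localhost", "mail_server.example.org", "[192.0.2.10]",
                 "nothere.example.org", "mx1.example.org"):
        print(f"HELO {helo!r:28} -> {helo_verdict(helo)}")
    for ip in PTR | {"192.0.2.50": None}:
        print(f"client {ip:12} -> {client_verdict(ip)} / strict: {client_verdict(ip, True)}")
    for addr in ("alice@example.com", "carol@nowhere.example", "<>"):
        print(f"MAIL FROM {addr:24} -> {sender_domain_verdict(addr)}")
```

Running the script against the constructed table shows the practical difference between the two client checks: 192.0.2.20 and 192.0.2.30 pass reject_unknown_reverse_client_hostname (they have a PTR record) but fail reject_unknown_client_hostname, which is why the stricter check produces more false positives on real traffic.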
Enable Greylisting in Postfix¶
As required by the SMTP protocol (RFC 5321), a legitimate SMTP client must keep a message in its queue and retry when the server answers with a temporary (4xx) failure. (By default, Postfix itself retries a deferred message for several days before it informs the sender that the message could not be delivered.) Many spammers send once and never retry, and greylisting exploits exactly that difference.
Postgrey is a greylisting policy server for Postfix. You can install postgrey using apt:
apt install postgrey
Start and enable with:
systemctl start postgrey
systemctl enable postgrey
It listens on TCP port 10023 on localhost (by default on both IPv4 and IPv6). Verify with:
netstat -lnpt | grep postgrey
By default, the greylist delay is 300 seconds, which means an unknown SMTP client has to wait 5 minutes before its retry is accepted. If that is too long for you, change it to 60 or 120 seconds. This is configured in the /etc/default/postgrey file:
nano /etc/default/postgrey
Find the following line:
POSTGREY_OPTS="--inet=10023"
Change it to the following (this also binds the listener to the IPv4 loopback address only, which matches the check_policy_service address used below):
POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=60"
Save and close the file. Then restart postgrey for the change to take effect.
systemctl restart postgrey
Next, we need to edit Postfix main configuration file to make it use the greylisting policy server:
nano /etc/postfix/main.cf
Add the following line to smtpd_recipient_restrictions, after reject_unauth_destination (so relay attempts are refused before the policy server is consulted) and before any blacklist lookups:
check_policy_service inet:127.0.0.1:10023
Restart Postfix.
systemctl restart postfix
From now on, Postgrey answers with a temporary rejection (450, "Greylisted") when the sender triplet (client IP address, envelope sender address, recipient address) has not been seen before. A legitimate server keeps the message in its queue and retries; once a retry arrives after the delay has passed, the triplet is remembered and the message is accepted, and later mail with the same triplet passes without delay. Postgrey also auto-whitelists a client after a number of successful deliveries (5 by default), so the delay is mostly paid once per sending server rather than once per correspondent.
Chinese email spammers like to use a fake, weird-looking, randomly generated sender address for every email, so adding these addresses to a blacklist won't stop them. On the other hand, they never retry a rejected email with the same sender address, which means greylisting can be very effective at stopping this kind of spam.
Greylisting can degrade the experience for your users, who have to wait several extra minutes for a first-time sender's email to arrive. To minimize this, you can create a whitelist.
Postgrey ships with two whitelist files (/etc/postgrey/whitelist_clients and /etc/postgrey/whitelist_recipients). The former lists client hostnames (a domain entry also matches all of its subdomains; IP addresses, CIDR ranges and /regex/ patterns are accepted too), the latter lists recipient addresses whose mail should never be greylisted.
By default, Google's mail servers are whitelisted. Whether the sender uses a @gmail.com address or some other address, as long as the message comes through Google's mail servers, Postgrey won't delay it.
You can add other hostnames to the whitelist_clients file, one per line, then restart postgrey (systemctl restart postgrey) so it picks them up:
facebook.com
bounce.twitter.com
blogger.com
email.medium.com
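check_policy_service hands each delivery attempt to the policy server as a block of attribute=value lines and acts on the action= it gets back. The following is an added example, not code from the original page or from Postgrey: a minimal greylisting policy that speaks that protocol, keeps the triplet table in memory, applies a whitelist_clients-style suffix match and masks the client IP to /24 the way Postgrey's default lookup does. The delay, the whitelist entries and the sample request are constructed for the demonstration; a real deployment would persist the triplet table and speak the protocol over a socket.

```python
"""Added example, not code from the original page or from Postgrey: a
minimal greylisting policy in the Postfix policy-delegation protocol used
by check_policy_service (attribute=value lines, a blank line ends the
request; the reply is 'action=...' followed by a blank line). The delay,
whitelist entries and sample request are constructed for the demo."""
from dataclasses import dataclass, field


@dataclass
class Greylist:
    delay: int = 300                                   # seconds, as --delay
    whitelist_clients: tuple = ("google.com", "bounce.twitter.com")
    seen: dict = field(default_factory=dict)           # triplet -> first seen

    @staticmethod
    def parse_request(raw: str) -> dict:
        """Postfix sends 'name=value' lines terminated by an empty line."""
        attrs = {}
        for line in raw.split("\n"):
            if line == "":
                break
            name, _, value = line.partition("=")
            attrs[name] = value
        return attrs

    @staticmethod
    def client_key(ip: str) -> str:
        """Postgrey's default --lookup-by-subnet drops the last IPv4 octet,
        so a retry from a sibling host of the same sending pool still matches."""
        parts = ip.split(".")
        return ".".join(parts[:3]) if len(parts) == 4 else ip

    def client_whitelisted(self, client_name: str) -> bool:
        """whitelist_clients semantics for hostnames: an entry matches the
        name itself and every subdomain of it."""
        name = client_name.lower().rstrip(".")
        return any(name == w or name.endswith("." + w)
                   for w in self.whitelist_clients)

    def decide(self, raw_request: str, now: int) -> str:
        """Return the policy reply for one request at time `now` (seconds)."""
        req = self.parse_request(raw_request)
        if req.get("request") != "smtpd_access_policy":
            return "action=DUNNO\n\n"              # not an SMTP access query
        if self.client_whitelisted(req.get("client_name", "")):
            return "action=DUNNO\n\n"              # trusted sender: no delay
        triplet = (self.client_key(req.get("client_address", "")),
                   req.get("sender", "").lower(),
                   req.get("recipient", "").lower())
        first = self.seen.setdefault(triplet, now)  # remember first attempt
        remaining = self.delay - (now - first)
        if remaining > 0:
            # DEFER_IF_PERMIT: send 450 only if no later restriction rejects anyway
            return f"action=DEFER_IF_PERMIT Greylisted, retry in {remaining} seconds\n\n"
        return "action=DUNNO\n\n"                  # known triplet: let it through


if __name__ == "__main__":
    g = Greylist(delay=60)
    req = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
           "client_address=203.0.113.5\nclient_name=unknown\n"
           "sender=bob@example.org\nrecipient=alice@example.com\n\n")
    print(g.decide(req, now=0).strip())      # deferred: triplet is new
    print(g.decide(req, now=60).strip())     # accepted: retried after the delay
```

DEFER_IF_PERMIT rather than DEFER is the right action for a greylister: it lets the remaining restrictions run first, so a client that would be rejected outright anyway is not merely asked to come back later.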
Using Public Anti-Spam Blacklists¶
There are spam emails sent from servers that have a valid hostname and a valid PTR record and that get past greylisting. In that case, you can use a blacklist (DNSBL) to reject them. There are many public anti-spam blacklists online, and you can query several of them. Go to https://www.debouncer.com or https://mxtoolbox.com, enter the spammer's domain and IP address to see which blacklists list them, and then use those blacklists. Some example blacklists:
dbl.spamhaus.org (domain-based)
zen.spamhaus.org (IP-based)
multi.uribl.com
ivmURI (the InvaluementURI list, a paid service)
So we can add the following configuration to the /etc/postfix/main.cf file. Some public blacklist services charge a monthly fee; for now we'll use the free services of spamhaus.org, abuseat.org and spamcop.net. Two things to know before enabling them. First, the free Spamhaus mirrors do not serve queries that arrive through public resolvers such as Google or Cloudflare DNS, or that exceed the free query volume: instead of "not listed" they answer with an error code (127.255.255.x), and an unfiltered reject_rbl_client treats any answer as "listed", so your server would start rejecting all mail. Use a local caching resolver and restrict each lookup to the codes that really mean "listed" with the zone=127.0.0.[2..11] suffix syntax (Spamhaus ZEN uses 127.0.0.2 to 127.0.0.11, Spamhaus DBL 127.0.1.2 to 127.0.1.99, SpamCop and CBL 127.0.0.2). Second, the CBL data behind cbl.abuseat.org is also a component of the Spamhaus XBL, which ZEN includes, so querying both only doubles the DNS traffic.
nano /etc/postfix/main.cf
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99],
reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
reject_rbl_client cbl.abuseat.org=127.0.0.2,
reject_rbl_client bl.spamcop.net=127.0.0.2
Explanation:
- reject_rhsbl_helo rejects the email when the client's HELO/EHLO hostname is on the domain blacklist.
- reject_rhsbl_reverse_client rejects the email when the unverified reverse client hostname, i.e. the name Postfix obtains from the PTR record of the client IP, is on the domain blacklist.
- reject_rhsbl_sender rejects the email when the MAIL FROM domain is on the domain blacklist.
- reject_rbl_client queries an IP-based blacklist and rejects the email when the client IP address is listed.
The =127.0.0.[2..11] style suffix limits which DNS answers count as a listing. Without it, Postfix treats any A record the zone returns as "listed", including error answers such as 127.255.255.254 from Spamhaus (query via a public resolver) or 127.0.1.255 from the DBL (an IP address was looked up instead of a domain, which happens whenever a client's HELO name is a bare IP), and legitimate mail gets rejected.
Some spammers send through Google's mail servers, so reject_rhsbl_helo is ineffective against them, but most of them use their own domain in the MAIL FROM command, so reject_rhsbl_sender will still catch them.
Create A Whitelist¶
Sometimes a legitimate email server ends up on a blacklist. You can create a whitelist so it won't be blocked. Create the following file.
nano /etc/postfix/rbl_override
In this file, whitelist client domain names one per line, each followed by the action OK. check_client_access matches the client hostname (taken from its PTR record) and every parent domain of it, so one domain entry covers all of a provider's sending hosts. Comment lines start with #; Postfix access tables have no // comment syntax, and text placed after OK on the same line would be read as part of the action.
# this domain belongs to drip.com
dripemail2.com OK
# this domain belongs to the mailerlite email marketing service
mlsend.com OK
Save and close the file. Then run the following command to create the rbl_override.db file:
postmap /etc/postfix/rbl_override
Edit Postfix main configuration file:
nano /etc/postfix/main.cf
In smtpd_recipient_restrictions, add the following line after reject_unauth_destination, but before the first blacklist:
check_client_access hash:/etc/postfix/rbl_override,
Reload Postfix for the changes to take effect.
systemctl reload postfix
Using Public Whitelist to Reduce False Positive¶
Maintaining a private whitelist is sometimes necessary, but you can also use public whitelists, the best known of which is dnswl.org. Currently it offers only an IP address whitelist; the domain name whitelist is in beta. To use it, put the following line in smtpd_recipient_restrictions.
permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
list.dnswl.org answers 127.0.<category>.<trust>, where the last octet is the trust level: 0 means "none" (a known sender that is nevertheless a spam source, such as some freemail providers) and 1, 2 and 3 mean low, medium and high trust. The [1..3] filter therefore skips the zero-trust entries instead of whitelisting them. The line must be placed above the reject_rbl_client checks, because Postfix stops at the first restriction that returns a decision.
Another well-known whitelist is swl.spamhaus.org, so you can also add it to your configuration.
permit_dnswl_client swl.spamhaus.org,
An IP address cannot be listed in the Spamhaus whitelist and a Spamhaus blacklist at the same time, so if the only blacklists you use in Postfix are Spamhaus's, checking the Spamhaus whitelist as well gains you nothing.
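Both the blacklist section (reject_rbl_client, reject_rhsbl_*) and the dnswl.org whitelist above rely on the same mechanism: turn an IP address or domain into a DNS name under the list's zone, look it up, and decide whether the returned 127.x.y.z address counts as a hit. The script below is an added example, not code from the original page, from Postfix or from any list operator: it builds those query names for IPv4, IPv6 and domains, parses Postfix's zone=127.0.0.[2..11] return-code filter, and walks a restriction list in order the way Postfix does. All DNS answers come from a constructed table (the listed IPs and domains are invented), including the Spamhaus error codes, so it shows why an unfiltered lookup rejects legitimate mail and why the permit_dnswl_client line has to come before the blacklists.

```python
"""Added example, not code from the original page, Postfix or any DNSBL
operator: how reject_rbl_client, reject_rhsbl_* and permit_dnswl_client
turn a client IP or domain into a DNS query, how Postfix's
'zone=127.0.0.[2..11]' return-code filter is applied, and why it matters.
All DNS answers come from a constructed table; the IPs and domains are
invented, and the error codes mirror the ones Spamhaus documents."""
import ipaddress
import re

# Constructed answers keyed by query name. A missing key means NXDOMAIN,
# i.e. "not listed". 127.255.255.254 (query via a public resolver) and
# 127.0.1.255 (an IP was sent to the domain list) are error codes.
ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],         # listed (XBL)
    "5.113.0.203.zen.spamhaus.org": ["127.255.255.254"],  # error, not a listing
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.10"],      # listed (PBL)
    "7.100.51.198.list.dnswl.org": ["127.0.5.2"],         # whitelisted, medium trust
    "192.0.2.10.dbl.spamhaus.org": ["127.0.1.255"],       # DBL refuses IP queries
    "spammy.example.dbl.spamhaus.org": ["127.0.1.4"],     # listed domain
}


def lookup(qname: str) -> list:
    """Stand-in for a DNS A lookup against the constructed table."""
    return ANSWERS.get(qname, [])


def rbl_query_name(ip: str, zone: str) -> str:
    """IP-based lists: reverse the IPv4 octets, or all 32 IPv6 nibbles."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(ip.split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def rhsbl_query_name(name: str, zone: str) -> str:
    """Domain-based (RHSBL) lists: the name is prepended unchanged."""
    return f"{name.lower().rstrip('.')}.{zone}"


def parse_filter(spec: str):
    """'zone' or 'zone=d.d.d.d' where each octet may be a [lo..hi] range.
    Without a filter Postfix counts ANY A record as a listing, errors too."""
    zone, _, pattern = spec.partition("=")
    if not pattern:
        return zone, lambda answer: True
    octets = []
    for tok in re.findall(r"\[\d+\.\.\d+\]|\d+", pattern):
        if tok.startswith("["):
            lo, hi = (int(x) for x in tok[1:-1].split(".."))
        else:
            lo = hi = int(tok)
        octets.append((lo, hi))
    if len(octets) != 4:
        raise ValueError(f"bad return-code filter: {pattern}")

    def match(answer: str) -> bool:
        parts = [int(p) for p in answer.split(".")]
        return all(lo <= p <= hi for p, (lo, hi) in zip(parts, octets))
    return zone, match


def evaluate(restrictions, client_ip, client_name, helo, sender_domain,
             resolver=lookup):
    """Walk a restriction list in order, as Postfix does, and return the
    first decisive result as (verdict, restriction, answer)."""
    subject = {
        "permit_dnswl_client": lambda z: rbl_query_name(client_ip, z),
        "reject_rbl_client": lambda z: rbl_query_name(client_ip, z),
        "reject_rhsbl_helo": lambda z: rhsbl_query_name(helo, z),
        "reject_rhsbl_reverse_client": lambda z: rhsbl_query_name(client_name, z),
        "reject_rhsbl_sender": lambda z: rhsbl_query_name(sender_domain, z),
    }
    for item in restrictions:
        name, _, spec = item.partition(" ")
        zone, match = parse_filter(spec)
        hits = [a for a in resolver(subject[name](zone)) if match(a)]
        if hits:
            verdict = "permit" if name.startswith("permit_") else "reject"
            return verdict, item, hits[0]
    return "dunno", None, None


if __name__ == "__main__":
    # The same client through an unfiltered and a filtered Spamhaus lookup.
    for spec in ("zen.spamhaus.org", "zen.spamhaus.org=127.0.0.[2..11]"):
        print(spec, "->", evaluate([f"reject_rbl_client {spec}"],
                                   "203.0.113.5", "unknown", "x.example", "example.net"))
    # Whitelist before blacklist, then the other way round.
    rules = ["permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]",
             "reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]"]
    print(evaluate(rules, "198.51.100.7", "a.example", "a.example", "example.org"))
    print(evaluate(rules[::-1], "198.51.100.7", "a.example", "a.example", "example.org"))
```

The first pair of lines printed by the script is the whole argument for the return-code filter: the constructed 127.255.255.254 answer rejects the client when the lookup is unfiltered and is ignored once the [2..11] range is in place.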