How To Block Spam Before It Enters The Server (Postfix)

Submitted by falko on Mon, 2007-06-04 16:25.

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 05/31/2007

The last few weeks have seen a dramatic increase in spam (once again). Estimates say that spam now makes up 80 - 90% of all emails, and many mail servers have difficulty managing the additional load caused by the latest spam. Spam filters such as SpamAssassin also no longer recognize large parts of that spam as they did before. Fortunately, we can block a large amount of that spam at the MTA level, for example by using blacklists, running tests on the sender and recipient domains, etc. An additional benefit of doing this is that it lowers the load on the mail servers because the (resource-hungry) spam filters have to look at fewer emails.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

This is just a quick guide showing you how you can configure Postfix (2.x and 1.x) to block spam before it enters the server. It's more or less self-explanatory. However, after applying this to your own mail server, you should check the mail log to make sure that no legitimate mails are blocked.

You should also take a look at this guide: http://www.howtoforge.com/virtual_postfix_antispam

And this category: http://www.howtoforge.com/taxonomy_menu/1/78/24 has some more great anti-spam solutions.

 

2 Postfix 2.x

Open /etc/postfix/main.cf and place the following lines in it (replacing the respective settings if they exist):

vi /etc/postfix/main.cf

[...]
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

smtpd_recipient_restrictions =
            reject_invalid_hostname,
            reject_unknown_recipient_domain,
            reject_unauth_pipelining,
            permit_mynetworks,
            permit_sasl_authenticated,
            reject_unauth_destination,
            reject_rbl_client multi.uribl.com,
            reject_rbl_client dsn.rfc-ignorant.org,
            reject_rbl_client dul.dnsbl.sorbs.net,
            reject_rbl_client list.dsbl.org,
            reject_rbl_client sbl-xbl.spamhaus.org,
            reject_rbl_client bl.spamcop.net,
            reject_rbl_client dnsbl.sorbs.net,
            reject_rbl_client cbl.abuseat.org,
            reject_rbl_client ix.dnsbl.manitu.net,
            reject_rbl_client combined.rbl.msrbl.net,
            reject_rbl_client rabl.nuclearelephant.com,
            permit
[...]

Restart Postfix afterwards:

/etc/init.d/postfix restart
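
Section 1 recommends checking the mail log after applying these settings. The following Python script is an added example (not part of the original guide) that counts rejects per blacklist and per other restriction, and picks out rejected clients that have a reverse DNS name as the first candidates to review for false positives. The log lines are constructed samples in the Postfix 2.x smtpd format, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix 2.x smtpd log format (not real traffic).
SAMPLE_LOG = """\
Jun  7 17:05:48 server2 postfix/smtpd[23305]: connect from unknown[192.0.2.10]
Jun  7 17:05:49 server2 postfix/smtpd[23305]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using bl.spamcop.net; from=<promo@example.net> to=<info@example.com> proto=SMTP helo=<pc1>
Jun  7 17:06:10 server2 postfix/smtpd[23305]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 554 Service unavailable; Client host [198.51.100.7] blocked using bl.spamcop.net; from=<news@example.org> to=<info@example.com> proto=ESMTP helo=<mail.example.org>
Jun  7 17:06:30 server2 postfix/smtpd[23522]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using cbl.abuseat.org; constructed list reason; from=<x@example.net> to=<info@example.com> proto=ESMTP helo=<host5>
Jun  7 17:07:02 server2 postfix/smtpd[23522]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 <bad_name>: Helo command rejected: Invalid name; from=<a@example.net> to=<info@example.com> proto=SMTP helo=<bad_name>
"""

# One reject line: client, reply code (optional enhanced status), reason, envelope.
REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client>\S+): (?P<code>\d{3})(?: \d\.\d+\.\d+)? "
    r"(?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
RBL = re.compile(r"blocked using ([\w.-]+)")

def summarize(lines):
    """Return (rejects per blacklist, other reject reasons, per-reject records)."""
    by_list, other, records = Counter(), Counter(), []
    for line in lines:
        m = REJECT.search(line)
        if not m:
            continue                      # not a reject line
        rbl = RBL.search(m["reason"])
        if rbl:
            key = rbl.group(1)
            by_list[key] += 1
        else:
            # Drop the leading "<offending value>: " to group by restriction.
            key = re.sub(r"^<[^>]*>: ", "", m["reason"])
            other[key] += 1
        records.append((key, m["client"], m["sender"], m["rcpt"]))
    return by_list, other, records

def review_candidates(records):
    """Heuristic: clients with a reverse DNS name are likelier to be real servers."""
    return [r for r in records if not r[1].startswith("unknown[")]

if __name__ == "__main__":
    by_list, other, records = summarize(SAMPLE_LOG.splitlines())
    for name, count in (by_list + other).most_common():
        print(f"{count:5d}  {name}")
    for key, client, sender, rcpt in review_candidates(records):
        print(f"review: {client} {sender} -> {rcpt} ({key})")
```

To run it on a real server, pass the lines of your own mail log to `summarize()` instead of `SAMPLE_LOG`.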

 

3 Postfix 1.x

Open /etc/postfix/main.cf and place the following lines in it (replacing the respective settings if they exist):

vi /etc/postfix/main.cf

[...]
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

maps_rbl_domains =
            multi.uribl.com,
            dsn.rfc-ignorant.org,
            dul.dnsbl.sorbs.net,
            list.dsbl.org,
            sbl-xbl.spamhaus.org,
            bl.spamcop.net,
            dnsbl.sorbs.net,
            cbl.abuseat.org,
            ix.dnsbl.manitu.net,
            combined.rbl.msrbl.net,
            rabl.nuclearelephant.com

smtpd_recipient_restrictions =
            permit_sasl_authenticated,
            permit_mynetworks,
            reject_invalid_hostname,
            reject_non_fqdn_hostname,
            reject_non_fqdn_sender,
            reject_unknown_sender_domain,
            reject_unknown_recipient_domain,
            reject_maps_rbl,
            check_relay_domains
[...]

Restart Postfix afterwards:

/etc/init.d/postfix restart

 

4 More Blacklists

You can find more DNS & RHS blackhole lists that you can add to your Postfix configuration here: http://spamlinks.net/filter-dnsbl-lists.htm
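
Before adding a list to reject_rbl_client, it is worth confirming that the zone still answers and does not list every address. The following Python code is an added example (not part of the original guide) showing how a DNSBL query name is built and how a zone can be checked with the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not). The zones under dnsbl.example and the fake_lookup resolver are constructed so the example runs offline.

```python
import socket

def dnsbl_name(ipv4, zone):
    """Query name for an IPv4 address: octets reversed, then the list zone."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(
        o.isascii() and o.isdigit() and int(o) < 256 for o in octets
    ):
        raise ValueError("not an IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_lookup(name):
    """True if the name resolves to an A record (listed), else False."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:                      # NXDOMAIN, timeout, resolver failure
        return False

def check_zone(zone, lookup=system_lookup):
    """Classify a zone using the RFC 5782 test entries."""
    listed = lookup(dnsbl_name("127.0.0.2", zone))   # must be listed
    clean = lookup(dnsbl_name("127.0.0.1", zone))    # must never be listed
    if clean:
        return "lists-everything"        # would reject all mail
    return "ok" if listed else "no-answer"

def fake_lookup(name):
    """Constructed offline resolver standing in for DNS (hypothetical zones)."""
    if name.endswith(".wild.dnsbl.example"):
        return True                      # wildcard zone: answers for every name
    return name == "2.0.0.127.good.dnsbl.example"

if __name__ == "__main__":
    print(dnsbl_name("192.0.2.10", "bl.spamcop.net"))
    for zone in ("good.dnsbl.example", "wild.dnsbl.example", "gone.dnsbl.example"):
        print(zone, check_zone(zone, fake_lookup))
```

Calling `check_zone("zone.name")` without the second argument uses the system resolver; a result other than "ok" means the list should not go into main.cf.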

 

Submitted by AnonymousSpamEater (not registered) on Mon, 2012-09-10 13:55.
I had dialup.rbl.kropka.net in my reject-lists as well, do not use it as it started rejecting ALL E-Mail a couple days ago!
Submitted by Senthil (not registered) on Wed, 2012-05-09 21:47.
These settings work great, but occasionally mail from an ill-configured legit server gets bounced away. Is there a way to simply accept all messages and mark a spam header so the client filters it out?
Submitted by OJS (not registered) on Wed, 2011-11-23 16:10.

Thank you so very much! IT WORKS!!!!! No need to buy these expensive spam-filters. I have indeed reduced my overall spam by as much as 90% WOW!!!!!!!!!

 

Thank you Thank you Thank you

Submitted by Ananya (not registered) on Mon, 2011-06-20 10:31.

Spam Filter Blacklist is a site I came across which lists the words, IP addresses, email IDs, and domains most commonly used by the spammers. These contents help us a lot before we can filter the emails for spam.

Submitted by gwa7 (registered user) on Fri, 2009-03-20 23:03.
The following line should be removed from the above main.cf:

reject_rbl_client list.dsbl.org

list.dsbl.org is no longer available.

For more info, see this web page:

http://dsbl.org/

Otherwise, the above guide has worked well for me.

Thanks,

Gary
Submitted by roadfox (registered user) on Tue, 2007-10-16 23:28.

Rejecting senders with the above method is problematic, because the reject decision is based on the first match of a single test. You should consider implementing:

 http://www.policyd-weight.org/

policyd-weight is calculating a score, based on different tests (HELO, MX, DNSBL, RHSBL) and only if the resulting score is passing a certain value the sender is rejected.

Also, policyd-weight is implementing a caching mechanism for the blacklist lookups.

 

 

Submitted by future (registered user) on Wed, 2007-06-06 00:27.

Please do not use nonexistent and old databases.

First, do not use relays.ordb.org. This service has been down since 18 Dec 2006. Next, the composite RBL database sbl-xbl.spamhaus.org is superseded by zen.spamhaus.org.

Then I quickly checked whether a DNS A record exists for the other proposed RBL databases. Unfortunately, only bl.spamcop.net, dnsbl.sorbs.net, cbl.abuseat.org and ix.dnsbl.manitu.net exist.

 

Submitted by minskog (registered user) on Thu, 2007-06-07 16:25.

ix.dnsbl.manitu.net doesn't work for me :?


Jun  7 17:05:48 server2 postfix/smtpd[23305]: warning: 195.32.73.212.ix.dnsbl.manitu.net: RBL lookup error: Host or domain name not found. Name service error for name=195.32.73.212.ix.dnsbl.manitu.net type=A: Host not found, try again


Jun  7 17:05:56 server2 postfix/smtpd[23522]: warning: 74.8.55.212.ix.dnsbl.manitu.net: RBL lookup error: Host or domain name not found. Name service error for name=74.8.55.212.ix.dnsbl.manitu.net type=A: Host not found, try again


Jun  7 17:07:31 server2 postfix/smtpd[23522]: warning: 175.92.249.66.ix.dnsbl.manitu.net: RBL lookup error: Host or domain name not found. Name service error for name=175.92.249.66.ix.dnsbl.manitu.net type=A: Host not found, try again


Submitted by admin (registered user) on Fri, 2007-06-08 07:02.
The above warnings are normal for the ix.dnsbl.manitu.net list. They mean that the sender IP is not blacklisted.
Submitted by minskog (registered user) on Fri, 2007-06-08 10:35.
    Thanks for the info :)