Antispam solution: additions to the Postfix main.cf that stop 90% of all spam

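# main.cf -- Postfix anti-spam setup as posted (January 2008).
# Syntax is postconf(5): a line that starts with whitespace continues the
# previous parameter, and "#" is only a comment when it starts a line of its
# own. Whether a comment line placed INSIDE a continued value is ignored or
# ends that value depends on the Postfix version, so every commented-out
# candidate below is kept outside the multi-line values, never interleaved.
# Postfix keeps only the last definition when a parameter is set twice; this
# file therefore defines each parameter exactly once.
# Replace host.domain.com with the real hostname before use.

myhostname = host.domain.com
# The original set myorigin twice (host.domain.com, then /etc/mailname); only
# the last value was ever in effect, so only that one is kept.
myorigin = /etc/mailname
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#mydestination = host.domain.com, localhost
relayhost =
# Only the local host is trusted for relaying. Widening this is the usual way
# a server turns into an open relay; every address range added here may relay.
mynetworks = 127.0.0.0/8
mailbox_command =
mailbox_size_limit = 0
recipient_delimiter = +
#inet_interfaces = all
inet_interfaces = host.domain.com localhost
inet_protocols = ipv4

# Largest accepted message, in bytes (10 MiB).
message_size_limit = 10485760

notify_classes =
    resource,
    software

bounce_size_limit = 1024

# Permanent (5xx) rejects instead of the Postfix 450 defaults. Postfix's own
# advice is to keep the 4xx defaults while a rule is new and watch the logs,
# because a 5xx answer to a false positive loses the mail for good.
invalid_hostname_reject_code = 554
access_map_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
non_fqdn_reject_code = 554
unknown_sender_reject_code = 554
# Sender verification probes can fail for reasons on the remote side (greylisting,
# outage); 554 turns such a failure into a permanent reject of that message.
unverified_sender_reject_code = 554
unverified_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
multi_recipient_bounce_reject_code = 554
unknown_virtual_mailbox_reject_code = 554

# VRFY lets any client enumerate valid addresses; disable it.
disable_vrfy_command = yes

# Restriction class referenced from /etc/postfix/verify_sender.map: probe the
# sender address before accepting mail that claims to come from that domain.
# The original class was "reject_unverified_sender, permit". That trailing
# permit ended the whole recipient restriction list with OK for any sender that
# verified -- and because check_sender_access ran BEFORE reject_unauth_destination,
# anyone using a real freemail address could relay through this host. The permit
# is removed: a verified sender now simply continues into the checks that follow.
smtpd_restriction_classes = verify_sender
verify_sender = reject_unverified_sender


## in order of processing. restrictions/anti-spam
# With smtpd_delay_reject = yes (below) all lists are evaluated at RCPT TO, so
# rejects from this list are still logged with sender and recipient.
smtpd_client_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_rbl_client zen.spamhaus.org
# Disabled candidates for the list above (keep them out of the value itself):
# reject_rhsbl_sender dsn.rfc-ignorant.org  -- rfc-ignorant.org is no longer operated
# reject_rbl_client list.dsbl.org           -- DSBL is no longer operated
# reject_unknown_client                     -- also rejects legitimate clients whose
#                                              reverse DNS is broken
# A DNSBL zone that is no longer maintained can time out or, if the domain
# changes hands, answer positively for everything; verify a list is alive
# before enabling it. zen.spamhaus.org is maintained, but check Spamhaus's
# usage terms for your query volume and resolver setup.

smtpd_helo_required = yes

smtpd_helo_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    check_helo_access regexp:/etc/postfix/helo.regexp,
    permit

# NOTE: the original spelled this parameter "smtpd_sender_restricitons".
# Postfix does not know that name, so none of these restrictions were in effect.
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    permit_tls_all_clientcerts,
    reject_rbl_client zen.spamhaus.org,
    reject_unknown_sender_domain
# permit_tls_all_clientcerts only has an effect when client certificates are
# requested (smtpd_tls_ask_ccert), which this file does not enable.
# Dropped from the original list:
# check_relay_domains              -- deprecated since Postfix 2.0; relay control is
#                                     done by reject_unauth_destination below
# reject_rbl_client list.dsbl.org  -- DSBL is no longer operated

smtpd_delay_reject = yes

# Relay control comes first: mail that is neither for a local domain nor from a
# trusted or authenticated client is rejected before any DNS lookup is spent on
# it, and before any later restriction (including a restriction class) could
# return OK. This was the main correctness problem of the original ordering.
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    reject_unknown_recipient_domain,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    check_sender_access hash:/etc/postfix/verify_sender.map,
    reject_rbl_client zen.spamhaus.org
# Removed from the original list:
# reject_rbl_client multi.uribl.com           -- URIBL lists URIs found in message
#                                                bodies, not client addresses; querying
#                                                it with a client IP is a misuse
# reject_rbl_client dsn.rfc-ignorant.org      -- domain (RHS) lists, as the author's own
# reject_rbl_client bogusmx.rfc-ignorant.org     reject_rhsbl_sender use shows, and the
#                                                service is no longer operated
# reject_rbl_client list.dsbl.org             -- DSBL is no longer operated
# Further candidates the author kept disabled. Several of these zones have shut
# down since; verify each one is maintained before enabling it:
# reject_rbl_client cbl.anti-spam.org.cn
# reject_rbl_client blackholes.five-ten-sg.com
# reject_rbl_client dnsbl.ahbl.org
# reject_rbl_client dnsbl.njabl.org
# reject_rbl_client multi.surbl.org              (URI list, same caveat as URIBL)
# reject_rbl_client bl.spamcop.net
# reject_rbl_client cbl.abuseat.org              (already part of zen.spamhaus.org)
# reject_rbl_client ix.dnsbl.manitu.net
# reject_rbl_client l1.apews.org
# reject_rbl_client l2.apews.org
# reject_rbl_client t1.dnsbl.net.au
# reject_rbl_client combined.rbl.msrbl.net
# reject_rbl_client rabl.nuclearelephant.com
# reject_rbl_client dnsbl.sorbs.net
# reject_rhsbl_sender rhsbl.sorbs.net
# The original also contained a SECOND smtpd_recipient_restrictions line in the
# TLS section ("permit_sasl_authenticated,permit_mynetworks,reject _unauth_destination").
# Because Postfix keeps the last definition, that short line replaced the whole
# anti-spam list above, and its broken last element would have produced a
# configuration error on every recipient. It has been merged into this list.

smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit


# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
# smtpd_use_tls / smtp_use_tls are the pre-2.3 switches; on Postfix 2.3 and later
# the equivalent is smtpd_tls_security_level = may and smtp_tls_security_level = may.
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# SASL (SMTP AUTH) for roaming users
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
# No anonymous mechanisms; plaintext mechanisms remain allowed (see next note).
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# "no" announces AUTH on unencrypted sessions too, so a plaintext login can cross
# the network in the clear. Set this to "yes" once all submitting clients use
# STARTTLS; then AUTH is only offered inside an encrypted session.
smtpd_tls_auth_only = no
### see also local.cf from spamassassin, add header if user auth over smtp
smtpd_sasl_authenticated_header = yes

home_mailbox = Maildir/

# virtual_maps is the pre-2.0 name; virtual_alias_maps is the current parameter.
virtual_maps = hash:/etc/postfix/virtusertable

# The contents of the named file supply the list of locally delivered domains.
mydestination = /etc/postfix/local-host-names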


Extra files:
/etc/postfix/helo.regexp
# /etc/postfix/helo.regexp -- regexp access table used from
# smtpd_helo_restrictions in main.cf. A client that introduces itself with one
# of this server's own names or addresses is lying, so it is rejected with a
# permanent 550. Patterns are tried top to bottom and the first match wins.
# Replace host.domain.com and the two bracketed addresses with this server's
# real hostname and public addresses.
/^localhost$/ 550 Don't use my own hostname
/^host\.domain\.com$/ 550 Don't use my own hostname
/^127\.0\.0\.1$/ 550 Don't use my own IP address
/^\[180\.169\.9\.91]$/ 550 Don't use my own IP address
/^\[180\.169\.9\.92]$/ 550 Don't use my own IP address
# The two patterns below reject any HELO that is a bare IP address. The author
# left them disabled on purpose: webmail systems and roaming clients often send
# such a HELO and would be blocked.
#/^[0-9.]+$/ 550 Your software is not RFC 2821 compliant
#/^[0-9]+(\.[0-9]+){3}$/ 550 Your software is not RFC 2821 compliant

/etc/postfix/verify_sender.map
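# /etc/postfix/verify_sender.map -- hash access table referenced by
# check_sender_access in smtpd_recipient_restrictions. Each line maps a sender
# domain to the restriction class "verify_sender" defined in main.cf, so mail
# claiming to come from one of these (mostly freemail) domains is only accepted
# when the sender address verifies. Domains not listed here are not probed.
# Rebuild the indexed file after every edit:  postmap /etc/postfix/verify_sender.map
## reverse check the email addresses.
## Example: domain.extension verify_sender
earthlink.net verify_sender
hotmail.com verify_sender
# Was "verify sender" in the original; "verify" is not an access action, so
# Postfix would treat a lookup for this domain as a configuration error
# (most likely a temporary reject) instead of verifying the sender.
lycos.com verify_sender
msn.com verify_sender
netscape.com verify_sender
netscape.net verify_sender
yahoo.com verify_sender
gmail.com verify_sender
gmail.nl verify_sender
live.com verify_sender
charter.net verify_sender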

And don't forget to run postmap on verify_sender.map and then reload Postfix (/etc/init.d/postfix reload).
I'm running this setup on my company's server. Without zen.spamhaus.org I get about 1600 spam mails a day;
with it, about 160. Adding URIBL, sender verification and rfc-ignorant saves another 5-8% of spam,
so only about 2% reaches my network, and that is then handled by the antispam server.
I get only 1 spam message a week for about 100 users.

Good luck.

The commented-out lines are better left commented out:
they can block webmail and roaming users.
