How To Block Spam Before It Enters The Server (Postfix)

Version 1.0
Author: Falko Timme

The last few weeks have seen a dramatic increase in spam (once again). Estimates say that spam makes now up for 80 - 90% of all emails, and many mail servers have difficulties in managing the additional load caused by the latest spam, and spam filters such as SpamAssassin do not recognize large parts of that spam as they did before. Fortunately, we can block a big amount of that spam at the MTA level, for example by using blacklists, running tests on the sender and recipient domains, etc. An additional benefit of doing this is that it lowers the load on the mail servers because the (resource-hungry) spamfilters have to look at less emails.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

This is just a quick guide showing you how you can configure Postfix (2.x and 1.x) to block spam before entering the server. It's more or less self-explanatory. However, after applying this to your own mail server, you should check the mail log to make sure that no legitmate mails are blocked.

You should also take a look at this guide: https://www.howtoforge.com/virtual_postfix_antispam

And this category: https://www.howtoforge.com/taxonomy_menu/1/78/24 has some more great anti-spam solutions.

 

2 Postfix 2.x

Open /etc/postfix/main.cf and place the following lines in it (replacing the respective settings if they exist):

vi /etc/postfix/main.cf
[...]
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

smtpd_recipient_restrictions =
            reject_invalid_hostname,
            reject_unknown_recipient_domain,
            reject_unauth_pipelining,
            permit_mynetworks,
            permit_sasl_authenticated,
            reject_unauth_destination,
            reject_rbl_client multi.uribl.com,
            reject_rbl_client dsn.rfc-ignorant.org,
            reject_rbl_client dul.dnsbl.sorbs.net,
            reject_rbl_client list.dsbl.org,
            reject_rbl_client sbl-xbl.spamhaus.org,
            reject_rbl_client bl.spamcop.net,
            reject_rbl_client dnsbl.sorbs.net,
            reject_rbl_client cbl.abuseat.org,
            reject_rbl_client ix.dnsbl.manitu.net,
            reject_rbl_client combined.rbl.msrbl.net,
            reject_rbl_client rabl.nuclearelephant.com,
            permit
[...]

Restart Postfix afterwards:

/etc/init.d/postfix restart

 

3 Postfix 1.x

Open /etc/postfix/main.cf and place the following lines in it (replacing the respective settings if they exist):

vi /etc/postfix/main.cf
[...]
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

maps_rbl_domains =
            multi.uribl.com,
            dsn.rfc-ignorant.org,
            dul.dnsbl.sorbs.net,
            list.dsbl.org,
            sbl-xbl.spamhaus.org,
            bl.spamcop.net,
            dnsbl.sorbs.net,
            cbl.abuseat.org,
            ix.dnsbl.manitu.net,
            combined.rbl.msrbl.net,
            rabl.nuclearelephant.com

smtpd_recipient_restrictions =
            permit_sasl_authenticated,
            permit_mynetworks,
            reject_invalid_hostname,
            reject_non_fqdn_hostname,
            reject_non_fqdn_sender,
            reject_unknown_sender_domain,
            reject_unknown_recipient_domain,
            reject_maps_rbl,
            check_relay_domains
[...]

Restart Postfix afterwards:

/etc/init.d/postfix restart

 

4 More Blacklists

You can find more DNS & RHS blackhole lists that you can add to your Postfix configuration here: http://spamlinks.net/filter-dnsbl-lists.htm

 

5 Links

Share this page:

14 Comment(s)