Postfix,SpamAssasin,ClamAV - Need configuration to kill spam.

Discussion in 'Installation/Configuration' started by Tekati, Oct 26, 2016.

  1. Tekati

    Tekati ISPConfig Developer ISPConfig Developer

    Lets face it spam is about the biggest evil we all face. We are using our ISPConfig3 implementation to handle around 2000 email accounts. We did host at fusemail.com and they obviously knew how to handle spam. Now that we have taken over our own email we gets complaints constantly from clients about spam.

    Does anyone have a hardened true way to handle spam? I am happy to share my configuration but we still have massive amounts of spam that gets through. Here is the big one. main.cf if you would like to see any others let me know.

    We would even be happy to use a spam service if it is reasonable. But I have to think we can tackle this on our own if we had some help. This is just a hodgepodge of stuff I have collected using google.

    main.cf
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/apache2/certs/SECURE.com.crt
    smtpd_tls_key_file = /etc/apache2/certs/SECURE.com.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname = smtp.SECURE.com
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = smtp.SECURE.com, mail.SECURE.com, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 OURSUBNETS
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps =
        hash:/var/lib/mailman/data/virtual-mailman,
        proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
        proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
    virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
    unknown_local_recipient_reject_code = 550
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_restriction_classes = greylisting
    greylisting = check_policy_service inet:127.0.0.1:10023
    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
        check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf,
        check_policy_service unix:private/policy-spf
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_non_fqdn_hostname,
        reject_invalid_helo_hostname,
        check_helo_access regexp:/etc/postfix/blacklist_helo
    smtpd_sender_restrictions =
        check_sender_access regexp:/etc/postfix/tag_as_originating.re,
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf,
        check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_unauth_pipelining,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unknown_client_hostname,
        reject_rhsbl_client blackhole.securitysage.com,
        reject_rhsbl_sender blackhole.securitysage.com,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client dnsbl.sorbs.net,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client blackholes.easynet.nl,
        reject_rbl_client proxies.blackholes.wirehub.net,
        reject_rbl_client ubl.unsubscore.com,
    smtpd_client_message_rate_limit = 100
    strict_rfc821_envelopes = yes
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_delay_reject = yes
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    smtp_tls_security_level = may
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    mydomain = SECURE.com
    compatibility_level = 2
    postscreen_greet_action = enforce
    policy-spf_time_limit = 3600s
    
     
  2. beryl

    beryl New Member

    We tried Pyzor on our CRM servern and it made a radical difference to only using spam-assassin.
    http://www.pyzor.org/en/release-1-0-0/
    Should be installed by standard to ISPConfig, in my opinion.
     
  3. vk3heg

    vk3heg Member

    Have a look at spamexperts. http://www.spamexperts.com
    Its a service that you point your MX records to and then they send email to your server. Lots of configurable options.
     
  4. Jesse Norell

    Jesse Norell Active Member

    postscreen can cut out a lot of junk, assuming you can live with your users sending mail on port 587 (not 25).
     
  5. cbj4074

    cbj4074 Member

    @Tekati

    To chime-in, we're having a related discussion at https://www.howtoforge.com/community/threads/spam-filtering-is-not-working.74549/#post-350907 , which might interest you.

    I've been in the spam-fighting business for over 6 years now on my ISPConfig systems, and here's what has been most effective for me:

    - postscreen
    - postgrey
    - pyzor
    - razor2
    - RBLs
    - spf/dkim analysis
    - Bayes training
    - some basic (but very effective) Postfix directives that enforce strict standards and eliminate a huge percentage of spammers

    With a user-base as large as yours, Bayesian training will go a long way. You can configure Dovecot to use the Antispam plugin, which can be used to train your Bayes database in a mostly-automated way. When a user moves a message from Inbox to Junk/Spam, for example, you can train your Bayes database against the message, automatically (and vice versa, when he moves a message from Junk/Spam to Inbox).

    I would look into all of the above. :)
     

Share This Page