how to configure postfix to reject spams
 

Hi, lately I have been getting lots of spams ( who doesn't these days? ), and I noticed that these spams are easy to detect, since from the following header information, you can see the sender's address is a fake one:

Message-ID: <000901c6c1b3$38dafc30$67b20c48@ryjcud.znx>
From: "Joshua Buchanan" <inb@statusproperty.co.uk>


So I am thinking to REJECT such spams from postfix. The rule would be simple:

extract sender's actual sending domain and claimed domain from Message-ID field and From field, and compare them. Normally these two should be same ( is it true? ). Otherwise, reject.

However, I am not an expert in postfix. Anyone could help how to configure postfix to do this task efficiently?

Thanks.

If you only want to reject invalid sender domains, you'll need this in your /etc/postfix/main.cf:

Or simply add the reject_unknown_sender_domain if you already have smtpd_sender_restrictions in your main.cf.

There are a lot more ways to use Postfix to block spam. If you post your main.cf file I could show you things you could add to it.

Here are relate lines in my main.cf:

smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
strict_rfc821_envelopes = no
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no

and Here is access:

enews.buy.com REJECT
lmsa.hinet.net REJECT
online.costco.com REJECT
orbitz.com REJECT


My questions are:

1) can you have both lines in main.cf


2) how does postfix decide unknown_sender_domain? Is there any false positive possibility?

Thanks.

You could change things to this for some good spam blocking. I also rearranged it a bit so it's easier to read and flows better.

I work for an ISP with about 40,000 users and we use these settings and more. We get very few false positives because of these settings.

The way it checks the reject_unknown_sender_domain is by seeing if the domain has an A or MX DNS record. The only reason the from domain wouldn't have one of those records is if they're spoofing.

Thanks a lot. I will change accordingly and see how that works.

A few more questions:

1) Any changes in other postfix files?

2) How to log postfix actions so that I can see if it works properly for a few days?

3) Instead of reject right away, how to set up postfix so that it puts those deemed spams to another folder for later inspection?
( I am trying to be very cautious. )

4) will this cause my domain on black list of other domains since I probe too much? What is your experience?

Thanks again.

1. Main.cf is the only file you need to change for now. If you want to do more advanced configurations of Postfix you might need to create/change other ones.

2. Postfix should automatically log to /var/log/mail.log. Depending on how your syslog is set up, you should have a few days of logs in there.

3. Postfix can't move files based on whether it thinks they're spam. You'd need a filter like procmail to do that. You could simply set up the rules and then place warn_if_reject right in front of them to have Postfix not actually reject email that would hit these new rules, but only place a warning in your log file so you can see what mail would have been rejected.

For example:

4. No, all that command does is reject mail from servers that do not issue a HELO command, which is required by RFC standards. All properly configured mail servers should give a HELO command.

Thanks a lot again.

My pleasure.

Hi, I just tested by sending an email bwteen my accounts on differnt domains, but got following error:

postfix/smtpd[27154]: warning: unknown smtpd restriction: "reject_uknown_sender_domain"
postfix/smtpd[27154]: NOQUEUE: reject: RCPT from destination.domain: 451 Server configuration error; from=<me@origin> to=<me@destination> proto=ESMTP helo=<destination_mail_server>

How to fix it? Thanks.

My mistake... it's a spelling error. Left out an "n" in unknown.

Change it in your main.cf file to:

reject_unknown_sender_domain

Yep, works. Actually mistake was mine. I just copied your lines without looking more carefully.

Thanks a lot again. :tisk:

Now here came a real test. I got another spam, and here are related header information:

To me it is obvious the sender address is a fake one, since it is very different from the comcast cable used.

When postfix checks the sender's address, how does it know the sender's address is a known (maybe valid instead) address? And how to catech this type of spams? Probably back to my original questions? :rolleyes:

Thanks.

A sender address can be spoofed very easily. Postfix has no way of knowing whether the email address the sender provides is a real email address or not. All Postfix can do is check to see if the domain.com portion of the email address exists using the reject_unknown_sender_domain rule and, in this case, this domain does exist and has an MX record so it passes that check.

For my SPAM, and I get lots of it, I use a combination of spamassassin and sieve. All the messages identified as SPAM go from my Inbox to my SPAM mailbox automatically. A couple of times per week I check my SPAM folder to see if there are any false/positives. If I do get a repeating false/negative then I use SPAMCop to report it.

Is there anyway for postfix to check the sender's domain against the sending address, i.e., the IP in the received from field? Since as you said, a sender's address can be spoofed easily, while the sending address is not unless the ISP is collaborating.