LinuxQuestions.org


ddaas 06-21-2011 08:07 AM

Postfix & anti-spam optimization
 
Hello,
My postfix server has been working great for the last 1-2 years. Lately the number of spams increased (from 1-2 every day to approx. 8-10 every day per domain for some domains).

I post here the output of postconf -n. Maybe someone can give me some advice about what I can change or how I can optimize. I must recognise that I don't fully understand the details of how postfix and all the restrictions work together, but I will document every piece of advice.


Thanks

Code:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = cma.xx, cma.cma.xx, localhost.cma.xx, localhost
myhostname = mail.xx.xx
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname permit
smtpd_recipient_restrictions = reject_non_fqdn_sender reject_non_fqdn_recipient permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_sender_login_mismatch reject_invalid_hostname reject_unknown_sender_domain  reject_unknown_recipient_domain reject_unverified_recipient reject_unlisted_recipient reject_invalid_helo_hostname check_sender_access hash:/etc/postfix/access_sender check_helo_access pcre:/etc/postfix/helo_checks reject_unknown_sender_domain reject_rbl_client zen.spamhaus.org, reject_rhsbl_sender    dsn.rfc-ignorant.org permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, permit
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/valias.txt
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/spool/vmail
virtual_mailbox_domains = /etc/postfix/vhost.txt
virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt
virtual_uid_maps = static:1000


Skaperen 06-21-2011 11:56 AM

What other anti-spam utilities are you using? It is not obvious from main.cf just what you are doing. You should have amavis and clamav to run all the arriving mail through to help filter spam.

ddaas 06-22-2011 04:14 AM

As far as I know, amavis and clamav are anti-virus software and not anti-spam.

In fact, I am interested in what I could optimize here:

Code:

smtpd_recipient_restrictions = reject_non_fqdn_sender reject_non_fqdn_recipient permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_sender_login_mismatch reject_invalid_hostname reject_unknown_sender_domain  reject_unknown_recipient_domain reject_unverified_recipient reject_unlisted_recipient reject_invalid_helo_hostname check_sender_access hash:/etc/postfix/access_sender check_helo_access pcre:/etc/postfix/helo_checks reject_unknown_sender_domain reject_rbl_client zen.spamhaus.org, reject_rhsbl_sender    dsn.rfc-ignorant.org permit

Noway2 06-22-2011 05:05 AM

Here are a couple of threads where I have discussed this. In particular, this thread discusses using anti-spam measures in layers, which is one of the key things that you will need to do. This thread has some tips that are quite recent as I have been having a problem with a real increase in spam too.

As I mention in the threads, you will need to apply your spam filtering in layers. Start with greylisting, which will require the sender to use a compliant mail client. Then use HELO restrictions to keep some junk from even being queued up. Follow this with some DNS checks, such as the RBL list. Note, this is a YMMV issue, but I had to place the spamhaus check towards the top in my list or else messages would be accepted before the check. I think it may have been a conflict with the Amavis checks. Next, use a content filter such as DSpam or Spamassassin. These are resource intense so if you can reject it before it gets there you're better off. Amavis works with Spamassassin by co-ordinating the filtering of your mail of which virus checking is a part, but it isn't just for viruses. I found I was having a real problem with certain senders and regions which I blocked. If you find that you have a problem with repeat offenders, look up the domain by the AS number and block their entire IP range. Also watch your reject codes. A 400 level code, typical of a DNS problem, is a temporary code and may just cause the stuff to keep coming back. Lastly, consider reporting the stuff that does get through to Spamcop and cause grief for their ISPs.

Once you install the content filter, e.g. Spamassassin, it will take some time to train it as far as what is spam and what is not, as well as tweaking the rules.

In any case, implement one thing at a time and see what effect it has. If you do too much at once, you won't know how effective a particular measure was.
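
Added example, not part of any post in this thread: Postfix evaluates a restriction list in order and stops at the first restriction that permits or rejects, so entry order decides whether a DNS blocklist lookup is ever reached. This Python sketch audits the smtpd_recipient_restrictions value from the first post for repeated entries (counting the pre-2.3 names as their current equivalents) and for access-table lookups that sit ahead of the first DNS blocklist check, where an OK result would skip it; the function names and finding labels are hypothetical.

```python
import re

ALIASES = {  # pre-2.3 Postfix names and the current names they map to
    "reject_invalid_hostname": "reject_invalid_helo_hostname",
    "reject_non_fqdn_hostname": "reject_non_fqdn_helo_hostname",
    "reject_unknown_hostname": "reject_unknown_helo_hostname",
}
# Restrictions followed by one argument (lookup table or DNS zone).
TAKES_ARG = re.compile(r"^(check_\w+|reject_rbl_client|reject_rhsbl_\w+)$")
DNS_LISTS = ("reject_rbl_client", "reject_rhsbl_")

PAGE_VALUE = (  # smtpd_recipient_restrictions from the postconf -n output above
    "reject_non_fqdn_sender reject_non_fqdn_recipient permit_mynetworks "
    "permit_sasl_authenticated reject_unauth_destination reject_sender_login_mismatch "
    "reject_invalid_hostname reject_unknown_sender_domain  reject_unknown_recipient_domain "
    "reject_unverified_recipient reject_unlisted_recipient reject_invalid_helo_hostname "
    "check_sender_access hash:/etc/postfix/access_sender check_helo_access "
    "pcre:/etc/postfix/helo_checks reject_unknown_sender_domain "
    "reject_rbl_client zen.spamhaus.org, reject_rhsbl_sender    dsn.rfc-ignorant.org permit"
)

def parse(value):
    """Split a restriction list into ordered (name, argument) pairs."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items, i = [], 0
    while i < len(tokens):
        name, arg = ALIASES.get(tokens[i], tokens[i]), None
        if TAKES_ARG.match(name) and i + 1 < len(tokens):
            i, arg = i + 1, tokens[i + 1]
        items.append((name, arg))
        i += 1
    return items

def audit(value):
    """Return (label, name, position, position) findings, 1-based positions."""
    items = parse(value)
    findings, first_seen = [], {}
    for pos, item in enumerate(items, 1):
        first = first_seen.setdefault(item, pos)
        if first != pos:
            findings.append(("duplicate", item[0], first, pos))
    dnsbl = next((p for p, (n, _) in enumerate(items, 1) if n.startswith(DNS_LISTS)), None)
    for pos, (name, _) in enumerate(items[:(dnsbl or 1) - 1], 1):
        if name.startswith("check_"):  # an OK table result ends the list here
            findings.append(("before-dnsbl", name, pos, dnsbl))
    return findings

if __name__ == "__main__":
    print(*audit(PAGE_VALUE), sep="\n")
```
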

ddaas 06-22-2011 05:26 AM

Thanks. I will read those threads you have recommended.

