LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 08-19-2006, 05:02 AM   #16
ananda81
LQ Newbie
 
Registered: Aug 2006
Posts: 4

Rep: Reputation: 0

Is there any need to install and configure antivirus on a mail server (Postfix)?
If yes, then how do I give antivirus protection to a Postfix mail server?
Can anyone please tell me.
 
Old 09-03-2006, 06:03 PM   #17
nuzzy
Member
 
Registered: Aug 2001
Location: New Hampshire, USA
Distribution: Ubuntu 6.06 LTS
Posts: 204

Rep: Reputation: 31
For antivirus, use clamav. I personally use a clamav/amavis combo...

I also use postgrey for greylisting SPAM and it's been working great.
 
Old 12-19-2006, 04:01 AM   #18
dr_sad
Member
 
Registered: Apr 2005
Location: Russia, West Sibirian town Surgut.
Distribution: SuSE 10.0
Posts: 38

Rep: Reputation: 15
Hi all.
I am trying to make my main.cf better. As you recommend, I have added this to main.cf:
Code:
smtpd_helo_restrictions =
        reject_invalid_hostname,
        reject_non_fqdn_hostname
But my local users cannot send email in that case. When I added "permit_mynetworks" the issue was solved.
Code:
smtpd_helo_restrictions =
        permit_mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_hostname
Why does that happen? Is the point reverse DNS for local users' IPs?
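Added worked example, not code from this thread or from Postfix: Postfix walks a restriction list top to bottom, and the first restriction that returns PERMIT or REJECT decides; a restriction that does not apply is silent and the next one is consulted. Local desktops commonly announce a bare machine name in HELO (for example WORKSTATION), which reject_non_fqdn_hostname rejects regardless of reverse DNS; putting permit_mynetworks first returns PERMIT before that check is ever reached. The $mynetworks ranges, client addresses and HELO names below are constructed, and the two hostname tests are simplified re-statements of the Postfix checks (the real rules live in valid_hostname.c).

```python
"""Postfix evaluates an smtpd_*_restrictions list top to bottom: the first restriction that
returns a verdict (PERMIT or REJECT) ends the evaluation; a restriction that does not apply
is silent (DUNNO) and the next one is consulted. The hostname tests below are simplified
re-statements of what reject_invalid_hostname and reject_non_fqdn_hostname check; they are
an added example, not Postfix's own code (see valid_hostname.c for the real rules)."""
import ipaddress
import re

# Constructed $mynetworks for the example: loopback plus one office LAN
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1..63 chars
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_address_literal(helo):
    """HELO [1.2.3.4] is allowed by both reject_*_hostname checks."""
    return helo.startswith("[") and helo.endswith("]")


def permit_mynetworks(client_ip, helo):
    """PERMIT clients inside $mynetworks; otherwise stay silent (None = DUNNO)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MYNETWORKS):
        return "PERMIT"
    return None


def reject_invalid_hostname(client_ip, helo):
    """REJECT (501) a HELO name with bad syntax, e.g. a label starting with '-'."""
    if is_address_literal(helo):
        return None
    labels = helo.rstrip(".").split(".")
    if labels and all(LABEL.match(label) for label in labels):
        return None
    return "REJECT 501 Helo command rejected: Invalid name"


def reject_non_fqdn_hostname(client_ip, helo):
    """REJECT (504) a HELO name that is not fully qualified, e.g. a bare PC name."""
    if is_address_literal(helo):
        return None
    labels = helo.rstrip(".").split(".")
    if len(labels) >= 2 and not labels[-1].isdigit():
        return None
    return "REJECT 504 Helo command rejected: need fully-qualified hostname"


def evaluate(restrictions, client_ip, helo):
    """Return (verdict, name of the restriction that decided)."""
    for restriction in restrictions:
        verdict = restriction(client_ip, helo)
        if verdict is not None:
            return verdict, restriction.__name__
    # smtpd_helo_restrictions ends with an implicit permit
    return "PERMIT", "end-of-list"


# The two lists from the post above
WITHOUT_MYNETWORKS = [reject_invalid_hostname, reject_non_fqdn_hostname]
WITH_MYNETWORKS = [permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname]

if __name__ == "__main__":
    # Constructed cases: a LAN desktop announcing its bare machine name, and outside hosts
    for restrictions in (WITHOUT_MYNETWORKS, WITH_MYNETWORKS):
        print([r.__name__ for r in restrictions])
        for ip, helo in [("192.168.1.23", "WORKSTATION"),
                         ("203.0.113.5", "WORKSTATION"),
                         ("203.0.113.5", "mail.example.org"),
                         ("203.0.113.5", "-bad.example.org"),
                         ("203.0.113.5", "[203.0.113.5]")]:
            print("  %-14s helo=%-18s -> %s by %s" % ((ip, helo) + evaluate(restrictions, ip, helo)))
```

Running it shows the LAN client with HELO WORKSTATION rejected with 504 by the first list and permitted by permit_mynetworks in the second, while an outside client with the same HELO is still rejected in both; neither check consults DNS at all.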
 
Old 12-19-2006, 08:08 AM   #19
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Rep: Reputation: 34
The majority of spam is sent using dynamic ADSL/cable subscriber lines and thus not through legitimate MTAs. It might be, or is mostly the case, that these are sent using spambots or infected computers that are poorly secured from the internet. Or some are sending spam directly from their computers. Therefore reverse lookups won't match their domains/hosts.

To help you further mitigate these kinds of spammers, use Postgrey. Postgrey is a third-party anti-spam tool used to greylist, or temporarily reject, sending SMTP clients during the RCPT TO command. As said, it is only temporary, as a test of whether the sending client is a real MTA. If the client is not an MTA but a computer used by a spambot, it won't, or will very seldom, retry after a greylisting or temporary RCPT rejection period. The majority of spam and virus mails are rejected by this method, and it will save you lots of CPU cycles, especially if you also have content scanners like Amavisd-new, SpamAssassin and ClamAV installed. Legitimate MTAs shall be auto-whitelisted after several successful deliveries. Postgrey is a GREYLISTING implementation for Postfix.

Also, I recently added a contributed patch for Postgrey to make it even harder for spammers' bots to retry, in case they do, by adding a --retry=2 startup option. Meaning, in case bots have already learned to retry, they need to retry another time. This makes their delay even longer and they might lose interest. Further, an option to further delay auto-whitelisting is also available, which is --auto-whitelist-delay=3600.

Postgrey:
http://isg.ee.ethz.ch/tools/postgrey/

Tarpit+Greylist+S25R:
http://k2net.hakuba.jp/targrey/index.en.html
http://k2net.hakuba.jp/pub/targrey-0...rey-1.27.patch
http://k2net.hakuba.jp/spam/postfix.conf.2.tar.gz
http://k2net.hakuba.jp/pub/postfix-sleep.patch

The postfix.conf.2.tar.gz has all the necessary config files, and they will just need to be copied to /etc/postfix. I don't yet fully understand much of it, but all I can say is that it is working for me. It has greatly reduced my quarantine area again, and just to show you, here is an 'ls' of my quarantine yesterday.

Code:
root@mxwall:/etc/postfix# ls -l /var/virusmails |grep 2006-12-18
-rw-r-----  1 amavisd amavisd   25367 2006-12-18 02:43 spam-ED+2PXN9zB8K.gz
-rw-r-----  1 amavisd amavisd   27741 2006-12-18 23:32 spam-FCJ-P18n7nPh.gz
-rw-r-----  1 amavisd amavisd   33744 2006-12-18 05:20 spam-GTVtdIYzawxA.gz
-rw-r-----  1 amavisd amavisd   31619 2006-12-18 07:01 spam-MVn4E61LqUoL.gz
-rw-r-----  1 amavisd amavisd   28224 2006-12-18 23:01 spam-Q28Z3YQnUoYo.gz
-rw-r-----  1 amavisd amavisd   19595 2006-12-18 06:25 spam-gBvd6oXXZ+Vk.gz
-rw-r-----  1 amavisd amavisd   29992 2006-12-18 11:10 spam-lXjnVevMTCHm.gz
-rw-r-----  1 amavisd amavisd   20372 2006-12-18 06:26 spam-nxXgmOW41Tzy.gz
-rw-r-----  1 amavisd amavisd   10213 2006-12-18 23:19 spam-vcFNcp6Lmp1J.gz
Checking these lately, they came mostly from spamming servers that only send, since when I've telneted, they won't accept connections on port 25.

Here is a pertinent main.cf portion I'm using that you can make as your guide:

Code:
smtpd_helo_required = yes
smtpd_helo_restrictions =
        permit_mynetworks
        reject_invalid_hostname
        reject_non_fqdn_hostname
        check_helo_access regexp:/etc/postfix/reject_helo
I also added two regexp lines in reject_helo, and it is those that I'm sure have blocked clients using only domain.tld and not a fully qualified hostname as HELO, which I'm sure legitimate MTAs won't do. reject_helo is included with postfix.conf.2.tar.gz.

Code:
/^[a-z]+\.[a-z]{2}$/		REJECT match HELO blacklist
/^[a-z]+\.[a-z]{3}$/		REJECT match HELO blacklist
Code:
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        check_client_access hash:/etc/postfix/whitelist_client
        check_client_access regexp:/etc/postfix/permit_client_nots25r
        check_client_access mysql:/etc/postfix/mysql-client.cf
        ....
        ..... others
        ....
        # this is Postgrey
        check_policy_service inet:127.0.0.1:10023
        ...
        permit
Here is a portion of my logs to show how it works:

Dec 19 20:08:51 mxwall postfix/smtpd[30090]: NOQUEUE: warn: RCPT from cik172.neoplus.adsl.tpnet.pl[83.31.34.172]: ; from=<Off@cfcunit.org> to=<pro@****.gov.ph> proto=ESMTP helo=<cik172.neoplus.adsl.tpnet.pl>
Dec 19 20:09:01 mxwall postfix/smtpd[30090]: NOQUEUE: sleep: RCPT from cik172.neoplus.adsl.tpnet.pl[83.31.34.172]: lost connection after 10 sec; from=<Off@cfcunit.org> to=<pro@****.gov.ph> proto=ESMTP helo=<cik172.neoplus.adsl.tpnet.pl>

Dec 19 20:09:01 mxwall postfix/smtpd[30090]: lost connection after RCPT from cik172.neoplus.adsl.tpnet.pl[83.31.34.172]
Dec 19 20:09:01 mxwall postfix/smtpd[30090]: disconnect from cik172.neoplus.adsl.tpnet.pl[83.31.34.172]

And also, in case you are still interested in DKIM, here it is.

http://mipassoc.org/dkim
http://www.ijs.si/software/amavisd/a...docs.html#dkim
http://www.elandsys.com/resources/sendmail/dkim.html

-------
GANI
 
1 members found this post helpful.
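Added worked example, not code from this thread or from Postgrey: a toy greylist policy that models the behaviour described in the post above. The real Postgrey is a Postfix policy daemon reached through check_policy_service inet:127.0.0.1:10023; for each RCPT TO it answers DUNNO (let the next restriction decide) or DEFER_IF_PERMIT (a temporary rejection), and its documented defaults are a 300-second delay and auto-whitelisting of a client after 5 successful deliveries. The meaning given here to the patched --retry and --auto-whitelist-delay options is my reading of the post (an assumption), the addresses and timestamps are constructed, and the code does not speak the real policy delegation protocol.

```python
"""Toy greylist policy modelling the behaviour described in the post. Postfix asks the policy
service (check_policy_service inet:127.0.0.1:10023) about every RCPT TO; Postgrey answers
DUNNO (let the next restriction decide) or DEFER_IF_PERMIT (temporary rejection). This is an
added illustration, not Postgrey's code, and it does not speak the real policy protocol."""
from dataclasses import dataclass, field

GREYLISTED = "DEFER_IF_PERMIT Greylisted, try again later"
PASS = "DUNNO"


@dataclass
class Greylist:
    delay: int = 300          # seconds a new triplet is deferred (Postgrey default --delay=300)
    retry: int = 1            # deferred attempts required before acceptance; the post's --retry=2
                              # is modelled as "defer the first retry as well" (assumption)
    whitelist_after: int = 5  # successful deliveries before the client IP is auto-whitelisted
                              # (Postgrey default --auto-whitelist-clients=5)
    whitelist_delay: int = 0  # minimum seconds since the client's first success before whitelisting;
                              # models the post's --auto-whitelist-delay=3600 (assumption)
    triplets: dict = field(default_factory=dict)  # (ip, sender, rcpt) -> [first_seen, deferrals]
    clients: dict = field(default_factory=dict)   # ip -> [first_success, successes]
    whitelisted: set = field(default_factory=set)

    def decide(self, now, client_ip, sender, recipient):
        """Policy decision for one RCPT TO at time `now` (seconds)."""
        if client_ip in self.whitelisted:
            return PASS
        key = (client_ip, sender.lower(), recipient.lower())
        entry = self.triplets.get(key)
        if entry is None:
            # First sight of this triplet: always defer. A spambot that never retries ends here.
            self.triplets[key] = [now, 1]
            return GREYLISTED
        first_seen, deferrals = entry
        if now - first_seen < self.delay or deferrals < self.retry:
            # Retried too early, or not often enough yet: defer again, keep the original first_seen
            entry[1] += 1
            return GREYLISTED
        # Waited long enough and retried often enough: this is how a queueing MTA behaves.
        client = self.clients.setdefault(client_ip, [now, 0])
        client[1] += 1
        if client[1] >= self.whitelist_after and now - client[0] >= self.whitelist_delay:
            self.whitelisted.add(client_ip)
        return PASS


def deliver(policy, start, client_ip, sender, recipient, interval=300):
    """Retry like a real MTA every `interval` seconds until accepted; return (accept_time, attempts)."""
    now, attempts = start, 0
    while True:
        attempts += 1
        if policy.decide(now, client_ip, sender, recipient) == PASS:
            return now, attempts
        now += interval


if __name__ == "__main__":
    g = Greylist(retry=2, whitelist_delay=3600)
    # Constructed addresses; the bot fires once and is never heard from again
    print("bot  ", g.decide(0, "203.0.113.9", "off@spam.invalid", "pro@example.gov"))
    # A real MTA keeps retrying: with retry=2 it is deferred twice before acceptance
    print("mta  ", deliver(g, 0, "198.51.100.7", "alice@example.net", "pro@example.gov"))
    # Enough distinct deliveries, and an hour of history, earn the client a whitelist entry
    for n in range(5):
        deliver(g, 1000 * n, "198.51.100.7", "alice@example.net", "user%d@example.gov" % n)
    print("whitelisted:", "198.51.100.7" in g.whitelisted)
```

The interesting properties to check are the ones the post relies on: a single-shot client never gets past DEFER_IF_PERMIT, a retrying client is accepted only after the delay has elapsed (an early retry does not shorten it), retry=2 costs one extra round trip, and the whitelist delay keeps a fresh client on the greylist even after it has reached the delivery count.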