Postfix – Configuration Tips to Fight Spam

In this guide you will learn how to tweak the default Postfix configuration for incoming mail. You add or edit the following directives in the /etc/postfix/main.cf configuration file; every directive is documented on the Postfix website.

Postfix Configuration Parameters

smtpd_helo_required = yes

Require that a remote SMTP client introduces itself with the HELO or EHLO command before sending the MAIL command or other commands that require EHLO negotiation.

smtpd_delay_reject = yes

This makes Postfix log recipient address information when it rejects a client name/address or sender address, so that you can find out whose mail is being rejected.

strict_rfc821_envelopes = yes

Require that addresses received in SMTP MAIL FROM and RCPT TO commands are enclosed in <>, and that those addresses do not contain RFC 822 style comments or phrases. This stops mail from poorly written software.

smtpd_recipient_restrictions

You can add the following access restrictions, which the Postfix SMTP server applies in the context of the RCPT TO command:

reject_invalid_helo_hostname – Reject the request when the HELO or EHLO hostname is malformed.

warn_if_reject reject_non_fqdn_helo_hostname – Reject the request when the HELO or EHLO hostname is not in fully-qualified domain or address literal form, as required by the RFC.

warn_if_reject reject_unknown_helo_hostname – Reject the request when the HELO or EHLO hostname has no DNS A or MX record.

warn_if_reject reject_unknown_reverse_client_hostname – Reject the request when the client IP address has no address -> name mapping.

reject_non_fqdn_sender – Reject the request when the MAIL FROM address is not in fully-qualified domain form, as required by the RFC.

reject_non_fqdn_recipient – Reject the request when the RCPT TO address is not in fully-qualified domain form, as required by the RFC.

reject_unknown_sender_domain – Reject the request when Postfix is not the final destination for the sender address, and the MAIL FROM domain has 1) no DNS MX and no DNS A record, or 2) a malformed MX record such as a record with a zero-length MX hostname.

reject_unknown_recipient_domain – Reject the request when Postfix is not the final destination for the recipient domain, and the RCPT TO domain has 1) no DNS MX and no DNS A record, or 2) a malformed MX record such as a record with a zero-length MX hostname.

Example main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP
biff = no
inet_protocols = ipv4

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/postfix/malware.expert.crt
smtpd_tls_key_file=/etc/postfix/malware.expert.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_note_starttls_offer   = yes
smtp_tls_security_level = may

# Conf
delay_warning_time = 4h
bounce_queue_lifetime = 5d
maximal_queue_lifetime = 5d
smtp_connect_timeout = 10s
smtpd_helo_required = yes
# Lets Postfix log recipient address information when rejecting a client name/address or sender address
smtpd_delay_reject = yes
strict_rfc821_envelopes = yes
message_size_limit = 50000000

# Maps to Relay & Transport (Domains and Destination routing)
relay_domains 		= proxy:mysql:/etc/postfix/postfix-mysql-relay_domains_maps.cf
transport_maps 		= proxy:mysql:/etc/postfix/postfix-mysql-transport_maps.cf

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mx01.malware.expert
mydestination =  $myhostname, localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
relayhost =
# Which servers allowed send outgoing emails
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

smtpd_sender_restrictions =
    permit_mynetworks
    reject_non_fqdn_sender
    reject_unknown_sender_domain

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_invalid_helo_hostname
    warn_if_reject reject_non_fqdn_helo_hostname
    warn_if_reject reject_unknown_helo_hostname
    warn_if_reject reject_unknown_reverse_client_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain

smtpd_data_restrictions =
    reject_unauth_pipelining
    reject_multi_recipient_bounce
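The warn_if_reject restrictions above only log a "reject_warning" instead of refusing the message, so the mail log is where you check what they would block before enforcing them. The script below is an added example, not part of the original guide: it parses the NOQUEUE lines that smtpd writes and counts rejections and warnings by cause and by client IP. The log lines are constructed for the example, and the hostnames and addresses in them are placeholders.

```python
import re
from collections import Counter

# Matches the NOQUEUE lines smtpd writes for reject / reject_warning actions.
LOG_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: (?P<action>reject_warning|reject): "
    r"(?P<stage>\w+) from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<reason>.+?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>.*?helo=<(?P<helo>[^>]*)>"
)

# Constructed sample lines in the shape smtpd logs; not from a real server.
SAMPLE_LOG = """\
Mar  1 10:00:01 mx01 postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 504 5.5.2 <mail>: Helo command rejected: need fully-qualified hostname; from=<a@example.net> to=<u@malware.expert> proto=ESMTP helo=<mail>
Mar  1 10:00:02 mx01 postfix/smtpd[4242]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.11]: 450 4.7.1 <mx.nxdomain.invalid>: Helo command rejected: Host not found; from=<b@example.net> to=<u@malware.expert> proto=ESMTP helo=<mx.nxdomain.invalid>
Mar  1 10:00:03 mx01 postfix/smtpd[4243]: NOQUEUE: reject: RCPT from host.example.org[198.51.100.5]: 450 4.1.8 <c@nxdomain.invalid>: Sender address rejected: Domain not found; from=<c@nxdomain.invalid> to=<u@malware.expert> proto=ESMTP helo=<host.example.org>
Mar  1 10:00:04 mx01 postfix/smtpd[4243]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.11]: 450 4.7.1 <mx.nxdomain.invalid>: Helo command rejected: Host not found; from=<d@example.net> to=<v@malware.expert> proto=ESMTP helo=<mx.nxdomain.invalid>
Mar  1 10:00:05 mx01 postfix/smtpd[4244]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.12]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.12]; from=<e@example.org> to=<u@malware.expert> proto=ESMTP helo=<e.example.org>
Mar  1 10:00:06 mx01 postfix/smtpd[4244]: connect from relay.example.com[203.0.113.7]
"""

def parse_line(line):
    """Return the fields of a reject/reject_warning line, or None otherwise."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Strip the leading "<helo-or-address>: " so identical causes group together.
    rec["reason"] = re.sub(r"^<[^>]*>: ", "", rec["reason"])
    return rec

def summarize(log_text):
    """Count (action, reason) pairs and the client IPs that were only warned."""
    by_reason, warned_ips = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_reason[(rec["action"], rec["reason"])] += 1
        if rec["action"] == "reject_warning":
            warned_ips[rec["ip"]] += 1
    return by_reason, warned_ips

if __name__ == "__main__":
    reasons, ips = summarize(SAMPLE_LOG)
    for (action, reason), n in reasons.most_common():
        print(f"{n:4d}  {action:14s} {reason}")
    print("clients that would be refused once warn_if_reject is removed:")
    for ip, n in ips.most_common():
        print(f"  {ip} ({n} attempts)")
```

Run it against /var/log/mail.log for a few days; a cause that only ever warns on legitimate senders is a sign to keep its warn_if_reject prefix, while one that only warns on unknown clients is a candidate for enforcement.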

Conclusion

It is very important to configure your Postfix installation correctly to minimise incoming spam. You can also use RBL blacklists, which are effective at blocking spam sent from infected servers.