Appbead Blog

How to Setup Mail Server on Debian 8 Jessie with Postfix + Dovecot (3)

SPF and greylisting are effective in filtering spam; about 95% of the spam was filtered out.

Spam and Postfix Restrictions

This section covers implementing greylisting, a sender blacklist and other restrictions in order to reject spam.

Postfix

$ sudo vi /etc/postfix/main.cf

Find the line containing the smtpd_relay_restrictions variable and delete it. Then append the following lines:

# Restrictions in order: client, helo, sender, relay/recipient
smtpd_client_restrictions = permit_mynetworks,
    reject_unauth_pipelining,
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
smtpd_sender_restrictions = permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/sender_access,
# Reject destinations we're not responsible for, to limit abuse and
# prevent Postfix from becoming an open relay. (version >= 2.10 required)
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination,
smtpd_recipient_restrictions =
    # General rules
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    # Our users
    permit_mynetworks,
    permit_sasl_authenticated,
    # Spam filters
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rhsbl_reverse_client dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    # This should be next-to-last
    check_policy_service unix:private/postgrey,
    permit

How does it work? Read the excellent HowTo on the CentOS wiki (linked in the References below).

IMPORTANT: The rule reject_unauth_destination in the relay restrictions prevents our mail server from becoming an open relay.
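Multi-line restriction lists like the ones above are easy to get subtly wrong, so here is an added example (written for this post, not code from the post or from Postfix) that parses main.cf using the line rules from postconf(5): a logical line starts in column one, a line beginning with whitespace continues the previous logical line, and any line whose first non-blank character is "#" is ignored, even inside a multi-line value. It then checks that the open-relay guard is present. The sample main.cf text is a constructed copy of the block above.

```python
"""Parse Postfix main.cf restriction lists and check for the open-relay guard.

Added example, not part of the original post and not Postfix code. It follows
the main.cf line rules documented in postconf(5).
"""
import re

# Constructed sample: the restriction block from this post, shortened.
SAMPLE_MAIN_CF = """\
smtpd_client_restrictions = permit_mynetworks,
    reject_unauth_pipelining,
smtpd_helo_required = yes
# Reject destinations we're not responsible for
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination,
smtpd_recipient_restrictions =
    # General rules
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    # Our users
    permit_mynetworks,
    permit_sasl_authenticated,
    # Spam filters
    reject_rbl_client zen.spamhaus.org,
    check_policy_service unix:private/postgrey,
    permit
"""


def parse_main_cf(text):
    """Return {parameter: value} with continuation lines joined."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank or comment line: ignored
        if raw[0] in " \t":
            if current is not None:       # continuation of the previous line
                params[current] += " " + raw.strip()
            continue
        if "=" not in raw:
            continue                      # not a parameter line
        key, value = raw.split("=", 1)
        current = key.strip()
        params[current] = value.strip()
    return params


def restriction_list(value):
    """Split a restriction value into entries; an argument such as
    'zen.spamhaus.org' stays attached to its restriction."""
    entries = [e.strip() for e in value.split(",")]
    return [re.sub(r"\s+", " ", e) for e in entries if e]


def relay_guard_ok(params):
    """True if (reject|defer)_unauth_destination is listed in
    smtpd_relay_restrictions, or in smtpd_recipient_restrictions for
    Postfix versions before 2.10 that have no relay restriction list."""
    guards = {"reject_unauth_destination", "defer_unauth_destination"}
    for name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        if guards & set(restriction_list(params.get(name, ""))):
            return True
    return False


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    for name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        print(name, "->", restriction_list(cfg[name]))
    print("relay guard present:", relay_guard_ok(cfg))
```

Run it against a real file with `parse_main_cf(open("/etc/postfix/main.cf").read())`; `postconf -n` is the authoritative view, but this shows why the indented comment lines in the block above do not break the value.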

Postgrey

Change the Postgrey options so they match the smtpd_recipient_restrictions setting in Postfix:

$ vi /etc/default/postgrey

The full socket path must be the same as the one used in Postfix; the delay is also increased here:

POSTGREY_OPTS="--unix=/var/spool/postfix/private/postgrey --delay=66"

Restart Postgrey:

$ sudo systemctl restart postgrey
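To make clear what Postgrey is doing behind that socket, here is an added example (not Postgrey's code and not from the original post) of a minimal greylisting policy service speaking the Postfix policy delegation protocol from SMTPD_POLICY_README: Postfix sends name=value lines ended by an empty line, and the server answers with an action= line followed by an empty line. The sample request and the hostnames and addresses in it are constructed.

```python
"""Minimal greylisting policy service speaking Postfix's policy protocol.

Added example for this post; it is not Postgrey's code. The logic is the
greylisting idea Postgrey implements: the first time a (client address,
sender, recipient) triplet is seen the mail is deferred; a retry after the
configured delay passes. Whitelists, retry windows and expiry are omitted.
"""
import io
import time

DELAY = 66  # seconds, matching --delay=66 in /etc/default/postgrey above


def parse_policy_request(data):
    """Parse one 'name=value\\n...\\n\\n' request into a dict."""
    attrs = {}
    for line in data.split("\n"):
        if not line:
            break                       # empty line terminates the request
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class Greylister:
    def __init__(self, delay=DELAY, clock=time.time):
        self.delay = delay
        self.clock = clock              # injectable so tests can control time
        self.first_seen = {}            # triplet -> timestamp of first attempt

    def decide(self, attrs):
        """Return the reply for one parsed request."""
        if attrs.get("request") != "smtpd_access_policy":
            return "action=DUNNO\n\n"   # not an SMTP access query: no opinion
        triplet = (attrs.get("client_address", ""),
                   attrs.get("sender", "").lower(),
                   attrs.get("recipient", "").lower())
        now = self.clock()
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.delay:
            # DEFER_IF_PERMIT: defer only if later restrictions would permit,
            # so an explicit reject further down the list still wins.
            return "action=DEFER_IF_PERMIT Greylisted, please try again later\n\n"
        return "action=DUNNO\n\n"       # seen before and delay elapsed: pass

    def handle(self, rfile, wfile):
        """Serve one connection; Postfix may send several requests on it."""
        buf = []
        while True:
            line = rfile.readline()
            if not line:
                return                  # client closed the connection
            buf.append(line)
            if line == "\n":            # end of request: answer it
                wfile.write(self.decide(parse_policy_request("".join(buf))))
                wfile.flush()
                buf = []


def serve_text(greylister, request_text):
    """Run one request through handle() using in-memory streams."""
    out = io.StringIO()
    greylister.handle(io.StringIO(request_text), out)
    return out.getvalue()


# Constructed sample request: the attributes Postfix sends at RCPT time.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=203.0.113.7\n"
    "client_name=mail.example.net\n"
    "sender=alice@example.net\n"
    "recipient=bob@example.org\n"
    "\n"
)

if __name__ == "__main__":
    g = Greylister()
    print(serve_text(g, SAMPLE_REQUEST), end="")   # first attempt: deferred
```

Postfix would run such a script under master.cf with spawn, exactly as the post does for policyd-spf further down; the DEFER_IF_PERMIT action is why Postgrey is placed next-to-last in smtpd_recipient_restrictions.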

Blacklist of Sender

You may find that some spammers keep sending you junk messages that Postfix does not block. A blacklist is helpful in such cases.

$ sudo touch /etc/postfix/sender_access

This path must match the check_sender_access parameter in main.cf. Then append spammers as necessary. For example:

# run as root
cd /etc/postfix/
echo spam@yandex.ru REJECT >> sender_access
echo ya.ru REJECT >> sender_access
postmap hash:sender_access
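It helps to know which keys Postfix actually looks up when a sender is checked against that map, because a domain entry such as ya.ru reaches further than a single address entry does. The following is an added example (not Postfix code and not from the post) that emulates the lookup order described in access(5): the full address, the domain, each parent domain (smtpd_access_maps is in parent_domain_matches_subdomains by default, so ya.ru also covers mail.ya.ru), and finally user@. The map content is a constructed copy of the two entries added above.

```python
"""Emulate the lookup order of check_sender_access, as an added example.

Not Postfix code. Keys and queries are compared case-insensitively, since
postmap folds hash: keys to lower case by default.
"""

SENDER_ACCESS = """\
# constructed copy of /etc/postfix/sender_access from this post
spam@yandex.ru REJECT
ya.ru REJECT
"""


def load_access_map(text):
    """Parse 'key action' lines into a dict, skipping blanks and comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, action = line.partition(" ")
        table[key.lower()] = action.strip()
    return table


def lookup_keys(address):
    """Return the keys Postfix would try for this sender, in order."""
    address = address.lower()
    user, _, domain = address.rpartition("@")
    keys = [address, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):        # parent domains: mail.ya.ru -> ya.ru -> ru
        keys.append(".".join(labels[i:]))
    keys.append(user + "@")                # localpart-only pattern
    return keys


def sender_action(address, table):
    """Return (matched_key, action) for the first hit, or None."""
    for key in lookup_keys(address):
        if key in table:
            return key, table[key]
    return None


if __name__ == "__main__":
    table = load_access_map(SENDER_ACCESS)
    for sender in ("spam@yandex.ru", "other@yandex.ru", "x@mail.ya.ru"):
        print(sender, "->", sender_action(sender, table))
```

The practical lesson: the spam@yandex.ru entry blocks only that one address, while the ya.ru entry blocks the whole domain and its subdomains, so choose the granularity deliberately.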

SPF

This differs from the previous page: here we check the SPF record of the outside (sending) mail server to determine whether its messages should be rejected.

# vi /etc/postfix/main.cf

Find the postgrey line and insert the SPF line before it, as follows:

    ......
    check_policy_service unix:private/policy-spf,
    check_policy_service unix:private/postgrey,
    permit

Then append this line at the end of main.cf:

policy-spf_time_limit = 3600s

Then let Postfix manage the SPF policy daemon: append the two policy-spf lines to /etc/postfix/master.cf by running cat as root:

sudo -i
cat << EOF >> /etc/postfix/master.cf

# SPF
policy-spf  unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/policyd-spf
EOF

Since master.cf has changed, restart Postfix. Then confirm that the socket file has been created:

$ sudo systemctl restart postfix
$ sudo ls -l /var/spool/postfix/private/policy-spf

You may also want to adjust the policyd-spf configuration:

$ sudo vi /etc/postfix-policyd-spf-python/policyd-spf.conf

Some spammers exploit domains whose SPF records are broken, which otherwise yield a PermError result and are accepted. Turn on PermError_reject to reject such mail, although this carries a higher short-term false-positive risk. We also define Reject_Not_Pass_Domains to reject mail from a listed domain whose SPF result is Neutral or Softfail.

PermError_reject = True
Reject_Not_Pass_Domains = bk.ru,ya.ru,list.ru,mail.ru

Consult man policyd-spf.conf and http://www.openspf.org/SPF_Record_Syntax for details.

Fail2ban

After a few days, you may notice a large number of lines in mail.log similar to the following:

postfix/smtpd[1532]: lost connection after AUTH from s15692826.onlinehome-server.info[87.106.147.205]
......
postfix/smtpd[4220]: lost connection after UNKNOWN from unknown[113.161.25.13]

Obviously, your mail server is experiencing Postfix AUTH attacks. Fail2ban is a good service for banning the attackers' IPs. Install Fail2ban first if you have not done so.

Make a copy of the postfix filter to modify:

# cd /etc/fail2ban/filter.d/
# cp postfix.conf postfix.local
# vi postfix.local

Append this line to failregex:

^%(__prefix_line)slost connection after (?:AUTH|UNKNOWN) from \S+\[<HOST>\]$

It should then look like this:

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
            ^%(__prefix_line)slost connection after (?:AUTH|UNKNOWN) from \S+\[<HOST>\]$
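Before reloading the jail it is worth confirming that the new pattern matches the lines you saw in mail.log and nothing else. Fail2ban ships fail2ban-regex for this; the following is an added example (not fail2ban's code and not from the post) that does the same check offline in Python: it expands the failregex list above and counts hits per host the way the jail's maxretry does. Fail2ban's real __prefix_line and <HOST> expansions are more elaborate than the simplified ones assumed here, and the log lines are constructed around the two examples shown earlier in this section.

```python
"""Test the postfix failregex patterns against sample mail.log lines.

Added example, not fail2ban code. PREFIX_LINE and HOST_RE are simplified
stand-ins for fail2ban's __prefix_line and <HOST> substitutions.
"""
import re
from collections import Counter

# Assumed, simplified: optional syslog timestamp + host, then the daemon tag.
PREFIX_LINE = r"\s*(?:\S+ +\d+ +\d\d:\d\d:\d\d \S+ )?postfix/smtpd\[\d+\]: "
# Assumed, simplified: an IPv4/IPv6 address or hostname captured as 'host'.
HOST_RE = r"(?P<host>[\w\-.:]+)"

# The failregex entries from postfix.local above, in fail2ban's notation.
FAILREGEX = [
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$",
    r"^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$",
    r"^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$",
    r"^%(__prefix_line)slost connection after (?:AUTH|UNKNOWN) from \S+\[<HOST>\]$",
]

# Constructed sample log lines (timestamps and most addresses invented).
SAMPLE_LOG = [
    "Mar  1 10:00:01 mx postfix/smtpd[1532]: connect from unknown[87.106.147.205]",
    "Mar  1 10:00:02 mx postfix/smtpd[1532]: lost connection after AUTH from s15692826.onlinehome-server.info[87.106.147.205]",
    "Mar  1 10:00:05 mx postfix/smtpd[1532]: lost connection after AUTH from s15692826.onlinehome-server.info[87.106.147.205]",
    "Mar  1 10:00:07 mx postfix/smtpd[4220]: lost connection after UNKNOWN from unknown[113.161.25.13]",
    "Mar  1 10:00:09 mx postfix/smtpd[1532]: lost connection after AUTH from s15692826.onlinehome-server.info[87.106.147.205]",
    "Mar  1 10:00:11 mx postfix/smtpd[1600]: lost connection after CONNECT from unknown[203.0.113.5]",
    "Mar  1 10:00:12 mx postfix/smtpd[1601]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: "
    "554 5.7.1 Service unavailable; Client host [198.51.100.9] blocked using zen.spamhaus.org; "
    "from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<x>",
]


def compile_failregex(patterns):
    """Expand fail2ban's placeholders and compile each pattern."""
    return [re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE)
                        .replace("<HOST>", HOST_RE)) for p in patterns]


def matched_hosts(lines, regexes):
    """Return the host captured from every line that matches some pattern."""
    hosts = []
    for line in lines:
        for rx in regexes:
            m = rx.match(line)
            if m:
                hosts.append(m.group("host"))
                break                       # first matching pattern wins
    return hosts


def offenders(lines, maxretry=3):
    """Hosts with at least maxretry hits, i.e. what the jail would ban
    if all the lines fell inside one findtime window."""
    counts = Counter(matched_hosts(lines, compile_failregex(FAILREGEX)))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("matches:", matched_hosts(SAMPLE_LOG, compile_failregex(FAILREGEX)))
    print("would be banned with maxretry=3:", offenders(SAMPLE_LOG))
```

Note that "lost connection after CONNECT" and plain "connect from" lines do not match, which is intentional: the pattern is scoped to the AUTH and UNKNOWN cases the log excerpt showed, so ordinary clients are not counted toward a ban.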

Edit jail.local:

vi /etc/fail2ban/jail.local

Increase the time limits in the [postfix] section, or globally.

[postfix]

maxretry = 3
bantime  = 21600 ; 6 hours
findtime = 3600  ; 1 hour

Make the changes take effect:

$ sudo fail2ban-client reload postfix
$ sudo fail2ban-client status

Optional

Split Dovecot's log from syslog

# vi /etc/dovecot/dovecot.conf

Add this line:

log_path = /var/log/dovecot.log

Then reload Dovecot by running dovecot reload.

Rotate logs automatically:

# vi /etc/logrotate.d/dovecot

Fill with following lines:

/var/log/dovecot*.log {
  missingok
  notifempty
  delaycompress
  sharedscripts
  postrotate
    doveadm log reopen
  endscript
}

What's Next?

References

http://wiki.centos.org/HowTos/postfix_restrictions
http://www.postfix.org/postconf.5.html
https://help.ubuntu.com/community/PostfixGreylisting
