SPF and greylisting are effective at filtering spam: about 95% of the spam was filtered out.
Spam and Postfix Restrictions
This section covers greylisting, a sender blacklist and other Postfix restrictions used to reject spam.
Postfix
$ sudo vi /etc/postfix/main.cf
Find the line that sets the variable smtpd_relay_restrictions and delete it. Then append the following lines (continuation lines must start with whitespace):
# Restrictions in order: client, helo, sender, relay/recipient
smtpd_client_restrictions = permit_mynetworks,
    reject_unauth_pipelining,
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
smtpd_sender_restrictions = permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/sender_access,
# Reject destinations we're not responsible for, to limit abuse and
# prevent Postfix from becoming an open relay (version >= 2.10 required)
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination,
smtpd_recipient_restrictions =
# General rules
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
# Our users
    permit_mynetworks,
    permit_sasl_authenticated,
# Spam filters
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rhsbl_reverse_client dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
# This should be next-to-last
    check_policy_service unix:private/postgrey,
    permit
How does it work? The excellent HowTo on the CentOS wiki (linked in the References) explains each rule.
IMPORTANT: the rule reject_unauth_destination in the relay restrictions prevents our mail server from becoming an open relay.
Postgrey
Change the options of Postgrey to match the smtpd_recipient_restrictions of Postfix:
$ vi /etc/default/postgrey
The socket path must be the same as the one used in Postfix; the greylisting delay is also increased here:
POSTGREY_OPTS="--unix=/var/spool/postfix/private/postgrey --delay=66"
Restart Postgrey:
$ sudo systemctl restart postgrey
Blacklist of Sender
You may find that some spammers keep sending junk messages that Postfix does not block. A blacklist is helpful in such cases.
$ sudo touch /etc/postfix/sender_access
This path must be the same as the parameter of check_sender_access in main.cf. Then append spammers as necessary. For example:
# run as root
cd /etc/postfix/
echo spam@yandex.ru REJECT >> sender_access
echo ya.ru REJECT >> sender_access
postmap hash:sender_access
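As an added illustration (not part of the original page), the following Python models the lookup order Postfix applies when check_sender_access consults this table, as documented in access(5): the full address first, then the domain and its parent domains (the Postfix default, because parent_domain_matches_subdomains includes smtpd_access_maps), then the bare user@ part. The table is a constructed copy of the two entries added above; an entry such as ya.ru therefore also rejects mail from sub.ya.ru.

```python
# Constructed sender_access table, mirroring the two entries added above.
# postmap builds a hash DB from such "key action" lines; we parse the text directly.
SENDER_ACCESS_TEXT = """\
# blacklisted senders (constructed sample)
spam@yandex.ru REJECT
ya.ru REJECT
"""


def parse_access_table(text):
    """Parse an access(5) text table into {key: action}; keys are case-folded."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, action = line.partition(" ")
        table[key.lower()] = action.strip()
    return table


def lookup_sender(table, sender, parent_matches_subdomains=True):
    """Return the action check_sender_access would apply to an envelope sender.

    Lookup order follows access(5) for email-address patterns:
      1. user@domain (the full address)
      2. domain, then each parent domain (only when parent_matches_subdomains,
         which mirrors the Postfix default for smtpd_access_maps)
      3. user@ (local part only)
    None means no entry matched and Postfix continues with the next restriction.
    """
    sender = sender.lower()
    user, _, domain = sender.rpartition("@")
    if sender in table:
        return table[sender]
    labels = domain.split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels))]
    if not parent_matches_subdomains:
        candidates = candidates[:1]
    for candidate in candidates:
        if candidate in table:
            return table[candidate]
    if user and user + "@" in table:
        return table[user + "@"]
    return None


TABLE = parse_access_table(SENDER_ACCESS_TEXT)
```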
SPF
Unlike the previous page, here we check the SPF record of the outside mail server to determine whether a message should be rejected.
# vi /etc/postfix/main.cf:
Find the postgrey line and insert the SPF line before it, as follows:
......
check_policy_service unix:private/policy-spf,
check_policy_service unix:private/postgrey,
permit
Then append this line at the end of main.cf:
policy-spf_time_limit = 3600s
Then let Postfix manage the SPF policy daemon: append the two policy-spf lines to /etc/postfix/master.cf by running cat as root:
sudo -i
cat << EOF >> /etc/postfix/master.cf
# SPF
policy-spf  unix  -       n       n       -       -       spawn
    user=nobody argv=/usr/bin/policyd-spf
EOF
As master.cf has been changed, restart Postfix. Also confirm that the socket file has been created:
$ sudo systemctl restart postfix
$ sudo ls -l /var/spool/postfix/private/policy-spf
You may want to change the configuration of SPF:
$ sudo vi /etc/postfix-policyd-spf-python/policyd-spf.conf
Some spammers take advantage of mail domains whose SPF record is broken. Turn on PermError_reject to prevent this, although it carries a higher short-term false-positive risk. We also define Reject_Not_Pass_Domains to reject mail from any listed domain whose SPF result is Neutral or Softfail.
PermError_reject = True
Reject_Not_Pass_Domains = bk.ru,ya.ru,list.ru,mail.ru
Consult man policyd-spf.conf and http://www.openspf.org/SPF_Record_Syntax for details.
Fail2ban
After some days, you may notice a large number of lines in mail.log similar to the following:
postfix/smtpd[1532]: lost connection after AUTH from s15692826.onlinehome-server.info[87.106.147.205]
......
postfix/smtpd[4220]: lost connection after UNKNOWN from unknown[113.161.25.13]
Obviously, your mail server is experiencing Postfix AUTH attacks. Fail2ban is a good service for banning the attackers' IPs. Install Fail2ban first if you have not already.
Make a copy of the postfix filter to modify:
# cd /etc/fail2ban/filter.d/
# cp postfix.conf postfix.local
# vi postfix.local
Append this line to failregex:
^%(__prefix_line)slost connection after (?:AUTH|UNKNOWN) from \S+\[<HOST>\]$
so that it then looks like this (continuation lines are indented):
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
            ^%(__prefix_line)slost connection after (?:AUTH|UNKNOWN) from \S+\[<HOST>\]$
Edit jail.local:
vi /etc/fail2ban/jail.local
Increase the values in the [postfix] section, or globally:
[postfix]
maxretry = 3
bantime = 21600 ; 6 hours
findtime = 3600 ; 1 hour
Make the changes take effect:
$ sudo fail2ban-client reload postfix
$ sudo fail2ban-client status
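As an added example (not from the original page), this Python script applies the new failregex to a constructed mail.log excerpt and then applies the [postfix] jail's maxretry/findtime rule to decide which hosts would be banned. It assumes a simplified __prefix_line and <HOST> pattern in place of fail2ban's own (which are broader); the rest of the pattern is the line added above, and the addresses are TEST-NET samples, not real hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST>.
PREFIX_LINE = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
HOST = r"(?P<host>[\w.:\-]+)"
# The page's regex with the two placeholders expanded.
FAILREGEX = re.compile(
    r"^" + PREFIX_LINE + r"lost connection after (?:AUTH|UNKNOWN) from \S+\[" + HOST + r"\]$"
)

# Jail settings from the [postfix] section above.
MAXRETRY = 3
FINDTIME = timedelta(seconds=3600)

# Constructed mail.log excerpt (TEST-NET addresses; the CONNECT line must not match).
SAMPLE_LOG = """\
Jan 10 09:00:01 mail postfix/smtpd[1532]: lost connection after AUTH from host-a.example[192.0.2.10]
Jan 10 09:05:12 mail postfix/smtpd[1532]: lost connection after AUTH from host-a.example[192.0.2.10]
Jan 10 09:06:40 mail postfix/smtpd[1533]: lost connection after UNKNOWN from unknown[198.51.100.7]
Jan 10 09:20:03 mail postfix/smtpd[1540]: lost connection after AUTH from host-a.example[192.0.2.10]
Jan 10 09:21:00 mail postfix/smtpd[1541]: lost connection after CONNECT from unknown[203.0.113.5]
Jan 10 11:30:00 mail postfix/smtpd[1600]: lost connection after UNKNOWN from unknown[198.51.100.7]
Jan 10 11:31:00 mail postfix/smtpd[1601]: lost connection after UNKNOWN from unknown[198.51.100.7]
"""


def match_failures(log_text):
    """Return [(timestamp, host)] for every line the failregex matches."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits


def hosts_to_ban(hits, maxretry=MAXRETRY, findtime=FINDTIME):
    """Ban a host once it has >= maxretry failures inside a sliding findtime window."""
    window = defaultdict(list)
    banned = []
    for ts, host in hits:
        # Drop failures that have aged out of the window, then add this one.
        window[host] = [t for t in window[host] if ts - t <= findtime] + [ts]
        if len(window[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```

With the settings above only 192.0.2.10 is banned: 198.51.100.7 has three matching lines, but the first one falls outside the one-hour findtime window of the later two.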
Optional
Split the Dovecot log from syslog
# vi /etc/dovecot/dovecot.conf
Add this line:
log_path = /var/log/dovecot.log
Then reload Dovecot by running dovecot reload.
Rotate logs automatically:
# vi /etc/logrotate.d/dovecot
Fill it with the following lines:
/var/log/dovecot*.log {
    missingok
    notifempty
    delaycompress
    sharedscripts
    postrotate
        doveadm log reopen
    endscript
}
What's Next?
- Web UI to change the passwords of users, using SQLite instead of a passwd file.
- Content-based spam filtering.
- Dynamic address verification with LMTP. WARNING: this may increase load under a dictionary attack; consider combining it with Fail2ban.
References
http://wiki.centos.org/HowTos/postfix_restrictions
http://www.postfix.org/postconf.5.html
https://help.ubuntu.com/community/PostfixGreylisting