Postfix and Spam filtering

Virtualmin
1

I am using postfix with Virtualmin and am trying to follow numerous tutorials on spam prevention/handling. I have tried to apply the following to the postfix main.cf file.

smtpd_delay_reject = yes

smtpd_helo_required = yes

smtpd_helo_restrictions =
permit_mynetworks,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
permit

comment- check_helo_access hash:/usr/local/etc/postfix/helo_access,

smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unauth_destination,
permit

smtpd_recipient_restrictions =
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
permit

comment- check_policy_service unix:postgrey/socket,
comment- check_policy_service unix:private/spfpolicy
comment- check_policy_service inet:127.0.0.1:10023
comment- reject_rbl_client relays.ordb.org,
comment- reject_rbl_client list.dsbl.org,
comment- reject_rbl_client sbl-xbl.spamhaus.org,
comment- check_sender_access hash:/etc/postfix/sender_access,
comment- check_recipient_access hash:/etc/postfix/recipient_access,

smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client dnsbl.sorbs.net,
permit

I had to replace the pound sign for comment with comment- because of the way this forum formats the text.

The items that are commented out are of concern. I cannot figure out how to set them right. I have the rbl in the client_restrictions but online the examples show in the recipient. Which is it? client or recipient?

Also, is there a good tutorial on configuring the HELO access file? I am migrating from EIMS and have some nice HELO rules set up there to catch a bunch of problems. I’d like to incorporate them into the postfix setup.

For the HELO:
does not contain .
starts with [
contains .dynamic.
contains .adsl.
ends with .airtelbroadband.in
is speedtouch.lan
is gmail.com
contains .pool.
starts with adsl-
is dsldevice.lan
contains .dsl.

Expressions for a few of the top expressions:
Typical names for household connections contain a name followed by an ip (dashed or dotted)
[a-zA-Z_-][0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}.
[a-zA-Z_-][0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.
Plain IP number without [ ]:
[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}

With the spf handling, I keep seeing mention of a file that I am supposed to have but it was not included in the install of CentOS 5. smtpd-policy.pl is the file that everyone mentions I need for the SPF but it’s no where to be found and I did not see anywhere online to download this. I have postgrey installed. Does anyone know how to make all this work? it seems it would be optimal setup for spam prevention.

It’s a long post. Sorry. I hope this will help everyone.

Thanks,
Steffan

2

Howdy,

The items that are commented out are of concern. I cannot figure out how to set them right. I have the rbl in the client_restrictions but online the examples show in the recipient. Which is it? client or recipient?

When I’ve set this up, I’ve used smtp_recipient_restrictions like so:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_invalid_hostname, ... reject_rbl_client zen.spamhaus.org Also, is there a good tutorial on configuring the HELO access file? I am migrating from EIMS and have some nice HELO rules set up there to catch a bunch of problems. I'd like to incorporate them into the postfix setup.

Well, I’m not really familiar with setting that up, specifically… you could always add some regexes using something like this in your smtpd_recipient_restrictions:

check_client_access hash:/etc/postfix/helo_client_exceptions

And then adding some regexes into “/etc/postfix/helo_client_exceptions”.

However, Postfix does some of that work for you if you want to keep it simpler… you may want to tinker with some of Postfix’s “reject_” lines, including “reject_invalid_hostname”, “reject_non_fqdn_hostname”, and “reject_unknown_sender_domain” (amongst others!).

Regarding SPF handling – I’m not familiar with the setup you’re describing there, though it appears that it would require installing and running a SPF daemon of some sort out of Postfix’s master.cf.

One thing to note is that SpamAssassin provides it’s own SPF handling, and includes that in it’s various spam processing rules. It’ll be a lot less work to setup, as that works out of the box :slight_smile:

-Eric