6 Simple & Safe Postfix Changes for Over 95% Spam Reduction

By Angsuman Chakraborty, Gaea News Network
Sunday, November 18, 2007

I used to receive around 5,000-7,000 spams daily on angsuman [at] taragana [dot] com email which is publicly available on the internet. It was consuming too many productive hours daily to fight spam. I decided to fight back. To reduce the spams I first made changes to my postfix configuration with the aim to stop most spams upfront. With 6 simple changes to my postfix configuration my spams dropped from 5,000 - 7,000 to a manageable 5-20 spams daily, often less. Let’s look at these 6 simple postfix changes in details to drastically reduce your spam count too. I am consistently getting over 99% spam reduction after implementing these changes.

The changes proved to be safe and without false positives. In several weeks of manual browsing through the log file, I couldn’t spot a single false positive (a case where legitimate mail is rejected).

Note: This changes do not involve (nor do they conflict with) spamassasin or clamav, which I might add later.

smtpd_helo_required = yes

The smtpd_helo_required parameter determines if clients must send a HELO (or EHLO) command at the beginning of an SMTP session.
Proper email clients use Helo to identify their server. Most spam servers don’t use Helo to identify themselves, if they do they (mostly) falsify.

smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname, check_helo_access hash:/etc/postfix/helo_access, permit

The smtpd_helo_restrictions parameter restricts what hostnames clients may send with the HELO (EHLO) command. Many spam (UCE) software can be stopped by being strict here. The order of the restrictions is important.

permit_sasl_authenticated first allows your email client (like Outlook, Thunderbird, Evolution etc.) which authenticates itself to send email without any further checks.

permit_mynetworks allows sending unauthenticated emails too if they are from your network addresses. This allows, for example, your home grown comment form / guestbook to send emails to you without further checks.

reject_invalid_hostname rejects invalid hostnames like without tld suffix. For example taragana is an invalid hostname, taragana.com is a valid hostname.

Note: You can also add reject_unknown_hostname. However I found that several legitimate companies like PayPal, for example, uses internal hostnames which do not resolve with external DNS servers.

check_helo_access searches the named access database for the HELO hostname or parent domains and follows the rules specified there. My helo_access files includes all my domains and looks like:

mydomain.tld REJECT Get lost
mydomain2.tld REJECT Get lost
...

These checks rejects spammers who impersonate as originating from one of my servers.

Note: You should compile the file with postmap like:
postmap /etc/postfix/helo_access

disable_vrfy_command = yes
SMTP protocol allows of using VRFY to verify the validity of an user in the server. Disabling VRFY takes one more facility which is abused by spammers.

strict_rfc821_envelopes = yes
The strict_rfc821_envelopes parameter controls how tolerant Postfix is with respect to addresses given in MAIL FROM or RCPT TO commands. Being strict to the RFC not only stops unwanted mail, it may also blocks legitimate mail from poorly-written mail applications. However I haven’t found any false positive from this check. This appears to be safe in my experience.

smtpd_client_restrictions = permit_sasl_authenticated,permit_mynetworks, reject_rhsbl_client mydomain.tld, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client safe.dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client list.dsbl.org

The smtpd_client_restrictions parameter restricts what clients this system accepts SMTP connections from. First I allow, as before, emails from my mail clients (with permit_sasl_authenticated) and from my network (with permit_mynetworks).

I then reject email clients which impersonate as originating from my domains. In other words it rejects the request when the client hostname is listed with an A record under one of my domains. This check may not be very useful but I still keep it.

Now comes the fun part.
I use several safe RBL’s (widely regarded and allows an easy non-paid way to de-list your site if you have been mis-classified) to check the IP addresses of email clients trying to send email. The RBL’s I use are:
1. Spamcop
2. Spamhaus
3. SORBS
4. Abuseat

smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
The smtpd_sender_restrictions parameter restricts what sender addresses this system accepts in MAIL FROM commands.

reject_non_fqdn_sender rejects the request when the address in the client MAIL FROM command is not in fully-qualified domain form.

reject_unknown_sender_domain rejects the request when the sender mail address has no DNS A or MX record. This check is essential to ensure that the email isn’t sent from a fictitious domain name. You would be surprised at how many spammers use this lame trick.

That concludes my 6 simple & safe (based on my tests) postfix changes to drastically reduce your spam load and relieve your postfix mail server.

YOUR VIEW POINT
NAME : (REQUIRED)
MAIL : (REQUIRED)
will not be displayed
WEBSITE : (OPTIONAL)
YOUR
COMMENT :