I have had the same email address since 1997 (when microsoft stole bob.com from me thanks to network solutions...). In the early days I of course was free with my email and used it everywhere.

Fast forward to 2012, some 15 years later. Woof... the amount of spam sent to me has always just kept getting worse and worse.

On my centos 5 server I just used sendmail with spamassassin and it killed a lot. Still, 100s, sometimes more made it through. Then thunderbird would weed out more, learned as it went... Still, had an inbox with a lot of junk.

Now I have set up a centos 6 box using postfix. Today I decided to try to add smtpd restrictions. After a lot of reading and testing I 'seem' to be doing incredible.

I wanted to share my current working postfix smtpd restrictions area so that others who are interested can start with it. I just added the helo and sender restrictions and have noticed no problems yet. There were many things some sites said to add, but they killed some very legitimate mail.

So... yesterday a few hundred mails in my box as usual. Plus I set up procmail to not delete spam so I could test. That gave me hundreds more....

30 minutes since putting this up I went from 1 every few seconds to 1 in 30 minutes. And that was tagged by spamassassin as spam. 1.

Not sure if this setup is perfect, but it is working quite well. Yes, the mail takes a few seconds longer and there is probably more I could do, but this ROCKS!!!

smtpd_delay_reject = yes
smtpd_helo_required = yes

smtpd_client_restrictions = permit_mynetworks,permit

smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit

smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client truncate.gbudb.net,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.sorbs.net,
    sleep 1,
    permit

smtpd_data_restrictions =
    permit_mynetworks,
    reject_multi_recipient_bounce,
    permit

Bob Hoffman wrote:
> I have had the same email address since 1997 (when microsoft stole
> bob.com from me thanks to network solutions...)

I remember reading about you, vaguely.

<snip>
> Now I have set up a centos 6 box using postfix. Today I decided to try
> to add smtpd restrictions. After a lot of reading and testing I 'seem'
> to be doing incredible.
> I wanted to share my current working postfix smtpd restrictions area so
> that others who are interested can start with it.
<snip>

Here's a question: is there any way to inspect an email's headers, and reject it if the alleged FQDN in the "From:" doesn't match the oldest "Received:"?

        mark

On 12-03-12 22:12, Bob Hoffman wrote:
[snip]
> Not sure if this setup is perfect, but it is working quite well. Yes,
> the mail takes a few seconds longer and there is probably more I could
> do, but this ROCKS!!!

Totally agree. I'm definitely not a postfix expert but below I have listed some rules I have in my config.

> smtpd_delay_reject = yes
> smtpd_helo_required = yes

I also have:

disable_vrfy_command = yes
strict_rfc821_envelopes = yes

> smtpd_client_restrictions = permit_mynetworks,permit

In smtpd_client_restrictions I have:

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_reverse_client_hostname,
    check_client_access pcre:/etc/postfix/dynamic_ip_client_block,
    reject_rbl_client bl.spameatingmonkey.net,
    reject_rhsbl_sender uribl.spameatingmonkey.net,
    reject_rhsbl_client uribl.spameatingmonkey.net,
    reject_rhsbl_sender urired.spameatingmonkey.net,
    reject_rhsbl_client urired.spameatingmonkey.net,
    reject_rbl_client zen.spamhaus.org

The dynamic IP client list is quite effective. You can get the file:

wget -v http://www.hardwarefreak.com/fqrdns.pcre

> smtpd_helo_restrictions
>     permit_mynetworks,
>     reject_non_fqdn_helo_hostname,
>     reject_invalid_helo_hostname,
>     permit
>
> smtpd_sender_restrictions
>     permit_mynetworks,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     permit

In smtpd_sender_restrictions I also use

reject_rhsbl_sender fresh15.spameatingmonkey.net

> smtpd_recipient_restrictions
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination,
>     reject_invalid_hostname,
>     reject_unauth_pipelining,
>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client truncate.gbudb.net,
>     reject_rbl_client dnsbl.njabl.org
>     reject_rbl_client cbl.abuseat.org
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client dnsbl.sorbs.net,
>     sleep 1,
>     permit
>
> smtpd_data_restrictions
>     permit_mynetworks,
>     reject_multi_recipient_bounce,
>     permit

Not sure if these rules are correct. I only have

smtpd_data_restrictions = reject_unauth_pipelining

On my CentOS 5 box I don't use "permit" at all.

Regards,
Patrick

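
[Added example, not part of the thread or of anyone's posted config: a Python sketch of the DNS names behind the reject_rbl_client and reject_rhsbl_* entries in the two configs above, and of why list order and unfiltered answers matter. The sample addresses, the FAKE_DNS answers and all function names are constructed for illustration.]

```python
import ipaddress
import socket

# 127.255.255.x answers are status codes Spamhaus documents for query
# problems (e.g. queries via a public resolver), not listings.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")

def rbl_query_name(client_ip, zone):
    """Name looked up for reject_rbl_client: reversed address + zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:  # IPv6: the 32 hex nibbles, reversed
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

def rhsbl_query_name(domain, zone):
    """Name looked up for reject_rhsbl_sender/_client: domain + zone."""
    return domain.rstrip(".").lower() + "." + zone

def dns_a_records(name):
    """Live lookup; [] means NXDOMAIN (not listed) or a resolver failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def first_listing(client_ip, zones, resolve=dns_a_records):
    """Check zones in main.cf order; return (zone, answers, kind) or None."""
    # With no "=d.d.d.d" filter Postfix treats any A record as a listing,
    # so an answer made only of status codes is flagged as "error-code".
    for zone in zones:
        answers = resolve(rbl_query_name(client_ip, zone))
        if answers:
            errors = all(ipaddress.ip_address(a) in ERROR_NET for a in answers)
            return zone, answers, "error-code" if errors else "listed"
    return None

# Constructed answers so the example runs offline (not real DNSBL data).
FAKE_DNS = {"7.113.0.203.bl.spamcop.net": ["127.0.0.2"],
            "9.113.0.203.zen.spamhaus.org": ["127.255.255.254"]}
BOB_ZONES = ["zen.spamhaus.org", "truncate.gbudb.net", "dnsbl.njabl.org",
             "cbl.abuseat.org", "bl.spamcop.net", "dnsbl.sorbs.net"]

if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.9", "203.0.113.10"):
        print(ip, first_listing(ip, BOB_ZONES, lambda n: FAKE_DNS.get(n, [])))
```

[Calling first_listing() without the third argument does live lookups, which is a quick way to see which zone would reject a given client before adding it to main.cf.]
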
On Mon, 12 Mar 2012 17:12:13 -0400 Bob Hoffman <bob at bobhoffman.com> wrote:
> On my centos 5 server I just used sendmail with spamassassin and it
> killed a lot. Still, 100s, sometimes more made it through. Then
> thunderbird would weed out more, learned as it went...
> Still, had an inbox with a lot of junk.

Maybe you should read some http://www.acme.com/mail_filtering/ ... although from 2005, one of the best sendmail writeups I'm aware of.

> Now I have set up a centos 6 box using postfix. Today I decided to try
> to add smtpd restrictions. After a lot of reading and testing I 'seem'
> to be doing incredible.

I've switched to postfix back in 2001 and yes, it is amazing. Now that you're free of spam, you can dive into policyd and various content filtering schemes available.

It's amazing how far email has come, yet it's even more amazing that none of the major linux distros have everything in one place, well integrated and polished and we poor sysadmins still have to stitch solutions together ... heck, I still have to patch sasl for it to auth against crypted passwords ... maybe I should stop before I start ranting ;)

--
Jure Pečar
http://jure.pecar.org
http://f5j.eu