Optimal parameters set for Postfix "smtpd_recipient_restrictions"
Solution 1
Your order of rules is very bad. If you want to keep all of them and not add anything else, the order must be:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_non_fqdn_recipient
And if that still is not enough, then read about postscreen in http://www.postfix.org/POSTSCREEN_README.html.
Solution 2
I would suggest a smtpd_recipient_restrictions similar to the following:
smtpd_recipient_restrictions =
    # Whitelisting or blacklisting:
    check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
    # Everyone should play by the rules:
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    # Mails from your users:
    permit_mynetworks,
    permit_sasl_authenticated,
    # This will block mails from clients with no reverse DNS record. It will affect both spam and ham mails, but mostly spam.
    reject_unknown_reverse_client_hostname,
    # Instead of reject_unknown_reverse_client_hostname you can also use reject_unknown_client_hostname, which is an even stricter rule.
    # Reject ugly HELO/EHLO hostnames (could also affect regular mails):
    reject_non_fqdn_hostname,
    reject_invalid_helo_hostname,
    # Reject everything you're not responsible for:
    reject_unauth_destination,
    # Only take mails for existing accounts:
    reject_unverified_recipient,
    # DNS lookups are "expensive", therefore they should be at the bottom:
    reject_rbl_client zen.spamhaus.org
Detailed information on smtpd_recipient_restrictions can be found here: http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
Maybe you also want to use postgrey, postscreen, postfwd or some other policy daemon.
Also check that you are using your amavisd-new in pre-queue mode.
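Both answers rest on the same point: Postfix walks the restriction list top to bottom and the first restriction that answers OK or REJECT decides, so the position of the permit_* rules and of the expensive DNS/SQL lookups changes both the verdict and the cost. The following is an added example, not code from either answer or from Postfix itself: a small Python model of that first-match evaluation, with simplified stand-ins for six of the restrictions named above and two constructed sessions (a SASL-authenticated user relaying from an outside IP, and a blocklisted bot with a non-FQDN sender); the 192.168.0.0/16 "mynetworks" range, the domains and the addresses are assumptions.

```python
# Added example, not from the answers above or from Postfix: a toy model of
# first-match evaluation of smtpd_recipient_restrictions. Each restriction
# returns "OK", "REJECT" or None (Postfix's DUNNO); the first non-None result
# wins. Session fields, mynetworks range and checks are constructed/simplified.

EXPENSIVE = {"reject_rbl_client", "check_recipient_access"}  # DNS and SQL lookups

def permit_mynetworks(s):
    return "OK" if s["client_ip"].startswith("192.168.") else None
def permit_sasl_authenticated(s):
    return "OK" if s["sasl_user"] else None
def reject_non_fqdn_sender(s):
    return "REJECT" if "." not in s["sender"].split("@")[-1] else None
def reject_unauth_destination(s):
    # Accept only mail for hosted domains; relaying needs an earlier permit_* hit.
    return None if s["recipient"].split("@")[-1] in s["my_domains"] else "REJECT"
def reject_rbl_client(s):
    return "REJECT" if s["client_ip"] in s["rbl_listed"] else None
def check_recipient_access(s):
    return "REJECT" if s["recipient"] in s["sql_blocked"] else None

RESTRICTIONS = {f.__name__: f for f in (
    permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender,
    reject_unauth_destination, reject_rbl_client, check_recipient_access)}

def evaluate(order, session):
    """Return (verdict, expensive_lookups) for one RCPT TO under `order`."""
    lookups = 0
    for name in order:
        lookups += name in EXPENSIVE  # count DNS/SQL lookups this order triggers
        verdict = RESTRICTIONS[name](session)
        if verdict is not None:
            return verdict, lookups
    return "OK", lookups  # nothing matched: Postfix permits at the end of the list

GOOD_ORDER = ["permit_mynetworks", "permit_sasl_authenticated", "reject_non_fqdn_sender",
              "reject_unauth_destination", "reject_rbl_client", "check_recipient_access"]
BAD_ORDER = ["reject_unauth_destination", "reject_rbl_client", "check_recipient_access",
             "permit_mynetworks", "permit_sasl_authenticated", "reject_non_fqdn_sender"]

COMMON = {"my_domains": {"example.org"}, "rbl_listed": {"198.51.100.7"}, "sql_blocked": set()}
# Constructed sessions: an authenticated user on an outside IP sending to another
# domain, and a blocklisted bot whose sender address is not fully qualified.
ROAMING_USER = dict(COMMON, client_ip="203.0.113.5", sasl_user="alice",
                    sender="alice@example.org", recipient="bob@example.net")
SPAM_BOT = dict(COMMON, client_ip="198.51.100.7", sasl_user=None,
                sender="spam@localhost", recipient="bob@example.org")
```

With GOOD_ORDER the roaming user is permitted and the bot is rejected by a cheap check before any DNS or SQL lookup runs; with BAD_ORDER the roaming user's outbound mail is rejected by reject_unauth_destination and the bot still costs an RBL query first.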
Updated on September 18, 2022
Comments
-
Kosmo over 1 year
We've inherited the DNS from another ISP and now our mail server is bombed by about 1000 emails per minute; 99.99% of these emails are just spam. We're trying to optimize the filtering/rejecting of the spam with not much luck.
What would be, in your opinion, the optimal set for smtpd_recipient_restrictions?
The system config: Ubuntu + Amavis + Postfix + MySQL + Fail2Ban-Postfix
Any advice is welcome!
UPDATE, 2012-08-08
On alteration of the Postfix configuration as follows and configuring the Postgrey service, the spam level decayed 10 times:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_policy_service inet:127.0.0.1:10023, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_pipelining, reject_unauth_destination
-
mailq over 12 years
I want to buy that domain! Please place an offer.
-
mailq over 12 years
What are you trying to solve? What is your problem? You only say that you reject spam. But this is not a problem. This is a solution.
-
Kosmo over 12 years
@mailq: No way, I'm sorry.
-
Kosmo over 12 years
@mailq: The idea is to reject spam more effectively and reduce the system load.
-
Kosmo over 12 years
Sorry, but does the order matter or not? In a sense Postfix verifies "permit_mynetworks" first and "reject_non_fqdn_recipient" last.
-
mailq over 12 years
This is bad. The second line blocks mail for any outbound recipient. So you are not able to send mails from your server to the outside world. MySQL queries are equally expensive as DNS queries. So you should also move MySQL queries to the bottom.
-
B. Shea over 3 years
It may also be a good idea to read this: postfix.org/ADDRESS_VERIFICATION_README.html when using reject_unknown_recipient_domain