Optimal parameters set for Postfix "smtpd_recipient_restrictions"


Solution 1

Your order of rules is very bad. If you want to keep all of them and not add anything else, the order must be:

smtpd_recipient_restrictions = 
permit_mynetworks, 
permit_sasl_authenticated, 
reject_unauth_pipelining, 
reject_invalid_hostname, 
reject_non_fqdn_sender, 
reject_unknown_sender_domain, 
reject_unauth_destination, 
reject_unknown_recipient_domain, 
reject_rbl_client zen.spamhaus.org,
check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, 
reject_non_fqdn_recipient

And if that still is not enough then read about postscreen in http://www.postfix.org/POSTSCREEN_README.html.

Solution 2

I would suggest an smtpd_recipient_restrictions similar to the following:

smtpd_recipient_restrictions = 
  # Whitelisting or blacklisting:
  check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
  # Everyone should play by the rules:
  reject_non_fqdn_recipient,
  reject_non_fqdn_sender,
  reject_unknown_recipient_domain,
  reject_unknown_sender_domain,
  reject_unauth_pipelining,
  # Mails from your users:
  permit_mynetworks,
  permit_sasl_authenticated,
  # This will block mails from domains with no reverse DNS record. Will affect both spam and ham mails, but mostly spam. 
  reject_unknown_reverse_client_hostname,
  # Instead of reject_unknown_reverse_client_hostname you can also use reject_unknown_client_hostname, which is an even harder rule. 
  # Reject ugly HELO/EHLO-hostnames (could also affect regular mails):
  reject_non_fqdn_hostname,
  reject_invalid_helo_hostname,
  # Reject everything you're not responsible for:
  reject_unauth_destination,
  # Only take mails for existing accounts:
  reject_unverified_recipient,
  # DNS lookups are "expensive", therefore should be at bottom
  reject_rbl_client zen.spamhaus.org

Detailed information on smtpd_recipient_restrictions can be found here: http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

Maybe you also want to use postgrey, postscreen, postfwd or some other policy daemon.

Also check that you are using your amavisd-new in pre-queue mode.
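Both answers and mailq's comment below turn on the same fact: Postfix walks the restriction list top to bottom, the first restriction that returns OK or REJECT decides, and everything after it never runs, so order determines both what gets through and how many DNS and MySQL lookups each connection costs. The following Python model is an added example, not code from either answer or from Postfix. It reduces a handful of the restrictions above to functions returning "OK", "REJECT" or "DUNNO", records the lookups performed, and compares Solution 1's order with one where a MySQL recipient table sits in front of permit_mynetworks. The networks, domains, listed client and table contents are constructed, and the assumption that the questioner's table rejected unlisted recipients is taken from mailq's remark that it blocked outbound mail.

```python
"""Toy model of how Postfix walks smtpd_recipient_restrictions.

Added example; not code from the thread or from Postfix. Each restriction is
reduced to a function returning "OK", "REJECT" or "DUNNO": the first OK or
REJECT ends the walk, DUNNO moves on, and reaching the end of the list
permits. DNS and MySQL lookups are recorded so orderings can be compared.
Only the restrictions needed for the comparison are modelled.
"""
from dataclasses import dataclass, field

# Constructed environment: our networks, domains we accept mail for, domains
# that resolve in DNS, and a client listed on the RBL.
MYNETWORKS = ("127.0.0.", "192.0.2.")
LOCAL_DOMAINS = {"example.com"}
RESOLVABLE = {"example.com", "example.net"}
RBL_LISTED = {"203.0.113.7"}


@dataclass
class Session:
    client_ip: str
    sender: str
    recipient: str
    sasl_authenticated: bool = False
    lookups: list = field(default_factory=list)  # "dns" / "mysql" entries


def _domain(addr):
    return addr.rpartition("@")[2]


def permit_mynetworks(s):
    return "OK" if s.client_ip.startswith(MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(s):
    return "OK" if s.sasl_authenticated else "DUNNO"


def reject_non_fqdn_sender(s):
    return "DUNNO" if "." in _domain(s.sender) else "REJECT"


def reject_non_fqdn_recipient(s):
    return "DUNNO" if "." in _domain(s.recipient) else "REJECT"


def reject_unknown_sender_domain(s):
    s.lookups.append("dns")  # Postfix resolves the sender domain here
    return "DUNNO" if _domain(s.sender) in RESOLVABLE else "REJECT"


def reject_unknown_recipient_domain(s):
    s.lookups.append("dns")
    return "DUNNO" if _domain(s.recipient) in RESOLVABLE else "REJECT"


def reject_unauth_destination(s):
    # Accept only recipients in domains this server is responsible for.
    return "DUNNO" if _domain(s.recipient) in LOCAL_DOMAINS else "REJECT"


def reject_rbl_client(s):
    s.lookups.append("dns")  # one DNSBL query per client
    return "REJECT" if s.client_ip in RBL_LISTED else "DUNNO"


def check_recipient_access(table, unlisted="DUNNO"):
    """Stand-in for a MySQL-backed access map. Listed addresses get the
    table's action; unlisted ones get `unlisted`. Assumption: the questioner's
    table answered REJECT for unknown recipients (unlisted="REJECT")."""
    def restriction(s):
        s.lookups.append("mysql")
        return table.get(s.recipient, unlisted)
    return restriction


def evaluate(restrictions, session):
    """Return (decision, name of deciding restriction, lookups performed)."""
    for name, fn in restrictions:
        verdict = fn(session)
        if verdict != "DUNNO":
            return verdict, name, list(session.lookups)
    return "OK", "end of list", list(session.lookups)


# Whitelist/blacklist table as Solution 2 intends it: explicit entries only.
ACCESS_TABLE = {"blocked@example.com": "REJECT", "partner@example.com": "OK"}

SOLUTION_1 = [
    ("permit_mynetworks", permit_mynetworks),
    ("permit_sasl_authenticated", permit_sasl_authenticated),
    ("reject_non_fqdn_sender", reject_non_fqdn_sender),
    ("reject_unknown_sender_domain", reject_unknown_sender_domain),
    ("reject_unauth_destination", reject_unauth_destination),
    ("reject_unknown_recipient_domain", reject_unknown_recipient_domain),
    ("reject_rbl_client", reject_rbl_client),
    ("check_recipient_access", check_recipient_access(ACCESS_TABLE)),
    ("reject_non_fqdn_recipient", reject_non_fqdn_recipient),
]

# The ordering mailq objected to: a table that rejects unknown recipients
# placed before permit_mynetworks, so local users cannot send out.
TABLE_FIRST = [
    ("check_recipient_access", check_recipient_access({}, unlisted="REJECT")),
    ("permit_mynetworks", permit_mynetworks),
    ("reject_unauth_destination", reject_unauth_destination),
]


def outbound_from_lan(order):
    return evaluate(order, Session("192.0.2.10", "alice@example.com", "bob@example.net"))


def inbound_from_listed_host(order):
    return evaluate(order, Session("203.0.113.7", "x@example.net", "nobody@example.com"))


if __name__ == "__main__":
    for label, order in (("solution 1", SOLUTION_1), ("table first", TABLE_FIRST)):
        print(label, outbound_from_lan(order), inbound_from_listed_host(order))
```

With Solution 1's order the outbound message is permitted at permit_mynetworks with no lookups at all, and the listed spam source is rejected at reject_rbl_client after three DNS queries; with the table placed first, the same outbound message is rejected by the MySQL lookup before permit_mynetworks is ever reached. A table that only whitelists or blacklists specific addresses and answers DUNNO for everything else, as Solution 2 intends, does not have that problem, which is why Solution 2 can put it at the top.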


Updated on September 18, 2022

Comments

  • Kosmo
    Kosmo over 1 year

    We've inherited the DNS from another ISP and now our mail server is bombed by about 1000 emails per minute; 99.99% of these emails are just spam. We're trying to optimize the filtering/rejecting of the spam with not much luck.

    What would be, in your opinion, the optimal set for smtpd_recipient_restrictions?

    The system config: Ubuntu + Amavis + Postfix + MySQL + Fail2Ban-Postfix

    Any advice is welcome!

    UPDATE, 2012-08-08

    On altering the Postfix configuration as follows and configuring the Postgrey service, the spam level decayed 10 times

    smtpd_recipient_restrictions = 
    permit_mynetworks, 
    permit_sasl_authenticated, 
    reject_non_fqdn_hostname, 
    reject_invalid_hostname, 
    reject_non_fqdn_sender, 
    reject_unknown_sender_domain, 
    reject_non_fqdn_recipient, 
    reject_unknown_recipient_domain, 
    check_policy_service inet:127.0.0.1:10023, 
    reject_rbl_client zen.spamhaus.org, 
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_pipelining, 
    reject_unauth_destination

    • mailq
      mailq over 12 years
      I want to buy that domain! Please place an offer.
    • mailq
      mailq over 12 years
      What are you trying to solve? What is your problem? You only say that you reject Spam. But this is not a problem. This is a solution.
    • Kosmo
      Kosmo over 12 years
      @mailq: no way, I'm sorry
    • Kosmo
      Kosmo over 12 years
      @mailq: the idea is to reject spam more effectively and reduce the system load
  • Kosmo
    Kosmo over 12 years
    Sorry, but does the order matter or not? In the sense that Postfix verifies "permit_mynetworks" first and "reject_non_fqdn_recipient" last.
  • mailq
    mailq over 12 years
    This is bad. The second line blocks mail for any outbound recipient. So you are not able to send mails from your server to the outside world. MySQL queries are equally expensive as DNS queries. So you should also move MySQL queries to the bottom.
  • B. Shea
    B. Shea over 3 years
    It may also be a good idea to read this: postfix.org/ADDRESS_VERIFICATION_README.html when using reject_unknown_recipient_domain