8

We've inherited the DNS from another ISP and now our mail server is bombed by about 1000 emails per minute; 99.99% of these emails are just spam. We're trying to optimize the filtering/rejecting of the spam without much luck.

What would be, in your opinion, the optimal set for smtpd_recipient_restrictions?

The system config: Ubuntu + Amavis + Postfix + MySQL + Fail2Ban-Postfix

Any advice is welcome!

UPDATE, 2012-08-08

After altering the Postfix configuration as follows and configuring the Postgrey service, the spam level decreased 10 times:

smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_hostname,
  reject_invalid_hostname,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  check_policy_service inet:127.0.0.1:10023,
  reject_rbl_client zen.spamhaus.org,
  check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
  reject_unauth_pipelining,
  reject_unauth_destination


Igor

2 Answers

6

Your order of rules is very bad. If you want to keep all of them and not add anything else, the order must be:

smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_pipelining,
  reject_invalid_hostname,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_unauth_destination,
  reject_unknown_recipient_domain,
  reject_rbl_client zen.spamhaus.org,
  check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
  reject_non_fqdn_recipient

And if that still is not enough then read about postscreen in http://www.postfix.org/POSTSCREEN_README.html.

mailq
  • Sorry, but does the order matter or not? In a sense, Postfix verifies at first "permit_mynetworks" and at last "reject_non_fqdn_recipient". – Igor Sep 16 '11 at 13:49
  • 1
    Definitely! Order matters. From left to right (or top to bottom). As described in http://www.postfix.org/SMTPD_ACCESS_README.html – mailq Sep 16 '11 at 23:19
  • It may also be a good idea to read this: https://www.postfix.org/ADDRESS_VERIFICATION_README.html when using `reject_unknown_recipient_domain` – B. Shea Oct 07 '20 at 01:37
5

I would suggest a smtpd_recipient_restrictions similar to the following:

smtpd_recipient_restrictions = 
  # Whitelisting or blacklisting:
  check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
  # Everyone should play by the rules:
  reject_non_fqdn_recipient,
  reject_non_fqdn_sender,
  reject_unknown_recipient_domain,
  reject_unknown_sender_domain,
  reject_unauth_pipelining,
  # Mails from your users:
  permit_mynetworks,
  permit_sasl_authenticated,
  # This will block mails from domains with no reverse DNS record. Will affect both spam and ham mails, but mostly spam. 
  reject_unknown_reverse_client_hostname,
  # Instead of reject_unknown_reverse_client_hostname you can also use reject_unknown_client_hostname, which is an even harder rule. 
  # Reject ugly HELO/EHLO-hostnames (could also affect regular mails):
  reject_non_fqdn_hostname,
  reject_invalid_helo_hostname,
  # Reject everything you're not responsible for:
  reject_unauth_destination,
  # Only take mails for existing accounts:
  reject_unverified_recipient,
  # DNS lookups are "expensive", therefore should be at bottom
  reject_rbl_client zen.spamhaus.org

Detailed information on smtpd_recipient_restrictions can be found here: http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

Maybe you also want to use postgrey, postscreen, postfwd or some other policy daemon.

Also check that you are using your amavisd-new in pre-queue mode.

sebokopter
  • 1
    This is bad. The second line blocks mail for any outbound recipient. So you are not able to send mails from your server to the outside world. MySQL queries are equally expensive as DNS queries. So you should also move MySQL queries to the bottom. – mailq Sep 16 '11 at 23:23
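
The ordering point made in the answers and comments above (restrictions are evaluated top to bottom, and DNS and MySQL lookups are expensive), as an added example that is not part of the original thread: a small Python linter that lists cheap `reject_*` rules placed after the first expensive lookup, run on the configuration from the question's update. The cost model in `cost()` and the prefix-based token parsing are assumptions of this example, not Postfix behaviour.

```python
import re
# Restriction list copied from the question's 2012-08-08 update.
QUESTION_CONFIG = """smtpd_recipient_restrictions =
  permit_mynetworks, permit_sasl_authenticated,
  reject_non_fqdn_hostname, reject_invalid_hostname,
  reject_non_fqdn_sender, reject_unknown_sender_domain,
  reject_non_fqdn_recipient, reject_unknown_recipient_domain,
  check_policy_service inet:127.0.0.1:10023,
  reject_rbl_client zen.spamhaus.org,
  check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
  reject_unauth_pipelining, reject_unauth_destination
"""

def cost(name, arg):
    """Assumed cost model: name the expensive lookup, or None if cheap."""
    if name == "reject_rbl_client":
        return "DNS blocklist lookup"
    if name == "check_policy_service":
        return "policy daemon round trip"
    if name.startswith("check_") and "mysql:" in arg:
        return "MySQL query"

def parse(value):
    """Split a restriction list into ordered (name, argument) pairs."""
    rules = []
    for line in value.splitlines():
        if line.lstrip().startswith("#"):      # comment line inside the value
            continue
        for tok in filter(None, re.split(r"[,\s]+", line)):
            if re.match(r"(reject|permit|check|defer)(_|$)", tok):
                rules.append([tok, ""])         # a restriction name
            elif rules:
                rules[-1][1] = tok              # argument of the previous name
    return [tuple(r) for r in rules]

def late_cheap_rejects(value):
    """Cheap reject_* rules that only run after an expensive lookup."""
    findings, first = [], None
    for pos, (name, arg) in enumerate(parse(value), start=1):
        why = cost(name, arg)
        if why and first is None:
            first = (pos, name, why)
        elif not why and first and name.startswith("reject_"):
            findings.append((pos, name, first))
    return findings

if __name__ == "__main__":
    for pos, name, (epos, ename, why) in late_cheap_rejects(QUESTION_CONFIG):
        print(f"{pos}: {name} runs after {epos}: {ename} ({why})")
```

To check a live server, pass the output of `postconf -h smtpd_recipient_restrictions` to `late_cheap_rejects()`.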