Postfix Anti-Spam Example

Now that we've covered the many aspects of Postfix's anti-spam arsenal, we'll finish with an example configuration. Requirements vary considerably from site to site, so it's impossible to make actual recommendations apart from the considerations that have been discussed in this chapter. Example 11-2 can provide a starting point, but you must decide for yourself which restrictions fit your own circumstances.

Example 11-2. Sample restrictions to block UBE

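# Restriction classes take effect only when an access table lookup
# returns the class name (spamhater or spamlover) as its result.
smtpd_restriction_classes =
 spamlover
 spamhater

# Strict checks for recipients who want aggressive filtering.
spamhater =
 reject_invalid_hostname
 reject_non_fqdn_hostname
 reject_unknown_sender_domain
 reject_rbl_client nospam.example.com

# No extra checks for recipients who prefer to receive everything.
spamlover = permit

# Require HELO/EHLO so the HELO restrictions always have a name to check.
smtpd_helo_required = yes
smtpd_client_restrictions =
 check_client_access hash:/etc/postfix/client_access
smtpd_helo_restrictions =
 reject_invalid_hostname
 check_helo_access hash:/etc/postfix/helo_access
smtpd_sender_restrictions =
 reject_non_fqdn_sender
 reject_unknown_sender_domain
 check_sender_access hash:/etc/postfix/sender_access
# permit_mynetworks followed by reject_unauth_destination keeps the
# server from acting as an open relay.
smtpd_recipient_restrictions =
 permit_mynetworks
 reject_unauth_destination
 reject_non_fqdn_recipient
 reject_unknown_recipient_domain
smtpd_data_restrictions =
 reject_unauth_pipelining
# Lookup tables must be given in type:name form; regexp is assumed here.
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks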

You should enter IP and email addresses into the access tables from messages you receive that you have identified as spam. It's very difficult to block a lot of spam with the check_helo_access and check_sender_access restrictions because it's so easy for spammers to fake that information. There is effectively an unlimited number of addresses and hostnames spammers might use. This makes it nearly impossible to keep up with them. Since it's so easy to fake this information, you might be blocking legitimate hosts and addresses that just have the bad luck of having their information used by spammers.

But these checks can be useful against messages that repeatedly use the same forged information and spammers that don't attempt to cover their tracks. Some online marketing services use their real information when sending spam. These sites might even honor removal requests, but if you object to having to request a removal from companies you've never heard of, you can block them based on the HELO or MAIL FROM information.

You can also block sites that you don't want to hear from whether they're real or fake. Mail from a site you consider objectionable is one example. Also, if you believe it's impossible that you would be receiving messages from the Republic of Maldives, you could block addresses and hostnames using the Republic of Maldives' top-level domain. Keep in mind, however, that if you run a mail system for many users, you probably shouldn't force your own moral attitude on everyone, or assume your users don't have Maldivian relatives or a special interest in the cuisine.
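The following is an added example, not from the book or from Postfix itself: a simplified Python model of the order in which check_sender_access looks up keys in a hash table, showing how a top-level-domain entry blocks every address under it while an exact-address entry still lets one correspondent through. The table contents are constructed, address extensions are ignored, and the default parent_domain_matches_subdomains setting (which lists smtpd_access_maps) is assumed.

```python
"""Simplified model of the access(5) lookup order used by check_sender_access.

Added illustration only. Assumes a hash: table and the default
parent_domain_matches_subdomains setting; address extensions are ignored.
"""

# Constructed sample source for /etc/postfix/sender_access.
SENDER_ACCESS = """\
# An exact address is looked up before any domain entry.
cousin@resort.example.mv    OK
bulk.example.com            REJECT Unsolicited bulk mail not accepted
mv                          REJECT
offers@                     REJECT
"""


def parse_table(text):
    """Parse 'pattern action' lines; keys are folded to lower case."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table


def candidate_keys(address):
    """Keys tried for a MAIL FROM address, in lookup order."""
    local, _, domain = address.lower().rpartition("@")
    labels = domain.split(".")
    keys = [f"{local}@{domain}"]                                # user@domain
    keys += [".".join(labels[i:]) for i in range(len(labels))]  # domain, parents, TLD
    keys.append(f"{local}@")                                    # user@
    return keys


def lookup(table, address):
    """Return (matching key, action); (None, None) means no entry matched
    and the next restriction in the list would be evaluated."""
    for key in candidate_keys(address):
        if key in table:
            return key, table[key]
    return None, None


if __name__ == "__main__":
    table = parse_table(SENDER_ACCESS)
    for sender in ("cousin@resort.example.mv", "info@shop.example.mv",
                   "News@Mail.Bulk.Example.com", "offers@example.org",
                   "alice@example.org"):
        print(sender, "->", lookup(table, sender))
```

On a real system the compiled table is queried one key at a time with postmap -q, so the same order can be checked by hand against the live table.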

Postfix: The Definitive Guide
ISBN: 0596002122
EAN: 2147483647
Year: 2006
Pages: 130
Authors: Kyle Dent D.