Postfix-jp - Anti-spam on Postfix
Modified: Nov. 26, 2003 [Japanese Page]




This is a translation of my Japanese page that describes how to prevent illegal use of a mail server and how to reject illegally relayed mail. Some descriptions are omitted because they are specific to Japan.


Postfix is said to be a more secure MTA than sendmail, but because it is so easy to configure, it can just as easily be turned into a dangerous mass-spam relay. So you need to configure your mail server carefully.


IN EMERGENCY

If you notice that your Postfix is sending too many mails or is wasting the host's resources abnormally, run

# postfix abort

to kill all Postfix processes. `postfix stop' lets processes in progress finish first.


To prevent 3rd-party mail relays

By default, Postfix relays mail only from/to $mynetworks and $relay_domains. To prevent 3rd-party relays, you must configure these two parameters correctly. If any host listed in these parameters itself allows 3rd-party relays, no other configuration will help, because Postfix trusts every host in those parameters unconditionally.

If you want to send mail from outside your network, the server has to relay your mail. In that case, configure Postfix to relay mail only from specific authenticated users, as described in "To require authentication for SMTP connections from outside of the network". It is possible to list IP addresses or hostnames so that mail from a particular host outside $mynetworks is relayed, but it is not recommended: you cannot stop spam relayed by another customer of an ISP you listed, and IP addresses and hostnames may be forged. A relay check based on the sender address is meaningless.

Postfix has many other parameters for handling illegal clients. Configure them carefully, because a strict check will also reject mail you need from a host that is configured wrongly. In particular, a great many clients send a wrong HELO host name; if you reject wrong HELO names, you may lose mail from your friends or customers. Most of the related parameters are in the "UCE RESTRICTIONS" and "ADDITIONAL UCE CONTROLS" sections of sample-smtpd.cf.

It may be better not to change the smtpd_*_restrictions parameters until you understand what they mean.


To check 3rd-party relays

To check whether your Postfix rejects 3rd-party relays, type

% telnet relay-test.mail-abuse.org

on your server. The site will connect back to your server and run about 20 relay checks. Don't check hosts outside your control; test only your own server. Some administrators don't like being checked this way. Do it at your own risk.

To pass all the tests, Postfix version 19991229 or later is required. Earlier versions cannot pass these checks because of their design. In most cases this is not a problem (the server accepts the message first and then treats it as an error), but to be sure, I recommend upgrading your server so that it passes all checks.

Similar checks are available at http://www.rbl.jp/svcheck.php, http://www.abuse.net/relay.html and http://www.paladincorp.com.au/unix/spam/spamlart/. RBL.jp provides almost the same checks as relay-test.mail-abuse.org. Abuse.net tests relays with real mails if you register. Paladincorp.com.au seems to check about 70 items (information from [postfix-jp:02195]).

These checks guarantee only a minimum level. Passing them does not always mean there is no problem.

By the way, the -bt option of the sendmail package is not recognized by the Postfix sendmail command. To check the Postfix configuration syntax, type:

# postfix check

but it cannot check the rules for sender names or client hosts.


To require authentication for SMTP connections from outside of the network

With a configuration that rejects 3rd-party relays, you may find that you cannot send mail from outside. To solve this, you may want to configure Postfix to require authentication when someone outside the network sends mail that is not addressed to your domain.

There are two methods of authentication: SMTP Auth and POP before SMTP. POP before SMTP needs no special client feature; all you have to do is ask users to check their mail via POP3 before sending. SMTP Auth requires clients that implement the feature.

In Postfix, SMTP Auth is supported in snapshot 20000507 or later. It is also supported in Sendmail 8.10 or later. I'm not familiar with SMTP Auth, but I succeeded in using it on snapshot 20000531, and I reported it in my install record (in Japanese). SMTP Auth capable mailers for Windows are introduced on Taki Internet Mail Private Lab. (in Japanese).

With POP before SMTP, a daemon monitors the log produced by the POP/IMAP server and tells the SMTP server which host has just authenticated, so that relays from that host are allowed for a few minutes.
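The core of such a daemon is small: watch the POP/IMAP log for successful logins, remember the client address for a few minutes, and hand Postfix the list of addresses that may relay. The following is an added illustration of that mechanism, not code from this page or from any particular POP-before-SMTP package. The log lines are constructed in a Courier-like format and the field names are assumptions; the regular expression has to be adapted to whatever your own POP/IMAP server writes.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Constructed POP3/IMAP log lines (Courier-like format, assumed for this
# example). Only a successful "LOGIN" should open the relay window; the
# "LOGIN FAILED" and "LOGOUT" lines must be ignored.
CONSTRUCTED_LOG = """\
2003-11-26T10:00:01 pop3d: LOGIN, user=alice, ip=[192.0.2.10]
2003-11-26T10:00:05 pop3d: LOGIN FAILED, user=mallory, ip=[203.0.113.7]
2003-11-26T10:02:30 imapd: LOGIN, user=bob, ip=[198.51.100.20]
2003-11-26T10:03:00 pop3d: LOGOUT, user=alice, ip=[192.0.2.10]
"""

# Matches a successful login only: "LOGIN FAILED, ..." does not fit "LOGIN, user=".
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?:pop3d|imapd): LOGIN, "
    r"user=\S+, ip=\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]$"
)


def parse_stamp(stamp: str) -> datetime:
    """Timestamp helper for the constructed ISO-8601 format."""
    return datetime.fromisoformat(stamp)


def parse_login(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, client IP) for a successful login line, else None."""
    m = LOGIN_RE.match(line.strip())
    if m is None:
        return None
    return parse_stamp(m.group("ts")), m.group("ip")


class RelayWindow:
    """Client addresses allowed to relay, each for a fixed time after authenticating."""

    def __init__(self, minutes: int = 5) -> None:
        self.ttl = timedelta(minutes=minutes)
        self.expiry: Dict[str, datetime] = {}

    def record(self, ip: str, when: datetime) -> None:
        # A new login restarts the window for that client address.
        self.expiry[ip] = when + self.ttl

    def allowed(self, ip: str, now: datetime) -> bool:
        exp = self.expiry.get(ip)
        return exp is not None and now < exp

    def prune(self, now: datetime) -> None:
        # Drop expired entries so an address does not stay permitted forever.
        self.expiry = {ip: exp for ip, exp in self.expiry.items() if now < exp}

    def access_map(self, now: datetime) -> str:
        """Render the still-valid addresses as lines for a check_client_access map."""
        self.prune(now)
        return "".join(f"{ip} OK\n" for ip in sorted(self.expiry))


def feed(window: RelayWindow, lines: Iterable[str]) -> int:
    """Feed log lines into the window; return how many logins were recorded."""
    count = 0
    for line in lines:
        parsed = parse_login(line)
        if parsed is not None:
            when, ip = parsed
            window.record(ip, when)
            count += 1
    return count


if __name__ == "__main__":
    w = RelayWindow(minutes=5)
    feed(w, CONSTRUCTED_LOG.splitlines())
    print(w.access_map(parse_stamp("2003-11-26T10:04:00")), end="")
```

A real daemon would run this continuously on the live log, write the output of access_map() to a file, rebuild it with postmap, and reference it with check_client_access in front of the relay check, exactly like the map described in "How to make your own list" below. The expiry is what makes the scheme safe: an address stays permitted only for the window after a successful login, never because of a failed one.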


Using a blacklist

There are a great many hosts on the internet, and not a few of them allow 3rd-party mail relay. To reject mail relayed through such hosts, some sites publish blacklists of open-relay hosts.

To use a blacklist published at domain.tld, add reject_rbl_client domain.tld to the $smtpd_client_restrictions parameter. Postfix then rejects mail from clients listed by domain.tld.

But if your customer's host is on the list, you may miss important mail and cause trouble for your business. If you use a blacklist, you should monitor the mail logs.

Recently, some of these services have been stopped or have changed their host names without notice. When a service in $maps_rbl_domains is stopped, Postfix may be forced to wait until a timeout, or it may block all mail because of wrong replies from the blacklist server. If you use an RBL, you should keep up with news about the service.

[main.cf]

smtpd_client_restrictions = permit_mynetworks,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client sbl.spamhaus.org,
    permit

The specialties of each database site are described on RBL-Type Services.
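To see what reject_rbl_client actually does, and why a dead blacklist zone can hurt, here is an added model of a DNSBL check. It is example code written for this page, not Postfix code. The zone names under example.test and the resolver are constructed so that it runs offline: one zone lists a single address, one never answers, and one answers every query (the "wrong reply" case above). Postfix's reject_rbl_client counts any A record as a listing unless you tell it which address to match; this model deliberately counts only answers in 127.0.0.0/8, and treats a timeout as "no opinion" rather than as a listing, which is a design choice of the example.

```python
import ipaddress
from typing import Callable, List, Optional, Sequence, Tuple

Resolver = Callable[[str], List[str]]

# Constructed stand-in for DNS (hypothetical zones; a real daemon would use the
# system resolver). Names under "dead" never answer; names under "wild" answer
# every query with an unrelated address, as a re-registered parked domain might.
CONSTRUCTED_ZONES = {
    "4.3.2.1.relays.example.test": ["127.0.0.2"],
}


def constructed_resolver(name: str) -> List[str]:
    if name.endswith(".dead.example.test"):
        raise TimeoutError(name)
    if name.endswith(".wild.example.test"):
        return ["10.0.0.1"]
    return CONSTRUCTED_ZONES.get(name, [])


def dnsbl_query_name(client_ip: str, rbl_domain: str) -> str:
    """The name reject_rbl_client looks up: IPv4 octets reversed, then the zone."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + rbl_domain


def dnsbl_listed(client_ip: str, rbl_domain: str, resolve: Resolver) -> Optional[bool]:
    """True if listed, False if not, None if the zone could not be queried.

    Only answers inside 127.0.0.0/8 count as a listing here, so a zone that
    answers every query with some other address does not reject every client.
    """
    try:
        answers = resolve(dnsbl_query_name(client_ip, rbl_domain))
    except TimeoutError:
        return None
    listed_range = ipaddress.IPv4Network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in listed_range for a in answers)


def check_client(client_ip: str, rbl_domains: Sequence[str],
                 resolve: Resolver) -> Tuple[str, Optional[str], List[str]]:
    """Walk the zones in order, like consecutive reject_rbl_client restrictions.

    Returns (action, zone that matched, zones that failed to answer). A zone
    that times out is skipped instead of being treated as a listing, so a
    dead service degrades to DUNNO (let the next restriction decide) rather
    than blocking all mail. A real daemon would log each unreachable zone.
    """
    unreachable: List[str] = []
    for zone in rbl_domains:
        result = dnsbl_listed(client_ip, zone, resolve)
        if result is True:
            return "REJECT", zone, unreachable
        if result is None:
            unreachable.append(zone)
    return "DUNNO", None, unreachable


if __name__ == "__main__":
    zones = ["dead.example.test", "relays.example.test"]
    print(check_client("1.2.3.4", zones, constructed_resolver))
    print(check_client("5.6.7.8", zones, constructed_resolver))
```

The unreachable list is the part worth watching in production: if the same zone keeps appearing there, the service has probably gone away and the reject_rbl_client entry should be removed before it starts returning wrong answers.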


How to make your own list

To make your own blacklist of hosts and/or domains, create a map file like:

[/etc/postfix/reject_access_map]
    domain1.name REJECT
    domain2.name OK
    domain3.name REJECT

and specify the map file with check_client_access in the $smtpd_client_restrictions parameter like:

[main.cf]
    smtpd_client_restrictions = permit_mynetworks,
        check_client_access hash:/etc/postfix/reject_access_map,
        permit

Build the database from the map file with the postmap /etc/postfix/reject_access_map command.

To reject specific sender addresses, specify a map file in the $smtpd_sender_restrictions parameter in the same way.
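When you write such a map, the question that matters is which entry a given client will hit. The following added example (written for this page, not Postfix's own lookup code) models the lookup order that access(5) documents for check_client_access: the full client hostname, then its parent domains, then the full IP address, then network prefixes with the least significant octets stripped, first match winning. The map text reuses the page's placeholder domain names plus two constructed network entries; pass None as the hostname for a client whose reverse lookup failed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed access map in the page's format: key, whitespace, action.
# domain1.name etc. are the page's placeholders; the 192.0.2 entries are made up.
CONSTRUCTED_MAP = """\
# comments and blank lines are ignored
domain1.name REJECT
domain2.name OK
domain3.name REJECT
192.0.2      REJECT
192.0.2.50   OK
"""


def parse_access_map(text: str) -> Dict[str, str]:
    """Parse the text form of an access map (what postmap compiles into hash:)."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()
    return table


def client_lookup_keys(hostname: Optional[str], ip: str,
                       subdomains_match: bool = True) -> List[str]:
    """Keys in the order check_client_access tries them.

    With smtpd_access_maps in parent_domain_matches_subdomains (the default),
    parent domains are looked up as "domain.tld"; otherwise as ".domain.tld".
    """
    keys: List[str] = []
    if hostname:
        labels = hostname.lower().split(".")
        keys.append(hostname.lower())
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            keys.append(parent if subdomains_match else "." + parent)
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    for n in range(4, 0, -1):           # 1.2.3.4, 1.2.3, 1.2, 1
        keys.append(".".join(octets[:n]))
    return keys


def decide(table: Dict[str, str], hostname: Optional[str],
           ip: str) -> Tuple[str, Optional[str]]:
    """First matching key wins; no match means DUNNO (the next restriction decides)."""
    for key in client_lookup_keys(hostname, ip):
        if key in table:
            return table[key], key
    return "DUNNO", None


if __name__ == "__main__":
    table = parse_access_map(CONSTRUCTED_MAP)
    for host, addr in [("mail.domain2.name", "198.51.100.9"),
                       ("mail.domain1.name", "192.0.2.50"),
                       (None, "192.0.2.50"),
                       (None, "192.0.2.77")]:
        print(host, addr, "->", decide(table, host, addr))
```

Two consequences are visible in the output: a hostname entry is consulted before any address entry, so "mail.domain1.name" is rejected even though its address 192.0.2.50 is explicitly allowed; and the more specific 192.0.2.50 entry wins over the 192.0.2 network entry only when the hostname gives no match. You can confirm the real map the same way with postmap -q against the compiled file.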

Postfix cannot refuse SMTP connections from specific clients; it accepts the connection and rejects afterwards. To refuse connections from specific clients, you need packet filtering software such as ipfw or ipfilter.



ike@kobitosan.net