Difference between revisions of "CentOS 7.x Configure Postfix to block spam"
From Notes_Wiki
m |
m |
||
| Line 30: | Line 30: | ||
permit_sasl_authenticated, | permit_sasl_authenticated, | ||
reject_unauth_destination, | reject_unauth_destination, | ||
#reject_rbl_client all.s5h.net, Commented on 2020-03-20 as blocking tendertiger.com 'Client host [202.137.236.139] blocked using all.s5h.net' | |||
reject_rbl_client b.barracudacentral.org, | reject_rbl_client b.barracudacentral.org, | ||
reject_rbl_client bl.spamcop.net, | reject_rbl_client bl.spamcop.net, | ||
| Line 41: | Line 41: | ||
reject_rbl_client dnsbl.dronebl.org, | reject_rbl_client dnsbl.dronebl.org, | ||
reject_rbl_client dnsbl.inps.de, | reject_rbl_client dnsbl.inps.de, | ||
reject_rbl_client dnsbl.sorbs.net, | #reject_rbl_client dnsbl.sorbs.net, Commented on 2020-03-19 as blocking gmail 'Client host [209.85.210.173] blocked using dnsbl.sorbs.net' | ||
reject_rbl_client dnsbl.spfbl.net, | #reject_rbl_client dnsbl.spfbl.net, Commented on 2020-03-20 as has lot of false positives including our own mail servers 'Client host [3.222.142.115] blocked using dnsbl.spfbl.net' | ||
reject_rbl_client dsn.rfc-ignorant.org, | reject_rbl_client dsn.rfc-ignorant.org, | ||
reject_rbl_client duinv.aupads.org, | reject_rbl_client duinv.aupads.org, | ||
reject_rbl_client dul.dnsbl.sorbs.net, | reject_rbl_client dul.dnsbl.sorbs.net, | ||
reject_rbl_client http.dnsbl.sorbs.net | reject_rbl_client http.dnsbl.sorbs.net | ||
reject_rbl_client ips.backscatterer.org, | #reject_rbl_client ips.backscatterer.org, Commented on 2020-03-20 as blocking many client emails from Dell, IIT Tirupati, etc. 'Client host [209.85.210.196] blocked using ips.backscatterer.org' | ||
reject_rbl_client ix.dnsbl.manitu.net, | reject_rbl_client ix.dnsbl.manitu.net, | ||
reject_rbl_client korea.services.net, | reject_rbl_client korea.services.net, | ||
reject_rbl_client misc.dnsbl.sorbs.net, | reject_rbl_client misc.dnsbl.sorbs.net, | ||
reject_rbl_client multi.uribl.com, | #reject_rbl_client multi.uribl.com, Commented on 2020-03-20 as blocking Amazon SES 'Client host [54.240.27.14] blocked using multi.uribl.com' | ||
reject_rbl_client pbl.spamhaus.org, | reject_rbl_client pbl.spamhaus.org, | ||
reject_rbl_client proxy.bl.gweep.ca, | reject_rbl_client proxy.bl.gweep.ca, | ||
Revision as of 05:52, 20 March 2020
<yambe:breadcrumb>CentOS_7.x_postfix_configuration|CentOS 7.x postfix configuration</yambe:breadcrumb>
To block SPAM using postfix use:
- Edit /etc/postfix/main.cf and append this at bottom
#From https://www.howtoforge.com/block_spam_at_mta_level_postfix
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
smtpd_recipient_restrictions =
reject_invalid_hostname,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
#reject_rbl_client all.s5h.net, Commented on 2020-03-20 as blocking tendertiger.com 'Client host [202.137.236.139] blocked using all.s5h.net'
reject_rbl_client b.barracudacentral.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client bogons.cymru.com,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client combined.rbl.msrbl.net,
reject_rbl_client dnsbl-1.uceprotect.net
reject_rbl_client dnsbl-2.uceprotect.net,
reject_rbl_client dnsbl-3.uceprotect.net,
reject_rbl_client dnsbl.dronebl.org,
reject_rbl_client dnsbl.inps.de,
#reject_rbl_client dnsbl.sorbs.net, Commented on 2020-03-19 as blocking gmail 'Client host [209.85.210.173] blocked using dnsbl.sorbs.net'
#reject_rbl_client dnsbl.spfbl.net, Commented on 2020-03-20 as has lot of false positives including our own mail servers 'Client host [3.222.142.115] blocked using dnsbl.spfbl.net'
reject_rbl_client dsn.rfc-ignorant.org,
reject_rbl_client duinv.aupads.org,
reject_rbl_client dul.dnsbl.sorbs.net,
reject_rbl_client http.dnsbl.sorbs.net
#reject_rbl_client ips.backscatterer.org, Commented on 2020-03-20 as blocking many client emails from Dell, IIT Tirupati, etc. 'Client host [209.85.210.196] blocked using ips.backscatterer.org'
reject_rbl_client ix.dnsbl.manitu.net,
reject_rbl_client korea.services.net,
reject_rbl_client misc.dnsbl.sorbs.net,
#reject_rbl_client multi.uribl.com, Commented on 2020-03-20 as blocking Amazon SES 'Client host [54.240.27.14] blocked using multi.uribl.com'
reject_rbl_client pbl.spamhaus.org,
reject_rbl_client proxy.bl.gweep.ca,
reject_rbl_client psbl.surriel.com,
reject_rbl_client rabl.nuclearelephant.com,
reject_rbl_client relays.bl.gweep.ca,
reject_rbl_client relays.nether.net,
reject_rbl_client sbl-xbl.spamhaus.org,
#reject_rbl_client sbl.spamhaus.org
reject_rbl_client smtp.dnsbl.sorbs.net,
reject_rbl_client socks.dnsbl.sorbs.net,
#reject_rbl_client spam.dnsbl.sorbs.net, Commented on 2020-03-19 as blocking gmail 'Client host [209.85.214.177] blocked using spam.dnsbl.sorbs.net'
reject_rbl_client spamsources.fabel.dk,
reject_rbl_client ubl.unsubscore.com,
reject_rbl_client web.dnsbl.sorbs.net,
#reject_rbl_client xbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client zombie.dnsbl.sorbs.net,
permit
- Followed by systemctl restart postfix
Look at /var/log/maillog and send test emails from other domains to these email server. Ensure that legitimate senders are not getting rejected.
Ideally dnsbl.sorbs.net should not be commented to allow a sender. In such cases use reference links given later to understand how to create exceptions for rbl using
"check_client_access hash:/etc/postfix/rbl_client_exceptions,"
configuration before rbl checks. Note that file /etc/posfix/rbl_client/exceptions must be hashed using postmap after every change, for new changes to take effect.
Also refer to Blocking_SPAM_at_MTA_level_in_postfix to understand how DNSBL queries can be made using dig.
Refer:
- https://www.howtoforge.com/block_spam_at_mta_level_postfix
- https://www.howtoforge.com/virtual_postfix_antispam
<yambe:breadcrumb>CentOS_7.x_postfix_configuration|CentOS 7.x postfix configuration</yambe:breadcrumb>
