Difference between revisions of "CentOS 7.x Configure Postfix to block spam"

From Notes_Wiki
m
m
Line 17: Line 17:
unknown_local_recipient_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unknown_virtual_mailbox_reject_code = 554

Revision as of 10:56, 21 May 2022

<yambe:breadcrumb>CentOS_7.x_postfix_configuration|CentOS 7.x postfix configuration</yambe:breadcrumb>

To block SPAM using postfix use:

  • Edit /etc/postfix/main.cf and append this at bottom
#From https://www.howtoforge.com/block_spam_at_mta_level_postfix
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

smtpd_recipient_restrictions =
            reject_invalid_hostname,
            reject_unknown_recipient_domain,
            reject_unauth_pipelining,
            permit_mynetworks,
            permit_sasl_authenticated,
            reject_unauth_destination,
           #reject_rbl_client all.s5h.net,  Commented on 2020-03-20 as blocking tendertiger.com 'Client host [202.137.236.139] blocked using all.s5h.net'
            reject_rbl_client b.barracudacentral.org,
            reject_rbl_client bl.spamcop.net,
            reject_rbl_client bogons.cymru.com,
            reject_rbl_client cbl.abuseat.org,
            reject_rbl_client combined.rbl.msrbl.net,
           #reject_rbl_client dnsbl-1.uceprotect.net,   Commented on 2020-05-05 as blocking railtelindia.com 'Client host [203.153.43.130] blocked using dnsbl-1.uceprotect.net; IP...3.43.130 is UCEPROTECT-Level 1 listed'
           #reject_rbl_client dnsbl-2.uceprotect.net,   Commented on 2020-08-28 as blocking cgg, indiamart and a few other customers
           #reject_rbl_client dnsbl-3.uceprotect.net,   Commented on 2020-04-28 blocking cgg.gov.in 'Client host [112.133.222.124] blocked using dnsbl-3.uceprotect.net; Your ISP RAILTEL-AS-IN RailTel Corporation of India Ltd., Internet Service Provider, New Delhi, IN/AS24186 is UCEPROTECT-Level3 listed for hosting a total of 104 abusers.
            reject_rbl_client dnsbl.dronebl.org,
            reject_rbl_client dnsbl.inps.de,
            #reject_rbl_client dnsbl.sorbs.net,   Commented on 2020-03-19 as blocking gmail 'Client host [209.85.210.173] blocked using dnsbl.sorbs.net'
            #reject_rbl_client dnsbl.spfbl.net,   Commented on 2020-03-20 as has lot of false positives including our own mail servers 'Client host [3.222.142.115] blocked using dnsbl.spfbl.net'
            reject_rbl_client dsn.rfc-ignorant.org,
            reject_rbl_client duinv.aupads.org,
            reject_rbl_client dul.dnsbl.sorbs.net,
            reject_rbl_client http.dnsbl.sorbs.net
            #reject_rbl_client ips.backscatterer.org,  Commented on 2020-03-20 as blocking many client emails from Dell, IIT Tirupati, etc. 'Client host [209.85.210.196] blocked using ips.backscatterer.org'
            reject_rbl_client ix.dnsbl.manitu.net,
            reject_rbl_client korea.services.net,
            reject_rbl_client misc.dnsbl.sorbs.net,
            #reject_rbl_client multi.uribl.com,  Commented on 2020-03-20 as blocking Amazon SES 'Client host [54.240.27.14] blocked using multi.uribl.com'
            reject_rbl_client pbl.spamhaus.org,
            reject_rbl_client proxy.bl.gweep.ca,
            reject_rbl_client psbl.surriel.com,
            reject_rbl_client rabl.nuclearelephant.com,
            reject_rbl_client relays.bl.gweep.ca,
            reject_rbl_client relays.nether.net,
            reject_rbl_client sbl-xbl.spamhaus.org,
            #reject_rbl_client sbl.spamhaus.org
            reject_rbl_client smtp.dnsbl.sorbs.net,
            reject_rbl_client socks.dnsbl.sorbs.net,
            #reject_rbl_client spam.dnsbl.sorbs.net, Commented on 2020-03-19 as blocking gmail 'Client host [209.85.214.177] blocked using spam.dnsbl.sorbs.net'
            reject_rbl_client spamsources.fabel.dk,
            #reject_rbl_client ubl.unsubscore.com,   Commented on 2020-03-20 as it is blocking O365 (Natco, VMWare, etc.)
            reject_rbl_client web.dnsbl.sorbs.net,
            #reject_rbl_client xbl.spamhaus.org,
            reject_rbl_client zen.spamhaus.org,
            reject_rbl_client zombie.dnsbl.sorbs.net,
            permit   
  • Followed by systemctl restart postfix

Look at /var/log/maillog and send test emails from other domains to these email server. Ensure that legitimate senders are not getting rejected.

Ideally dnsbl.sorbs.net should not be commented to allow a sender. In such cases use reference links given later to understand how to create exceptions for rbl using

"check_client_access hash:/etc/postfix/rbl_client_exceptions," 

configuration before rbl checks. Note that file /etc/posfix/rbl_client/exceptions must be hashed using postmap after every change, for new changes to take effect.

Also refer to Blocking_SPAM_at_MTA_level_in_postfix to understand how DNSBL queries can be made using dig.

Refer:


<yambe:breadcrumb>CentOS_7.x_postfix_configuration|CentOS 7.x postfix configuration</yambe:breadcrumb>