CentOS 7.x Configure Postfix to block spam

<yambe:breadcrumb>CentOS_7.x_postfix_configuration|CentOS 7.x postfix configuration</yambe:breadcrumb>

To block SPAM using postfix use:

• Edit /etc/postfix/main.cf and append this at bottom

#From https://www.howtoforge.com/block_spam_at_mta_level_postfix
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

smtpd_recipient_restrictions =
            reject_invalid_hostname,
            reject_unknown_recipient_domain,
            reject_unauth_pipelining,
            permit_mynetworks,
            permit_sasl_authenticated,
            reject_unauth_destination,
#            reject_rbl_client multi.uribl.com,
            reject_rbl_client dsn.rfc-ignorant.org,
            reject_rbl_client dul.dnsbl.sorbs.net,
#            reject_rbl_client list.dsbl.org,
            reject_rbl_client sbl-xbl.spamhaus.org,
            reject_rbl_client bl.spamcop.net,
#            reject_rbl_client dnsbl.sorbs.net,
            reject_rbl_client cbl.abuseat.org,
            reject_rbl_client ix.dnsbl.manitu.net,
            reject_rbl_client combined.rbl.msrbl.net,
            reject_rbl_client rabl.nuclearelephant.com,
            permit   

• Followed by systemctl restart postfix

Look at /var/log/maillog and send test emails from other domains to these email server. Ensure that legitimate senders are not getting rejected.

Ideally dnsbl.sorbs.net should not be commented to allow a sender. In such cases use reference links given later to understand how to create exceptions for rbl using

"check_client_access hash:/etc/postfix/rbl_client_exceptions," 

configuration before rbl checks. Note that file /etc/posfix/rbl_client/exceptions must be hashed using postmap after every change, for new changes to take effect.

Also refer to Blocking_SPAM_at_MTA_level_in_postfix to understand how DNSBL queries can be made using dig.

Refer:

• https://www.howtoforge.com/block_spam_at_mta_level_postfix
• https://www.howtoforge.com/virtual_postfix_antispam

<yambe:breadcrumb>CentOS_7.x_postfix_configuration|CentOS 7.x postfix configuration</yambe:breadcrumb>