gtepenier
asked on
Best settings for antispam / Postfix
Hello,
Last week my mail server was put on a blacklist, mainly because of bounces and automatic replies (holidays ...).
I've changed a few settings and I'm not sure they are very good.
I use Postfix 1.1.11 on a Debian server (Linux mail 2.2.19) and Exchange 2003.
Here is the result of postconf -n:
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_percent_hack = no
biff = no
body_checks = pcre:/etc/postfix/body_checks
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = avcheck
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
delay_warning_time = 2h
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
local_destination_concurrency_limit = 2
maps_rbl_domains = cbl.abuseat.org, bl.spamcop.net, dnsbl.sorb.net, zen.spamhaus.org
maximal_queue_lifetime = 5d
message_size_limit = 35971520
mydestination = $myhostname, localhost.$mydomain, $mydomain
mydomain = xxx.fr
myhostname = mail.xxx.fr
mynetworks = 192.168.0.0/24, 127.0.0.0/8, 172.16.0.0/24
myorigin = $mydomain
program_directory = /usr/lib/postfix
relay_domains = xxx.fr xxx.com
smtp_data_xfer_timeout = 240s
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, check_client_access hash:/etc/postfix/access_sender
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, reject_unauth_destination, check_recipient_access regexp:/etc/postfix/access, check_sender_access hash:/etc/postfix/access_sender, reject_maps_rbl, permit
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access_sender, reject_maps_rbl, reject_unknown_sender_domain, permit
swap_bangpath = no
transport_maps = hash:/etc/postfix/transport
body_checks:
#Pflogsumm log Accept
/^ {6,11}[[:digit:]]{1,6}[ km] / OK
/^[> ]*Received: +from +(relay-2\.mail\.demon\.net)/ REJECT
/^[> ]*Received: +from +(relay-1\.mail\.demon\.net)/ REJECT
/^[> ]*Received: +from +(brutele\.net)/ REJECT
/^[> ]*Received: +from +(bacgroup\.com)/ REJECT
# Some basic antivirus checks
/^Content-Disposition:attachment;filename=\".*\.(doc|zip|exe|xls|jpg|gif)\.(pif|bat|com|exe|lnk)\"$/ REJECT
/^Content-Disposition:attachment;filename=.*\.(doc|zip|exe|xls|jpg|gif)\.(pif|bat|com|exe|lnk)$/ REJECT
# Common virus extensions that most people wouldn't send legitimately
/(filename|name)=".*\.(asd|chm|hlp|hta|ocx|pif|bat)"/ REJECT
/(filename|name)=.*\.(asd|chm|hlp|hta|ocx|pif|bat)/ REJECT
/(filename|name)=".*\.(scr|shb|shs|vb|vbe|vbs|wsf|wsh)"/ REJECT
/(filename|name)=.*\.(scr|shb|shs|vb|vbe|vbs|wsf|wsh)/ REJECT
/(filename)=".*\.(com)"/ REJECT
/(filename)=.*\.(com)/ REJECT
# Bugbear virus
/(filename|name)=".*\.(.*)\.(pif|scr|bat|com|exe|lnk)"$/ REJECT
/(filename|name)=.*\.(.*)\.(pif|scr|bat|com|exe|lnk)$/ REJECT
header_checks:
/^Subject.* CNN Alerts: My Custom Alert */ REJECT
/^Subject.* Inscrivez-vous a Fiesta Club */ REJECT
/^Subject.* First Casino est le leader français des casinos en ligne */ REJECT
/^Subject.* Demandez votre bonus GRATUIT */ REJECT
/^Subject.* I LOVE YOU */ REJECT
/^Subject.* viagra */ REJECT
/^Subject.* cialis */ REJECT
/^Subject.* penis */ REJECT
/^Subject.* life ins */ REJECT
/^Subject.* your prescription */ REJECT
/^Subject.* blue pill */ REJECT
/^Subject.* health insurance */ REJECT
/^Subject.* order med */ REJECT
/^Subject.* rejuvenate */ REJECT
/^Subject.* prescription */ REJECT
/^Subject.* get med */ REJECT
/^Subject.* xanax */ REJECT
/^Subject.* save on term*/ REJECT
/^Subject.* lose weight */ REJECT
/^Subject.* all-natural */ REJECT
/^Subject.* inches */ REJECT
/^Subject.* check it out */ REJECT
/^Subject.* check this out */ REJECT
/^Subject.* degree program */ REJECT
/^Subject.* enhanced pill */ REJECT
/^Subject.* cash out */ REJECT
/^Subject.* popish */ REJECT
/^Subject.* dogwood */ REJECT
/^Subject.* cokleblur*/ REJECT
/^Subject.* blurb */ REJECT
/^Subject.* all drugs */ REJECT
/^Subject.* your willy */ REJECT
/^Subject.* big money */ REJECT
/^Subject.* masochist */ REJECT
/^Subject.* pain medication */ REJECT
/^Subject.* get the job */ REJECT
/^Subject.* pnarmacy */ REJECT
Do you see any possible improvements?
Regards,
Gilles
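The Subject rules in the question can be replayed against sample headers before they go live. The script below is an added example, not code from the question or from Postfix itself: it approximates pcre: table matching with Python's re module (one rule per line, first match wins, case-insensitive by default with the i flag toggling that off, as in pcre_table(5)) and runs four of the question's own rules over constructed sample headers to show which ones fire on legitimate mail.

```python
"""Replay a Postfix pcre-style header_checks table against sample headers.

Added example, not code from the thread. It approximates the matching
rules of a Postfix pcre:/regexp: table with Python's re module so that
Subject rules can be tested for false positives before deployment.
Semantics reproduced: one rule per line, '#' comments, first matching
rule wins, matching is case-insensitive unless the rule carries the 'i'
flag (which toggles case-sensitivity on). Sample headers are constructed.
"""
import re

# Four of the Subject rules from the question, verbatim.
HEADER_CHECKS = """
# spam subjects
/^Subject.* viagra */ REJECT
/^Subject.* inches */ REJECT
/^Subject.* save on term*/ REJECT
/^Subject.* check it out */ REJECT
"""

# Constructed sample headers: two that should be caught, two legitimate.
SAMPLE_HEADERS = [
    "Subject: Cheap VIAGRA online",
    "Subject: check it out now",
    "Subject: Cabinet dimensions in inches for the Lyon office",
    "Subject: Save on terms of delivery - revised quote",
]

# /pattern/flags action [optional text]
RULE_RE = re.compile(
    r"^/(?P<pat>.*)/(?P<flags>[a-z]*)\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$"
)


def parse_table(text):
    """Return a list of (compiled_regex, action, source_line) in table order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: %r" % line)
        # Postfix default is case-insensitive; the 'i' flag toggles that off.
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        rules.append((re.compile(m.group("pat"), flags), m.group("action"), line))
    return rules


def first_match(rules, header_line):
    """Return (action, source_line) of the first rule that matches, else None."""
    for regex, action, source in rules:
        if regex.search(header_line):
            return action, source
    return None


def replay(rules, headers):
    """Map each sample header to the rule that fires on it (None if nothing does)."""
    return {h: first_match(rules, h) for h in headers}


if __name__ == "__main__":
    rules = parse_table(HEADER_CHECKS)
    for header, hit in replay(rules, SAMPLE_HEADERS).items():
        print("%-60s -> %s" % (header, (hit[0] + "  via " + hit[1]) if hit else "no match"))
```

Running it shows both legitimate subjects being rejected: "inches" matches any subject containing that word, and "save on term*" means "save on ter" followed by any number of m's, so a subject about delivery terms is caught; a pattern such as "save on term.*" or a word boundary would have been the intent. Replaying a table this way after each edit is a cheap check that a single-word rule is not throwing away real mail.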
Have a look at http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users&s=recipient%20verification and make sure you are using recipient verification so that you don't accept mail for unknown users. If you do then your server will create NDRs when it tries to forward the email onto Exchange and this is probably what is getting you on the blacklist.
ASKER
Thanks for the answer. My setup looks a lot like what's written on this wiki. As I have Postfix 1.1.11 and not 2.x, I can't set some parameters (verify for example).
Any other advice, please?
GT
Honestly I think the best advice would be to upgrade your antispam server. That version of Postfix is very old and if your antispam software is anything like as old it certainly won't be working nearly as well as a modern version will.
I would run CentOS instead of Debian as it is more commercially stable. Debian have been known not to update certain packages which causes incompatibilities at a later date.
http://www.gbnetwork.co.uk/mailscanner/ is my guide to what software to use in order to get a very effective spam and virus filter (well over 99.5% detection rate for us).
ASKER
Sadly, I don't have the time and resources to set up a completely new server. I need to use this one until late September, when I migrate to a hosted server.
You don't find something stupid in my setup?
Regards,
Gilles
I can't see anything wrong as such. The fact that you are accepting all email for permitted domains and then generating NDRs for non-existent users is probably why you are on blacklists.
I see you are using zen.spamhaus.org. Be aware that even for relatively small companies they tend to block you if they think you are using their free service too much, and this results in DNS timeouts which can slow email reception.
Normally companies have to pay for a datafeed subscription.
ASKER
zen is really powerful. As long as it works, I'll use it for free. Then, I'll pay for it.
Also, in smtpd_recipient_restrictions, I use permit_mynetworks but I also check recipients using check_recipient_access. Even so, you think I am accepting all email for permitted domains and then generating NDRs for non-existing users? How can I fix that, because I think the problem lies here.
Regards,
Gilles
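The fix the replies point at (rejecting unknown recipients at SMTP time so Postfix never has to bounce mail Exchange refuses) can be built on Postfix 1.1 without the verify feature, using the check_recipient_access mechanism the asker already has. The script below is an added example written for this thread, not code from the replies, the asker or the Postfix project: it generates a hash-style access table listing every valid address as OK followed by a per-domain catch-all REJECT, and reproduces the access(5) lookup order for an email address (user@domain, then domain, then user@) so the table's effect can be checked offline. The recipient list and the two domains are constructed; the real list would be exported from the mail store.

```python
"""Reject unknown recipients at SMTP time with a check_recipient_access table.

Added example, not from the thread. Diagnosis from the replies: Postfix
accepts every address in the relayed domains, hands it to Exchange, and
only then learns the user does not exist, so an NDR (backscatter) goes to
a usually forged sender. Newer Postfix releases handle this with recipient
address verification; the asker's release lacks it, so this builds the
equivalent from a plain access table: every valid address listed, then a
per-domain catch-all REJECT. lookup() reproduces the access(5) lookup
order for an address. Recipients and domains below are constructed.
"""

# Constructed directory export: the mailboxes the mail store actually has.
VALID_RECIPIENTS = [
    "gilles@xxx.fr", "Sales@xxx.fr", "postmaster@xxx.fr", "abuse@xxx.fr",
    "info@xxx.com", "postmaster@xxx.com",
]
# Domains this server relays for (relay_domains in the question).
RELAY_DOMAINS = ["xxx.fr", "xxx.com"]


def build_access_table(valid, domains):
    """Render the text of the access file (hypothetical path: run postmap on it)."""
    lines = ["# generated: valid recipients first, then per-domain catch-all"]
    for addr in sorted({a.lower() for a in valid}):
        lines.append("%s\tOK" % addr)
    for dom in domains:
        lines.append("%s\tREJECT User unknown in relayed domain" % dom.lower())
    return "\n".join(lines) + "\n"


def parse_access_table(text):
    """Index key/action lines into a dict, as postmap would for a hash: map."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()
    return table


def lookup(table, recipient):
    """Apply the access(5) lookup order for an email address.

    Returns the action string, or None when no key matches, in which case
    this restriction says nothing and the next one in the list decides.
    """
    local, _, domain = recipient.lower().rpartition("@")
    for key in ("%s@%s" % (local, domain), domain, "%s@" % local):
        if key in table:
            return table[key]
    return None


def smtp_verdict(table, recipient):
    """Collapse the action into what the SMTP session would see at RCPT TO."""
    action = lookup(table, recipient)
    if action is None:
        return "DUNNO"          # no opinion: later restrictions decide
    return action.split(None, 1)[0]   # "OK" or "REJECT"


if __name__ == "__main__":
    text = build_access_table(VALID_RECIPIENTS, RELAY_DOMAINS)
    print(text)
    table = parse_access_table(text)
    for rcpt in ("gilles@xxx.fr", "ghost@xxx.fr", "someone@other.example"):
        print("%-25s -> %s" % (rcpt, smtp_verdict(table, rcpt)))
```

Two points matter when wiring this in. First, OK in an access table is a permit and ends evaluation of the restriction list: in the question's smtpd_recipient_restrictions the check_recipient_access entry sits before reject_maps_rbl, so an OK for every valid user would skip the RBL check entirely; keep the table as the last restriction before permit, or on a release that supports it use DUNNO instead of OK. Second, the catch-all only bites for the relayed domains, so an address in any other domain returns nothing here and is still stopped by reject_unauth_destination earlier in the list; postmaster@ and abuse@ must stay in the valid list or the catch-all will reject them too.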