gtepenier


Best settings for antispam / Postfix

Hello,

Last week my mail server was put on a blacklist, mainly because of bounces and automatic replies (holidays ...).
I've changed a few settings and I'm not sure they are very good.
I use Postfix 1.1.11 on a Debian server (Linux mail 2.2.19) and Exchange 2003.

Here is the result of postconf -n:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_percent_hack = no
biff = no
body_checks = pcre:/etc/postfix/body_checks
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = avcheck
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
delay_warning_time = 2h
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
local_destination_concurrency_limit = 2
maps_rbl_domains = cbl.abuseat.org, bl.spamcop.net, dnsbl.sorb.net, zen.spamhaus.org
maximal_queue_lifetime = 5d
message_size_limit = 35971520
mydestination = $myhostname, localhost.$mydomain, $mydomain
mydomain = xxx.fr
myhostname = mail.xxx.fr
mynetworks = 192.168.0.0/24, 127.0.0.0/8, 172.16.0.0/24
myorigin = $mydomain
program_directory = /usr/lib/postfix
relay_domains = xxx.fr xxx.com
smtp_data_xfer_timeout = 240s
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, check_client_access hash:/etc/postfix/access_sender
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, reject_unauth_destination, check_recipient_access regexp:/etc/postfix/access, check_sender_access hash:/etc/postfix/access_sender, reject_maps_rbl, permit
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access_sender, reject_maps_rbl, reject_unknown_sender_domain, permit
swap_bangpath = no
transport_maps = hash:/etc/postfix/transport
 
body_checks:
#Pflogsumm log Accept
/^ {6,11}[[:digit:]]{1,6}[ km] /    OK
/^[> ]*Received: +from +(relay-2\.mail\.demon\.net)/ REJECT
/^[> ]*Received: +from +(relay-1\.mail\.demon\.net)/ REJECT
/^[> ]*Received: +from +(brutele\.net)/ REJECT
/^[> ]*Received: +from +(bacgroup\.com)/ REJECT
# Some basic antivirus checks
/^Content-Disposition:attachment;filename=\".*\.(doc|zip|exe|xls|jpg|gif)\.(pif|bat|com|exe|lnk)\"$/   REJECT
/^Content-Disposition:attachment;filename=.*\.(doc|zip|exe|xls|jpg|gif)\.(pif|bat|com|exe|lnk)$/       REJECT
# Common virus extensions that most people wouldn't send legitimately
/(filename|name)=".*\.(asd|chm|hlp|hta|ocx|pif|bat)"/        REJECT
/(filename|name)=.*\.(asd|chm|hlp|hta|ocx|pif|bat)/        REJECT
/(filename|name)=".*\.(scr|shb|shs|vb|vbe|vbs|wsf|wsh)"/        REJECT
/(filename|name)=.*\.(scr|shb|shs|vb|vbe|vbs|wsf|wsh)/        REJECT
/(filename)=".*\.(com)"/                           REJECT
/(filename)=.*\.(com)/                           REJECT
# Bugbear virus
/(filename|name)=".*\.(.*)\.(pif|scr|bat|com|exe|lnk)"$/        REJECT
/(filename|name)=.*\.(.*)\.(pif|scr|bat|com|exe|lnk)$/        REJECT

header_checks:
/^Subject.* CNN Alerts: My Custom Alert */ REJECT
/^Subject.* Inscrivez-vous a Fiesta Club */ REJECT
/^Subject.* First Casino est le leader français des casinos en ligne */ REJECT
/^Subject.* Demandez votre bonus GRATUIT */ REJECT
/^Subject.* I LOVE YOU */ REJECT
/^Subject.* viagra */ REJECT
/^Subject.* cialis */ REJECT
/^Subject.* penis */ REJECT
/^Subject.* life ins */ REJECT
/^Subject.* your prescription */ REJECT
/^Subject.* blue pill */ REJECT
/^Subject.* health insurance */ REJECT
/^Subject.* order med */ REJECT
/^Subject.* rejuvenate */ REJECT
/^Subject.* prescription */ REJECT
/^Subject.* get med */ REJECT
/^Subject.* xanax */ REJECT
/^Subject.* save on term*/ REJECT
/^Subject.* lose weight */ REJECT
/^Subject.* all-natural */ REJECT
/^Subject.* inches */ REJECT
/^Subject.* check it out */ REJECT
/^Subject.* check this out */ REJECT
/^Subject.* degree program */ REJECT
/^Subject.* enhanced pill */ REJECT
/^Subject.* cash out */ REJECT
/^Subject.* popish */ REJECT
/^Subject.* dogwood */ REJECT
/^Subject.* cokleblur*/ REJECT
/^Subject.* blurb */ REJECT
/^Subject.* all drugs  */ REJECT
/^Subject.* your willy */ REJECT
/^Subject.* big money */ REJECT
/^Subject.* masochist */ REJECT
/^Subject.* pain medication */ REJECT
/^Subject.* get the job */ REJECT
/^Subject.* pnarmacy */ REJECT

Do you see any possible improvements?

Regards,
Gilles
grblades

Have a look at http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users&s=recipient%20verification and make sure you are using recipient verification so that you don't accept mail for unknown users. If you do, then your server will create NDRs when it tries to forward the email on to Exchange, and this is probably what is getting you on the blacklist.
gtepenier

ASKER

Thanks for the answer. My setup looks a lot like what's written on this wiki. As I have Postfix 1.1.11 and not 2.x, I can't set some parameters (verify, for example).
Any other advice, please?

GT
Honestly I think the best advice would be to upgrade your antispam server. That version of Postfix is very old, and if your antispam software is anything like as old it certainly won't be working nearly as well as a modern version will.

I would run CentOS instead of Debian as it is more commercially stable. Debian has been known not to update certain packages, which causes incompatibilities at a later date.

http://www.gbnetwork.co.uk/mailscanner/ is my guide to what software to use in order to get a very effective spam and virus filter (well over 99.5% detection rate for us).
Sadly, I don't have the time and resources to set up a completely new server. I need to use this one until late September, when I migrate to a hosted server.
Don't you find anything stupid in my setup?

Regards,
Gilles
I can't see anything wrong as such. The fact that you are accepting all email for permitted domains and then generating NDRs for non-existent users is probably why you are on blacklists.

I see you are using zen.spamhaus.org. Be aware that even for relatively small companies they tend to block you if they think you are using their free service too much, and this results in DNS timeouts which can slow email reception.
Normally companies have to pay for a datafeed subscription.
zen is really powerful. As long as it works, I'll use it for free. Then, I'll pay for it.
Also, in smtpd_recipient_restrictions, I use permit_mynetworks but I also check recipients using check_recipient_access. Even so, you think I am accepting all email for permitted domains and then generating NDRs for non-existent users? How can I fix that, because I think the problem lies here.

Regards,
Gilles
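Recipient validation without the 2.x verify feature, for the backscatter problem grblades describes and the "how can I fix that" question above: an added example, not code from the thread or from either poster. It assumes a mailbox list exported from Exchange (the addresses below are constructed) and a table file named /etc/postfix/relay_recipients; the lookup function emulates the access(5) key order so you can see why an unknown user is refused at RCPT TO instead of bounced later.

```python
# Constructed inputs (assumptions, not from the thread): the domains match the
# thread's relay_domains; the mailbox list would normally be exported from
# Exchange / Active Directory.
RELAY_DOMAINS = ["xxx.fr", "xxx.com"]
KNOWN_MAILBOXES = ["gilles@xxx.fr", "sales@xxx.fr", "info@xxx.com"]


def build_access_table(known, domains):
    """Rows for a check_recipient_access table: one OK per existing mailbox,
    then a REJECT per relayed domain, so any other address in those domains
    is refused at RCPT TO time instead of being accepted and bounced later."""
    rows = [(addr.lower(), "OK") for addr in sorted(set(known))]
    rows += [(d.lower(), "REJECT Unknown recipient") for d in domains]
    return rows


def render_table(rows):
    """File body for /etc/postfix/relay_recipients (run postmap on it afterwards)."""
    return "".join(f"{key}\t{action}\n" for key, action in rows)


def lookup(rows, recipient):
    """Emulate the access(5) key order for a recipient lookup: user@domain,
    then the domain and its parent domains, then user@.  Returns the matched
    action, or DUNNO when nothing matches (Postfix then continues with the
    next restriction in the list)."""
    table = dict(rows)
    local, _, domain = recipient.lower().partition("@")
    labels = domain.split(".")
    candidates = [f"{local}@{domain}"]
    candidates += [".".join(labels[i:]) for i in range(len(labels))]
    candidates.append(f"{local}@")
    for key in candidates:
        if key in table:
            return table[key]
    return "DUNNO"


# Keep the lookup after reject_unauth_destination so the OK entries can never
# widen what the server relays; the domain-level REJECT then catches unknown users.
MAIN_CF_LINE = (
    "smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, "
    "check_recipient_access hash:/etc/postfix/relay_recipients, reject_maps_rbl, permit"
)

if __name__ == "__main__":
    table = build_access_table(KNOWN_MAILBOXES, RELAY_DOMAINS)
    print(render_table(table))
    for rcpt in ["gilles@xxx.fr", "nobody@xxx.fr", "Sales@XXX.FR", "x@other.org"]:
        print(f"{rcpt:16} -> {lookup(table, rcpt)}")
```

The mailbox export has to be regenerated whenever accounts are added or removed, otherwise new users are rejected and deleted ones keep generating bounces.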