"ISPConfig 3 тохируулсан серверт Postfix-ын хамгаалалт тохируулах"-ны өөр хувилбарууд
Current revision as of 10:08, 3 February 2019
== Reverse DNS (DNS PTR Record) ==
If you have a control panel, set the PTR record from the panel; otherwise contact your provider and have it configured. You can check it as follows.
<pre>
root@server / # host 124.158.124.36
59.124.158.124.in-addr.arpa domain name pointer server6.dusal.net.
</pre>
It takes some time after the change is made before it is visible.
== Domain name SPF configuration (DNS TXT Record) ==
With SPF, the owner of a domain name specifies, through the domain's DNS configuration, which servers are allowed to send mail from that domain.
On ISPConfig 3 this is easily configured by pressing the SPF button in the DNS section. For other DNS services, look up how your own service does it and add the TXT record directly.
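As an added example (not part of the original page and not ISPConfig's code), the following Python evaluates a v=spf1 record against a connecting IP the way a receiving server does, so you can see what result a record like the one the SPF button generates will give before deploying it. DNS answers are stubbed with constructed dictionaries (example.org, _spf.example.net and the 192.0.2.x / 198.51.100.x / 203.0.113.x ranges are placeholders); only the ip4, ip6, a, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-ins for DNS lookups so the example runs offline.
# example.org / _spf.example.net and the 192.0.2.x, 198.51.100.x and
# 203.0.113.x ranges are documentation placeholders, not the page's domains.
TXT_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/28 a include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
}
A_RECORDS = {"example.org": "192.0.2.100"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, txt=TXT_RECORDS, a_records=A_RECORDS, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none' or
    'permerror') for mail from `ip` claiming `domain`.  Mechanisms are tried
    left to right; the first one that matches decides, and its qualifier is
    the result.  Only ip4, ip6, a, include and all are implemented here
    (no mx/ptr/exists, no macros, no redirect= modifier)."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms
        return "permerror"
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # a v6 client never matches a v4 network and vice versa;
            # ip_network's containment test already returns False for that
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host, _, cidr = (arg or domain).partition("/")
            target = a_records.get(host)
            if target is None:
                matched = False
            else:
                net = ipaddress.ip_network(f"{target}/{cidr}" if cidr else target, strict=False)
                matched = addr in net
        elif name == "include":
            sub = check_spf(arg, ip, txt, a_records, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"      # an included domain must publish a record
            matched = sub == "pass"     # only a 'pass' inside the include matches
        elif "=" in term:
            continue                    # modifiers such as exp= are ignored here
        else:
            return "permerror"          # mechanism this example does not handle
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no 'all' term


if __name__ == "__main__":
    for client in ("192.0.2.5", "198.51.100.77", "203.0.113.9"):
        print(client, "->", check_spf("example.org", client))
```

A "-all" record makes an unlisted sender fail outright, which is the "SPF fail - not authorized" rejection shown later on this page; "~all" only softfails, which policyd-spf does not reject by default.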
== Postfix main.cf ==
Let's add/change some settings in /etc/postfix/main.cf
'''Helo restrictions:'''
<pre>
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
</pre>
Helo restrictions in action:
<pre>
Jan 12 01:57:08 server postfix/smtpd[4687]: NOQUEUE: reject: RCPT from unknown[186.43.77.153]: 450 4.7.1 Client host rejected: cannot find your hostname, [186.43.77.153]; from=<pamela_nathan@ixxxxxs.com.au> to=<boricua@domain.com> proto=ESMTP helo=<[186.43.77.153]>
Jan 8 00:32:22 server postfix/smtpd[17504]: NOQUEUE: reject: RCPT from 201-93-87-2.dial-up.telesp.net.br[201.93.87.2]: 504 5.5.2 <lan-32204df3031>: Helo command rejected: need fully-qualified hostname; from=<nils-allan.lindgren@dexxxxxe.ca> to=<boricua@domain.com> proto=ESMTP helo=<lan-32204df3031>
</pre>
'''Strict rfc:'''
<pre>
strict_rfc821_envelopes = yes
</pre>
'''Client restrictions:'''
<pre>
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
</pre>
'''Recipient restrictions:'''
<pre>
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unknown_recipient_domain
</pre>
or
<pre>
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
</pre>
'''Data restrictions:'''
<pre>
smtpd_data_restrictions = reject_unauth_pipelining
</pre>
'''Smtpd delay:'''
<pre>
smtpd_delay_reject = yes
</pre>
'''Don't forget to reload postfix:'''
<pre>
/etc/init.d/postfix reload
</pre>
== Configuring SPF checking in Postfix (Debian and Ubuntu) ==
To protect your server's users, you should configure Postfix to check SPF.
'''Install the SPF package:'''
<pre>
apt-get install postfix-policyd-spf-python
</pre>
or the somewhat older
<pre>
apt-get install postfix-policyd-spf-perl
</pre>
'''Add the following to /etc/postfix/main.cf:'''
<pre>
policy-spf_time_limit = 3600s
</pre>
and add check_policy_service unix:private/policy-spf at the end of smtpd_recipient_restrictions:
<pre>
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, reject_unknown_recipient_domain, check_policy_service unix:private/policy-spf
</pre>
Now edit master.cf and add this at the end (for the python version):
<pre>
policy-spf  unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/policyd-spf
</pre>
or, if you use the perl version:
<pre>
policy-spf  unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/sbin/postfix-policyd-spf-perl
</pre>
…and reload postfix:
<pre>
/etc/init.d/postfix reload
</pre>
SPF check in action:
<pre>
Jan 4 15:50:11 server postfix/smtpd[19096]: NOQUEUE: reject: RCPT from g230068165.adsl.alicedsl.de[92.230.68.165]: 550 5.7.1 <william@domain.org>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.org/Why?s=helo;id=paxxxxxn.com;ip=92.230.68.165;r=william@domain.com; from=<opaquenesszv91@paxxxxxn.com> to=<william@domain.com> proto=ESMTP helo=<paxxxxxn.com>
</pre>
== Greylist ==
Greylisting is a method of defending email users against spam. A mail transfer agent (MTA) using greylisting will "temporarily reject" any email from a sender it does not recognize. If the mail is legitimate the originating server will, after a delay, try again and, if sufficient time has elapsed, the email will be accepted.
'''Installing postgrey (Debian, Ubuntu):'''
<pre>
apt-get install postgrey
</pre>
The configuration options are in /etc/default/postgrey (the default delay is 5 min).
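To show what the policy daemon on 127.0.0.1:10023 actually does, here is an added example (not postgrey's code) of the greylisting decision in Postfix's policy-delegation protocol: it parses the attribute=value request that check_policy_service sends and defers the (client network, sender, recipient) triplet until the delay has passed. The delay and retry window follow postgrey's documented defaults and the /24 keying mirrors its default lookup-by-subnet behaviour; the clock is passed in explicitly so the retry sequence can be replayed offline.

```python
DELAY = 300                 # postgrey's default --delay: 5 minutes, as noted above
RETRY_WINDOW = 2 * 86400    # postgrey's default --retry-window: a retry arriving
                            # later than this is treated as a first attempt again


def parse_policy_request(raw):
    """Parse one check_policy_service request: 'name=value' lines terminated
    by an empty line.  Returns the attributes as a dict."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def triplet(attrs):
    """Greylisting key: (client network, sender, recipient).  Like postgrey's
    default lookup-by-subnet mode, IPv4 clients are keyed on their /24 so a
    sending farm that retries from a sibling host still gets through."""
    ip = attrs.get("client_address", "")
    octets = ip.split(".")
    net = ".".join(octets[:3]) if len(octets) == 4 else ip
    return (net, attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())


class Greylist:
    def __init__(self, delay=DELAY, retry_window=RETRY_WINDOW):
        self.delay = delay
        self.retry_window = retry_window
        self.first_seen = {}    # triplet -> unix time of the first attempt
        self.passed = set()     # triplets that have waited out the delay

    def decide(self, attrs, now):
        """Return the policy response for one request arriving at time `now`.
        DEFER_IF_PERMIT produces the 451 4.7.1 shown in the log on this page;
        DUNNO lets the remaining smtpd_recipient_restrictions decide."""
        if attrs.get("request") != "smtpd_access_policy":
            return "action=DUNNO\n\n"
        key = triplet(attrs)
        if key in self.passed:
            return "action=DUNNO\n\n"
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = first = now       # (re)start the clock
        if now - first < self.delay:
            return "action=DEFER_IF_PERMIT Greylisting in effect, please come back later\n\n"
        self.passed.add(key)
        return "action=DUNNO\n\n"

    def handle(self, raw, now):
        """Raw request text in, response text out."""
        return self.decide(parse_policy_request(raw), now)


if __name__ == "__main__":
    # Constructed request, modelled on the greylist log line later on this page
    request = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
               "client_address=213.165.64.22\nsender=joe@gmx.net\n"
               "recipient=admin@domain.com\n\n")
    g = Greylist()
    for t in (0, 60, 400):
        print(t, g.handle(request, t).strip())
```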
Edit main.cf and add check_policy_service inet:127.0.0.1:10023 to the end of smtpd_recipient_restrictions:
<pre>
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, reject_unknown_recipient_domain, check_policy_service unix:private/policy-spf, check_policy_service inet:127.0.0.1:10023
</pre>
…and reload postfix:
<pre>
/etc/init.d/postfix reload
</pre>
Greylist in action:
<pre>
Jan 10 17:38:57 server postfix/smtpd[21302]: NOQUEUE: reject: RCPT from mailout-de.gmx.net[213.165.64.22]: 451 4.7.1 <admin@domain.com>: Recipient address rejected: Greylisting in effect, please come back later; from=<joe@gmx.net> to=<admin@domain.com> proto=SMTP helo=<mailout-de.gmx.net>
</pre>
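Every variant of smtpd_recipient_restrictions on this page (the main.cf, SPF and greylist sections) places a check_recipient_access map or a policy service next to reject_unauth_destination, and the order decides whether the relay guard still runs. As an added example (not from the page), this Python parses main.cf restriction lists the way Postfix splits them and warns when an entry that can answer OK sits before reject_unauth_destination; the sample main.cf is constructed from the values above.

```python
import re

# Constructed sample assembled from the main.cf values shown on this page
SAMPLE_MAIN_CF = """\
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_destination, reject_unknown_recipient_domain,
    check_policy_service unix:private/policy-spf,check_policy_service inet:127.0.0.1:10023
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
"""

# Restriction keywords that take the next token as an argument (map, service, zone)
ARG_PREFIXES = ("check_", "reject_rbl_client", "reject_rhsbl_")
# Permits that belong before the relay guard: these clients are meant to relay,
# and permit_auth_destination only permits deliveries to our own domains
SAFE_EARLY_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated", "permit_auth_destination"}


def parse_main_cf(text):
    """Return {parameter: value}.  A line beginning with whitespace continues
    the previous value, which is how Postfix itself reads main.cf."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params


def split_restrictions(value):
    """Split a restriction list on commas/whitespace, keeping an access map,
    policy service or DNSBL zone attached to the keyword that consumes it."""
    entries = []
    for tok in (t for t in re.split(r"[\s,]+", value) if t):
        if entries and entries[-1].startswith(ARG_PREFIXES) and " " not in entries[-1]:
            entries[-1] += " " + tok
        else:
            entries.append(tok)
    return entries


def lint(params):
    """Return a list of findings about the restriction lists (empty = sane)."""
    findings = []
    if params.get("smtpd_helo_required", "no").lower() != "yes":
        findings.append("smtpd_helo_required is not yes, so smtpd_helo_restrictions is never applied")
    rcpt = split_restrictions(params.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in rcpt:
        findings.append("smtpd_recipient_restrictions has no reject_unauth_destination (relay guard missing)")
        return findings
    guard = rcpt.index("reject_unauth_destination")
    for entry in rcpt[:guard]:
        # Evaluation stops at the first OK/permit, so anything before the guard
        # that can answer OK lets its matches relay anywhere (unless the
        # Postfix 2.10+ smtpd_relay_restrictions list still catches it).
        if entry.startswith("check_"):
            findings.append(f"'{entry}' precedes reject_unauth_destination; an OK lookup result would permit relaying")
        elif entry == "permit" or (entry.startswith("permit_") and entry not in SAFE_EARLY_PERMITS):
            findings.append(f"'{entry}' precedes reject_unauth_destination and can permit relaying")
    return findings


def lint_text(text):
    return lint(parse_main_cf(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_MAIN_CF):
        print("WARNING:", finding)
```

On the sample it flags the check_recipient_access map that sits before reject_unauth_destination; moving it after the guard, as in the first variant in the main.cf section, clears the warning.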
== DNSBL (DNS Based Blacklist/Blocklist) ==
A DNSBL is a list of IP addresses published through the Internet Domain Name Service (DNS) either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real time. DNSBLs are most often used to publish the addresses of computers or networks linked to spamming; most mail server software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists. These may include listing the addresses of zombie computers or other machines being used to send spam, listing the addresses of ISPs who willingly host spammers, or listing addresses which have sent spam to a honeypot system. To use a DNSBL with Postfix we use reject_rbl_client. Just add some live DNS zone for queries into the main.cf file.
In my example I will use two lists with very good reputation (added to the end of smtpd_client_restrictions):
<pre>
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org
</pre>
RBL in action:
<pre>
Jan 12 01:52:42 server postfix/smtpd[4616]: NOQUEUE: reject: RCPT from 89.pool85-49-26.dynamic.orange.es[85.49.26.89]: 554 5.7.1 Service unavailable; Client host [85.49.26.89] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=85.49.26.89; from=<dresschirp@fxxxxx.com> to=<william@domain.com> proto=SMTP helo=<colossus.home>
Jan 11 20:13:58 server postfix/smtpd[29591]: NOQUEUE: reject: RCPT from 93-87-122-56.dynamic.isp.telekom.rs[93.87.122.56]: 554 5.7.1 Service unavailable; Client host [93.87.122.56] blocked using b.barracudacentral.org; http://www.barracudanetworks.com/reputation/?pr=1&ip=93.87.122.56; from=<trundlesd@ukxxxxx.edu> to=<infoo@domain.com> proto=ESMTP helo=
</pre>
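The "in action" log lines in the sections above are the evidence that each layer (HELO checks, SPF, greylisting, DNSBLs) is doing its job. As an added example (not from the page), this Python parses such NOQUEUE reject lines, attributes each rejection to the restriction that produced it, and counts rejections per client IP and by permanent (5xx) versus temporary (4xx) status. The sample log is constructed and modelled on the lines shown on this page, with hosts and senders replaced by example.* names.

```python
import re
from collections import Counter

# Constructed sample modelled on the "in action" lines on this page; hosts and
# senders are replaced with example.* names, and one accepted line is mixed in.
SAMPLE_LOG = """\
Jan 12 01:57:08 server postfix/smtpd[4687]: NOQUEUE: reject: RCPT from unknown[186.43.77.153]: 450 4.7.1 Client host rejected: cannot find your hostname, [186.43.77.153]; from=<a@example.net> to=<user@domain.com> proto=ESMTP helo=<[186.43.77.153]>
Jan 8 00:32:22 server postfix/smtpd[17504]: NOQUEUE: reject: RCPT from dial.example.br[201.93.87.2]: 504 5.5.2 <lan-32204df3031>: Helo command rejected: need fully-qualified hostname; from=<b@example.net> to=<user@domain.com> proto=ESMTP helo=<lan-32204df3031>
Jan 4 15:50:11 server postfix/smtpd[19096]: NOQUEUE: reject: RCPT from adsl.example.de[92.230.68.165]: 550 5.7.1 <user@domain.com>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.org/Why?s=helo;id=example.com;ip=92.230.68.165; from=<c@example.com> to=<user@domain.com> proto=ESMTP helo=<example.com>
Jan 10 17:38:57 server postfix/smtpd[21302]: NOQUEUE: reject: RCPT from mailout.example.net[213.165.64.22]: 451 4.7.1 <admin@domain.com>: Recipient address rejected: Greylisting in effect, please come back later; from=<joe@example.net> to=<admin@domain.com> proto=SMTP helo=<mailout.example.net>
Jan 12 01:52:42 server postfix/smtpd[4616]: NOQUEUE: reject: RCPT from dyn.example.es[85.49.26.89]: 554 5.7.1 Service unavailable; Client host [85.49.26.89] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=85.49.26.89; from=<d@example.com> to=<user@domain.com> proto=SMTP helo=<colossus.home>
Jan 12 01:53:10 server postfix/smtpd[4616]: NOQUEUE: reject: RCPT from dyn.example.es[85.49.26.89]: 554 5.7.1 Service unavailable; Client host [85.49.26.89] blocked using b.barracudacentral.org; http://www.barracudanetworks.com/reputation/?pr=1&ip=85.49.26.89; from=<e@example.com> to=<user@domain.com> proto=ESMTP helo=<colossus.home>
Jan 12 02:00:00 server postfix/smtpd[4700]: 1A2B3C4D5E: client=mail.example.org[198.51.100.7]
"""

# One smtpd reject line: client, SMTP status code, enhanced status, reason, envelope
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
RBL_RE = re.compile(r"blocked using (?P<zone>[\w.-]+);")

# Reason text -> the restriction from this page that produced it
CLASSIFIERS = [
    ("rbl", RBL_RE),                                                # reject_rbl_client
    ("spf", re.compile(r"SPF fail")),                               # policyd-spf
    ("greylist", re.compile(r"Greylisting in effect")),             # postgrey
    ("helo", re.compile(r"Helo command rejected")),                 # smtpd_helo_restrictions
    ("unknown_client", re.compile(r"cannot find your hostname")),   # reject_unknown_client_hostname
]


def classify(reason):
    for name, rx in CLASSIFIERS:
        if rx.search(reason):
            return name
    return "other"


def parse_rejects(text):
    """Yield one dict per NOQUEUE reject line; other log lines are skipped."""
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["kind"] = classify(rec["reason"])
            rec["permanent"] = rec["code"].startswith("5")   # 5xx vs 4xx (retry later)
            yield rec


def summarize(text):
    """Return (rejects per mechanism, rejects per client IP, 4xx/5xx split)."""
    by_kind, by_ip, status = Counter(), Counter(), Counter()
    for rec in parse_rejects(text):
        by_kind[rec["kind"]] += 1
        by_ip[rec["ip"]] += 1
        status["5xx" if rec["permanent"] else "4xx"] += 1
    return by_kind, by_ip, status


def rbl_zones(text):
    """Which DNSBL zones are doing the blocking, from 'blocked using <zone>;'."""
    zones = Counter()
    for rec in parse_rejects(text):
        m = RBL_RE.search(rec["reason"])
        if m:
            zones[m.group("zone")] += 1
    return zones


if __name__ == "__main__":
    kinds, ips, status = summarize(SAMPLE_LOG)
    print("by mechanism:", dict(kinds))
    print("by client IP:", dict(ips))
    print("4xx vs 5xx:", dict(status), "| DNSBL zones:", dict(rbl_zones(SAMPLE_LOG)))
```

A greylist or "cannot find your hostname" rejection is a 4xx, so a legitimate sender retries; a sudden rise in 5xx rejections from one IP is the pattern worth alerting on.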
== Postscreen ==
Note: This feature is available in Postfix 2.8 and up.
The Postfix postscreen daemon provides additional protection against mail server overload. One postscreen process handles multiple inbound SMTP connections, and decides which clients may talk to a Postfix SMTP server process. By keeping spambots away, postscreen leaves more SMTP server processes available for legitimate clients, and delays the onset of server overload conditions.
The main challenge for postscreen is to make an is-it-a-zombie decision based on a single measurement. This is necessary because many zombies try to fly under the radar and avoid spamming the same site repeatedly. Once postscreen decides that a client is not-a-zombie, it whitelists the client temporarily to avoid further delays for legitimate mail.
For this tutorial we will use the default settings with one exception. These settings are fine for most situations.
First, we add a line to main.cf with the command:
<pre>
postscreen_greet_action = enforce
</pre>
Second, we add postscreen and some new services to master.cf. Note: these settings may already exist; just uncomment them. Also make sure that the line "smtp inet ... smtpd", including any parameters, is commented out (if there are any, the parameters must be moved to the new smtpd service).
<pre>
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       -       -       -       smtpd
#  -o ...
smtpd     pass  -       -       n       -       -       smtpd
  -o ...
# Parameters moved from smtp service to the new smtpd service.(if any)
smtp      inet  n       -       n       -       1       postscreen
tlsproxy  unix  -       -       n       -       0       tlsproxy
dnsblog   unix  -       -       n       -       0       dnsblog
</pre>
Now, we reload postfix:
<pre>
/etc/init.d/postfix reload
</pre>
Source: