Tech: Postfix and Spam filtering

NOTE: Alright, so we’re going to take a swing away from our regularly scheduled Jade updates and get into some tech stuff. For those who might not know, I’m a computer technician at Malaspina U-C. I’d like to use this blog to record some of the stuff I’m doing for both my own personal archives, and for the benefit of people on the Internet who I know are looking for answers (because I just spent 2 hours on the internet looking for the answers I have here!).

Anyway, yesterday I updated the department’s email server so that it had more robust Spam and attachment filtering. Below you’ll see what changes I made to Postfix, SpamAssassin, and Anomy to make everything work.

We’re running Mandrake 9.2, not really what you’d expect, but it’s been rock solid. No complaints at all.

That said, my users were complaining about some spam they were getting on their accounts. So I’ve reinforced our filtering by updating and reconfiguring our SpamAssassin and Anomy mail filters.

We have Postfix 2.0.13 running and delivering to Cyrus to serve IMAP.

Anyway, I got most of the information I needed from this website:
http://advosys.ca/papers/postfix-filtering.html

But it didn’t quite have everything I needed.

Specifically, I wanted to make sure my email server would drop any suspicious connection. So here are the pertinent lines in my main.cf file:

#Enable Authenticated SMTP support
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
## Once we get an SSL cert we can force SSL authentication with this command
#smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/server.pem
smtpd_tls_cert_file = /etc/postfix/ssl/server.pem
smtpd_tls_CAfile = /etc/postfix/ssl/server.pem

smtpd_helo_required = yes
mydestination = $mynetworks, $myhostname, localhost.$mydomain, $mydomain, mysql:/etc/postfix/mysql-mydestination.cf
mime_header_checks = pcre:/etc/postfix/body_checks
message_size_limit = 20000000
smtpd_recipient_limit = 200
disable_vrfy_command = yes
default_process_limit = 10
smtpd_error_sleep_time = 30
strict_rfc821_envelopes = yes

#Client (IP) Restrictions
smtpd_client_restrictions = reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client list.dsbl.org, reject_rbl_client relays.ordb.org,
    reject_rbl_client dnsbl.njabl.org, reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.ahbl.org, reject_rbl_client opm.blitzed.org,
    reject_rbl_client dnsbl.sorbs.net, reject_rbl_client relays.visi.com,
    reject_rbl_client cbl.abuseat.org

#HELO Restrictions (for garbled HELO messages from spammers)
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname

#SMTP Data restrictions:
smtpd_data_restrictions = reject_unauth_pipelining, permit

#Sender Restrictions (FROM field)
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unauth_pipelining, permit
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-mydestination.cf, mysql:/etc/postfix/mysql-canonical.cf

#Recipient (Receiving address) Mail Restrictions
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_client,
    reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_unknown_sender_domain, reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_rhsbl_client blackhole.securitysage.com, reject_rhsbl_sender blackhole.securitysage.com,
    reject_rhsbl_client rhsbl.ahbl.org, reject_rhsbl_sender rhsbl.ahbl.org,
    reject_rhsbl_client rhsbl.sorbs.net, reject_rhsbl_sender rhsbl.sorbs.net,
    reject_rhsbl_client block.rhs.mailpolice.com, reject_rhsbl_sender block.rhs.mailpolice.com,
    reject_rhsbl_client dynamic.rhs.mailpolice.com, reject_rhsbl_sender dynamic.rhs.mailpolice.com,
    reject_rhsbl_client bogusmx.rfc-ignorant.org, reject_rhsbl_sender bogusmx.rfc-ignorant.org,
    reject_rhsbl_client abuse.rfc-ignorant.org, reject_rhsbl_sender abuse.rfc-ignorant.org,
    reject_rhsbl_client postmaster.rfc-ignorant.org, reject_rhsbl_sender postmaster.rfc-ignorant.org,
    reject_rhsbl_client dsn.rfc-ignorant.org, reject_rhsbl_sender dsn.rfc-ignorant.org,
    check_recipient_access hash:/etc/postfix/filtered_domains

Hopefully that helps a few people out there.

Here’s the master.cf file. I had to add the entry at the bottom (the second line is indented so master.cf reads it as a continuation of the first):
filter    unix  -       n       n       -       -       pipe
  flags=Rq user=filter argv=/usr/local/anomy/filter.sh -f ${sender} -- ${recipient}

That’s about it… the rest was verbatim from the Advosys site. Enjoy.
