Differences
This shows you the differences between two versions of the page.
tech:linux:postfix_spam_control [2014/11/15 09:13] |
tech:linux:postfix_spam_control [2014/11/15 09:13] (current) |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Resources to control spam using postfix ====== | ||
+ | * [[http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt|Text file of postfix configuration to reduce spam]] | ||
+ | * [[http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix]] | ||
+ | * [[http://www.howtoforge.com/block_spam_at_mta_level_postfix]] | ||
+ | * [[http://www.akadia.com/services/postfix_uce.html]] | ||
+ | * [[http://forum.parallels.com/showthread.php?t=87605|Postfix configuration: reject_rbl_client]] | ||
+ | * [[http://www.yolinux.com/TUTORIALS/Postfix.html]] | ||
+ | * [[http://www.postfix.org/postconf.5.html|Postfix Configuration Parameters]] | ||
+ | * [[http://wiki.centos.org/HowTos/postfix_restrictions|HowTos-postfix restrictions - CentOS Wiki]] | ||
+ | * [[http://slammingspam.uw.hu/|Slamming Spam: A Guide for System Administrators]] | ||
+ | ====== main.cf settings ====== | ||
+ | <code> | ||
+ | # | ||
+ | unknown_local_recipient_reject_code = 550 | ||
+ | unknown_address_reject_code = 550 | ||
+ | unknown_client_reject_code = 550 | ||
+ | unknown_hostname_reject_code = 550 | ||
+ | unknown_relay_recipient_reject_code = 550 | ||
+ | unknown_virtual_alias_reject_code = 550 | ||
+ | unknown_virtual_mailbox_reject_code = 550 | ||
+ | unverified_recipient_reject_code = 550 | ||
+ | unverified_sender_reject_code = 550 | ||
+ | # | ||
+ | default_process_limit = 20 | ||
+ | smtpd_client_connection_count_limit = 10 | ||
+ | smtpd_client_connection_rate_limit = 60 # This should translate to 1 per second limit | ||
+ | smtpd_client_message_rate_limit = 60 | ||
+ | smtpd_client_new_tls_session_rate_limit = 60 | ||
+ | # | ||
+ | smtpd_helo_required = yes | ||
+ | address_verify_map = btree:${data_directory}/verify_cache | ||
+ | smtpd_reject_unlisted_sender=yes | ||
+ | smtpd_recipient_restrictions = | ||
+ | check_client_access hash:/etc/postfix/white_lists, | ||
+ | reject_invalid_hostname, | ||
+ | reject_non_fqdn_hostname, | ||
+ | reject_non_fqdn_sender, | ||
+ | reject_non_fqdn_recipient, | ||
+ | reject_unknown_sender_domain, | ||
+ | reject_unknown_recipient_domain, | ||
+ | reject_unknown_client_hostname, | ||
+ | reject_unverified_sender, | ||
+ | permit_mynetworks, | ||
+ | reject_unauth_destination, | ||
+ | reject_rbl_client cbl.abuseat.org, | ||
+ | reject_rbl_client sbl.spamhaus.org, | ||
+ | reject_rbl_client pbl.spamhaus.org | ||
+ | permit | ||
+ | smtpd_data_restrictions = | ||
+ | reject_unauth_pipelining, | ||
+ | permit | ||
+ | </code> | ||
+ | |||
+ | ====== White list (and black list) settings ====== | ||
+ | * Added check_client_access hash:/etc/postfix/white_lists | ||
+ | * Created file /etc/postfix/white_lists with list of IP and domain names white listed | ||
+ | * Ran postmap /etc/postfix/white_lists | ||
+ | * Restarted postfix: /etc/init.d/postfix restart | ||
+ | |||
+ | ====== PostFix report ====== | ||
+ | [[http://jimsun.linxnet.com/postfix_contrib.html|JIMSUN - Postfix Contribs]] has a tools called __Postfix Log Entry Summarizer__ (pflogsumm) that is a perl script that does a summary report on postfix logs. | ||
+ | |||
+ | A daily cron job as below will work. Make sure to create a directory under /var/log as /var/log/postfixrep | ||
+ | <code bash> | ||
+ | #!/bin/bash | ||
+ | # | ||
+ | # Daily Postfix Log report | ||
+ | # | ||
+ | TS=$(date +%Y%m%d_%H%M%S); | ||
+ | LOGFILE="/var/log/postfixrep/pfrep_$TS" | ||
+ | PFLOGSUMM="/usr/local/bin/pflogsumm" | ||
+ | PFMAILINF="/var/log/mail.info" | ||
+ | REMAIL="root@example.org" | ||
+ | REPSUB="Postfix Report" | ||
+ | # | ||
+ | $PFLOGSUMM $PFMAILINF > $LOGFILE | ||
+ | cat $LOGFILE | mailx -s "$REPSUB" $REMAIL | ||
+ | # | ||
+ | exit 0 | ||
+ | </code> | ||
+ | |||
+ | A quick note is to rotate logs on daily basis so the report is truly a daily summary. |