Mail server configuration. Part 2. Additional rules for mail filtering. DNSBL

This is the second article in the "Mail Server Settings" series.

The list of articles cycle

 

 

Additional rules for mail filtering.

To reduce the amount of spam, add some more filtering rules.

At the end of the smtpd_helo_restrictions block, add:

check_helo_access hash:/etc/postfix/helo.list

 

In the smtpd_recipient_restrictions block, insert the following after the permit_sasl_authenticated rule:

check_sender_access hash:/etc/postfix/ext_sender,

 

Create a file /etc/postfix/helo.list

#touch /etc/postfix/helo.list

 

Open it for editing and add the line:

mail.study.local 550 Don't use my hostname

 

And create an indexed map from it:

#postmap /etc/postfix/helo.list

 

Create a file /etc/postfix/ext_sender

#touch /etc/postfix/ext_sender

 

Open it for editing and add the line:

study.local 550 Do not use my domain in your envelope sender

 

And create an indexed map from it:

#postmap /etc/postfix/ext_sender

 

The check_helo_access rule checks what the sending server sends in the HELO command. If it introduces itself with our own name (the mail.study.local line in the /etc/postfix/helo.list file), the connection will be terminated. Under normal circumstances no other server can introduce itself with our name, so it is most likely a spam server.

The check_sender_access rule checks the sender address of the message. If the sender is from our own domain (the study.local line in the /etc/postfix/ext_sender file), the message will be rejected. A message with such a sender cannot come from an outside sender; it can be sent only by a user on our server. In that case the connection is protected by a login and password, and the message is accepted by the permit_sasl_authenticated rule, which stands before the rejecting rules.

 

We also need to add another check:

reject_unknown_client

This rule blocks receipt of a message when the client's DNS configuration is wrong: a missing or wrong domain name (A record in DNS) or a missing or incorrect reverse zone (PTR record in DNS). Insert this rule in the smtpd_helo_restrictions block right after the permit_sasl_authenticated rule.

 

Using blacklists of spammers — DNSBL

DNSBL (DNS blacklist or DNS blocklist) is a list of hosts built on the DNS architecture, usually used to protect against spam. The mail server queries the DNSBL for the IP address of the client from which it is receiving a message. A positive response is taken to mean that the message is spam: the server reports a 5xx error (fatal error) and the message is not accepted. A "refusal" message about non-delivery of the email is sent to the sender's mail server.

To use server blacklists, add the following line at the end of the smtpd_helo_restrictions rule block:

reject_rbl_client sbl.spamhaus.org

where sbl.spamhaus.org is the address of the DNSBL service.
Many such lists can be found on the Internet, but the following are the most commonly used:

sbl.spamhaus.org
cbl.abuseat.org
dnsbl.sorbs.net

You should be very careful when using DNSBL. Free services can stop working at any time, put legitimate servers on the blacklist or cause other trouble, so use them with great care.
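The following is an added example, not code from the article or from Postfix. It shows the name a mail server looks up for a client address and a health check for a DNSBL zone based on the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not). The function names, the zone dnsbl.example and the stand-in resolver are assumptions made for the illustration.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Name a mail server looks up: reversed address labels + DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))            # octets
    else:
        labels = reversed(addr.exploded.replace(":", ""))      # hex nibbles
    return ".".join(labels) + "." + zone.strip(".")

def system_resolver(name):
    """A records for name; [] for NXDOMAIN (and, here, any lookup failure)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(ip, zone, resolve=system_resolver):
    # Without an "=d.d.d.d" filter, reject_rbl_client treats ANY A record
    # under the zone as a listing, so this does the same.
    return bool(resolve(dnsbl_query_name(ip, zone)))

def zone_health(zone, resolve=system_resolver):
    """RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not."""
    if is_listed("127.0.0.1", zone, resolve):
        return "lists-everything"   # would reject all incoming mail
    if not is_listed("127.0.0.2", zone, resolve):
        return "not-answering"      # zone gone or unreachable: no filtering
    return "ok"

if __name__ == "__main__":
    # Constructed resolver standing in for DNS so the demo runs offline.
    def fake_dns(name):
        return ["127.0.0.2"] if name.startswith(("2.0.0.127.", "25.2.0.192.")) else []
    zone = "dnsbl.example"          # hypothetical zone
    print(dnsbl_query_name("192.0.2.25", zone))
    print(zone_health(zone, fake_dns), is_listed("192.0.2.25", zone, fake_dns))
```

Calling zone_health(zone) with the default resolver for each zone named in a reject_rbl_client line, and alerting on any result other than "ok", catches a list that has shut down or started listing every address before it affects mail delivery.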

 
