  • Tuning Postfix to Fight SPAM a Little Better…

    Published June 26th, 2009

    We are not big fans of SpamAssassin, even though a lot of people swear by it. We use an anti-spam hardware appliance to deal with spam and let a third party, MailFoundry, constantly update the appliance’s rules and tricks to fight spam. However, we recently had a hardware failure and had to return the appliance for a replacement. This process took a very long time.

    Once the MailFoundry appliance was out of service, we started getting tons of spam and finally had to put a temporary measure in place to reduce spam without an elaborate system reconfiguration. Here is how we applied a few configuration changes to Postfix and got rid of the majority of the spam.

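    # main.cf continues a logical line when the next line starts with
    # whitespace; a trailing backslash is not a continuation character.
    # Require HELO/EHLO and vet the hostname the client announces.
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated,
                              permit_mynetworks, reject_invalid_hostname,
                              check_helo_access hash:/etc/postfix/helo_access, permit
    disable_vrfy_command = yes
    strict_rfc821_envelopes = yes
    # Client checks: trusted senders pass, then RHSBL/RBL (DNS blacklist) lookups.
    smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks,
                                reject_rhsbl_client mydomain.tld,
                                reject_rbl_client bl.spamcop.net,
                                reject_rbl_client zen.spamhaus.org,
                                reject_rbl_client safe.dnsbl.sorbs.net,
                                reject_rbl_client cbl.abuseat.org,
                                reject_rbl_client list.dsbl.org
    # Reject envelope senders that are not fully qualified or whose domain does not resolve.
    smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
    mime_header_checks = regexp:/etc/postfix/mime_header_checks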

    These settings are pretty straightforward. They basically “discourage” bad behavior on the other end of the SMTP transaction. Since most bad guys use improper headers or are already listed in real-time blacklists, this configuration protects us from most spammers.

    So you might be wondering: if these settings are so good, why get the MailFoundry back? Well, the above-mentioned Postfix configuration is great, but it does slow down SMTP transactions, so we prefer to outsource spam processing to the dedicated appliance. Until we get our MailFoundry appliance back in order, we have to fight spam with the above settings, and we are not too unhappy about it.
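
    What each reject_rbl_client entry does for a connecting client, and why a long list of them adds latency to SMTP transactions, sketched in Python as an added example (not part of the original post, and not Postfix's own code). The function names and the fake resolver data are assumptions made for the illustration; the zones are the ones from the configuration above.

```python
import ipaddress
import socket

# Zones from the reject_rbl_client lines in the post, in the same order.
ZONES = ["bl.spamcop.net", "zen.spamhaus.org", "safe.dnsbl.sorbs.net",
         "cbl.abuseat.org", "list.dsbl.org"]


def dnsbl_query_name(client_ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.25 -> 25.2.0.192.<zone>."""
    ip = ipaddress.IPv4Address(client_ip)  # ValueError on anything but IPv4
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def system_resolver(name):
    """A records for name via the system resolver; [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_client(client_ip, zones=ZONES, resolve=system_resolver):
    """Return (listing_zone_or_None, lookups_made).

    As in a Postfix restriction list, evaluation stops at the first list that
    returns an A record, so a clean client pays for a lookup in every zone.
    """
    lookups = 0
    for zone in zones:
        lookups += 1
        if resolve(dnsbl_query_name(client_ip, zone)):
            return zone, lookups
    return None, lookups


# Constructed sample data so the example runs offline. 127.0.0.2 is the test
# address that RFC 5782 asks IPv4 DNSBLs to list.
FAKE_ZONE_DATA = {"2.0.0.127.zen.spamhaus.org": ["127.0.0.2"]}


def fake_resolver(name):
    return FAKE_ZONE_DATA.get(name, [])


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.25", "zen.spamhaus.org"))
    print(check_client("127.0.0.2", resolve=fake_resolver))   # listed
    print(check_client("192.0.2.25", resolve=fake_resolver))  # clean
```

    With the default system_resolver the same function queries the real lists, which is the per-connection DNS cost the post refers to.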


    1 Comment

    1. sam s on July 24, 2009

      Great site … I use amavis along with spamassassin and 98% of my spam gets filtered. Does it hurt to add the lines you’ve listed above? I think I’m missing a couple of the lines. Thx!
