Spamprotection with Postfix and ISPconfig 3

Improvements in short:

  • Reject sender hostnames with invalid syntax
  • Reject sender hostnames that are no FQDNs
  • Reject sender domains that have no DNS records
  • Check sender IP addresses against realtime blacklists.

Comment out 2 lines in main.cf

vi /etc/postfix/main.cf
# smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
# smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo

Replace smtpd_recipient_restrictions and smtpd_helo_restrictions

smtpd_helo_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_helo_access regexp:/etc/postfix/helo_access,
    check_helo_access regexp:/etc/postfix/blacklist_helo,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policy-spf,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining

Restart Postfix

service postfix restart

See also