Spamprotection with Postfix and ISPconfig 3
Improvements in short:
- Reject sender hostnames with invalid syntax
- Reject sender hostnames that are no FQDNs
- Reject sender domains that have no DNS records
- Check sender IP addresses against realtime blacklists.
Comment out 2 lines in main.cf
vi /etc/postfix/main.cf
# smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf # smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
Replace smtpd_recipient_restrictions and smtpd_helo_restrictions
smtpd_helo_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
check_helo_access regexp:/etc/postfix/helo_access,
check_helo_access regexp:/etc/postfix/blacklist_helo,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_unauth_destination,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unauth_pipelining
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_policy_service unix:private/policy-spf,
check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dul.dnsbl.sorbs.net,
reject_rbl_client ix.dnsbl.manitu.net,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining
Restart Postfix
service postfix restart