Postfix and antispamming

[Sweeny]

Hi there,

I have some improvments for the main.cf in ispcp to prevent faking of email adresses which do not belong to the customers:

Code:

smtpd_helo_required = yes

smtpd_sender_login_maps = hash:/etc/postfix/ispcp/aliases

smtpd_helo_restrictions =
  reject_invalid_hostname

smtpd_sender_restrictions =
  reject_sender_login_mismatch

I think this could be very useful also as rejecting helos which are not rfc conform.

And I think adding policy-weightd to ispcp could be a very nice thing. It prevents spam _BEFORE_ queueing <=> spamassasin. Have a look at:
http://www.policyd-weight.org/howto.html
It is very easy to setup and it has a good performance and prevents much spam.

Greetings
Sweeny

[rbtux]

the server in default ispcp configuration should not been used to recieve mails... there should be added some restrictions.

I post here a sample config how postfix can been secured:

Quote:smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/access_client.hash,
check_helo_access hash:/etc/postfix/access_helo.hash,
check_sender_access hash:/etc/postfix/access_sender.hash,
check_recipient_access hash:/etc/postfix/access_recipient.hash,
check_sender_mx_access cidr:/etc/postfix/access_sender_mx_bogus.cidr,
reject_invalid_hostname,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_recipient_access hash:/etc/postfix/rfc_addresses.hash,
reject_unlisted_recipient,
...policyd-weight...,
...greylisting...

smtpd_data_restrictions = reject_multi_recipient_bounce,
reject_unauth_pipelining

/etc/postfix/access_client.hash:
Black/whitelisting of client hosts/ips

/etc/postfix/access_helo.hash:
Black/whitelisting of client helos

/etc/postfix/access_sender.hash:
Black/whitelisting of sender mail address

/etc/postfix/access_recipient.hash:
Black/whitelisting of recipient mail address

/etc/postfix/access_sender_mx_bogus.cidr
Black/whitelisting of bogus mx servers

/etc/postfix/rfc_addresses.hash
Whitelisting of abuse and postmaster addresses

[BeNe]

This looks good!
Maybe we can bring this to the end with some examples and put it in the Wiki and later in ispCP 1.x.x

Greez BeNe

[raphael]

We should better include those changes by default; please open a ticket and assign it to me

[BeNe]

Yeah would make more sense
Ticket is open --> http://www.isp-control.net/ispcp/ticket/825

Greez BeNe

[BeNe]

I implemented policyd-weight now in my postfix config and i get no more spam in my inbox
Ok 2-5 Mails a day but this is not the big thing...works damn good.

Greez BeNe

[Sweeny]

Yes I have the same experience with policy-weight Before Policy-weight I get 600 spammails a day now only 2 or 5. That's the reason why it should be in ISPCP by default or as an option at install like awstats.

Greetings
Sweeny

[platzwart]

Sw1fty Wrote:[...] That's the reason why it should be in ISPCP by default or as an option at install like awstats.

absolutely!!!

[raphael]

how exactly does policyd-weight work?

[BeNe]

Source --> http://www.policyd-weight.org/

Quote:policyd-weight is a Perl policy daemon for the Postfix MTA (2.1 and later) intended to eliminate forged envelope senders and HELOs (i.e. in bogus mails). It allows you to score DNSBLs (RBL/RHSBL), HELO, MAIL FROM and client IP addresses before any queuing is done. It allows you to REJECT messages which have a score higher than allowed, providing improved blocking of spam and virus mails. policyd-weight caches the most frequent client/sender combinations (SPAM as well as HAM) to reduce the number of DNS queries.

After the first three SMTP commands (HELO, MAIL FROM: and RCPT TO the client's IP address, corresponding DNS records (A, MX and PTR) and multiple DNSBLs can be checked, verified and scored. If the client tries to forge headers or supplies non-existent DNS or bogus data the spam score will increase, even more so if the client is listed in one or more DNSBLs. Such mails can be rejected while in transfer, before the mail body is received by your MTA. This is different from SpamAssassin or amavisd-new: for scoring or filtering with these programs, mail needs to be accepted and queued, bandwidth is used, CPU-time is wasted and mail cannot be rejected without creating a bounce. Please have a look at the graphical working scheme.

Postfix' built-in checks can be too tough for poorly configured clients: one hit, and the mail gets rejected. policyd-weight is designed to be fair (DynDNS MX users get through if their MTA is setup properly, even if their ISP net is DUL-listed), because its decision whether to reject or accept a mail is based on multiple factors.

Of course you should still have SpamAssassin and Clamav running (especially if you are responsible for a company's security and data). But these programs will have a lot less to do and thus decrease the need for bandwidth and CPU cycles. Also you might not need greylisting (which would make sense for users that receive a lot of new spam, though), SPF, extraordinary whitelists or SQL and other DBs anymore

Greez BeNe