Current time: 11-26-2024, 11:18 AM Hello There, Guest! (LoginRegister)


Post Reply 
Postfix and antispamming
Author Message
Sweeny Offline
Junior Member
*

Posts: 74
Joined: Oct 2007
Reputation: 1
Post: #1
Postfix and antispamming
Hi there,

I have some improvments for the main.cf in ispcp to prevent faking of email adresses which do not belong to the customers:
Code:
smtpd_helo_required = yes

smtpd_sender_login_maps = hash:/etc/postfix/ispcp/aliases

smtpd_helo_restrictions =
  reject_invalid_hostname

smtpd_sender_restrictions =
  reject_sender_login_mismatch

I think this could be very useful also as rejecting helos which are not rfc conform.

And I think adding policy-weightd to ispcp could be a very nice thing. It prevents spam _BEFORE_ queueing <=> spamassasin. Have a look at:
http://www.policyd-weight.org/howto.html
It is very easy to setup and it has a good performance and prevents much spam.

Greetings
Sweeny
(This post was last modified: 03-22-2008 10:01 PM by Sweeny.)
10-27-2007 05:49 AM
Find all posts by this user Quote this message in a reply
rbtux Offline
Moderator
*****
Moderators

Posts: 1,847
Joined: Feb 2007
Reputation: 33
Post: #2
RE: Postfix and antispamming
the server in default ispcp configuration should not been used to recieve mails... there should be added some restrictions.

I post here a sample config how postfix can been secured:

Quote:smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/access_client.hash,
check_helo_access hash:/etc/postfix/access_helo.hash,
check_sender_access hash:/etc/postfix/access_sender.hash,
check_recipient_access hash:/etc/postfix/access_recipient.hash,
check_sender_mx_access cidr:/etc/postfix/access_sender_mx_bogus.cidr,
reject_invalid_hostname,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_recipient_access hash:/etc/postfix/rfc_addresses.hash,
reject_unlisted_recipient,
...policyd-weight...,
...greylisting...

smtpd_data_restrictions = reject_multi_recipient_bounce,
reject_unauth_pipelining

/etc/postfix/access_client.hash:
Black/whitelisting of client hosts/ips

/etc/postfix/access_helo.hash:
Black/whitelisting of client helos

/etc/postfix/access_sender.hash:
Black/whitelisting of sender mail address

/etc/postfix/access_recipient.hash:
Black/whitelisting of recipient mail address

/etc/postfix/access_sender_mx_bogus.cidr
Black/whitelisting of bogus mx servers

/etc/postfix/rfc_addresses.hash
Whitelisting of abuse and postmaster addresses
(This post was last modified: 10-27-2007 06:42 AM by rbtux.)
10-27-2007 06:36 AM
Visit this user's website Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #3
RE: Postfix and antispamming
This looks good! Smile
Maybe we can bring this to the end with some examples and put it in the Wiki and later in ispCP 1.x.x

Greez BeNe
10-28-2007 03:28 AM
Visit this user's website Find all posts by this user Quote this message in a reply
raphael Offline
Member
***

Posts: 474
Joined: Apr 2007
Reputation: 8
Post: #4
RE: Postfix and antispamming
We should better include those changes by default; please open a ticket and assign it to me
10-28-2007 09:57 AM
Visit this user's website Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #5
RE: Postfix and antispamming
Yeah would make more sense Smile
Ticket is open --> http://www.isp-control.net/ispcp/ticket/825

Greez BeNe
10-28-2007 07:21 PM
Visit this user's website Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #6
RE: Postfix and antispamming
I implemented policyd-weight now in my postfix config and i get no more spam in my inbox Wink
Ok 2-5 Mails a day but this is not the big thing...works damn good.

Greez BeNe
11-01-2007 07:52 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Sweeny Offline
Junior Member
*

Posts: 74
Joined: Oct 2007
Reputation: 1
Post: #7
RE: Postfix and antispamming
Yes I have the same experience with policy-weight Wink Before Policy-weight I get 600 spammails a day now only 2 or 5. That's the reason why it should be in ISPCP by default or as an option at install like awstats.

Greetings
Sweeny
(This post was last modified: 03-22-2008 10:01 PM by Sweeny.)
11-01-2007 07:56 AM
Find all posts by this user Quote this message in a reply
platzwart Offline
Junior Member
*

Posts: 100
Joined: Mar 2007
Reputation: 1
Post: #8
RE: Postfix and antispamming
Sw1fty Wrote:[...] That's the reason why it should be in ISPCP by default or as an option at install like awstats.

absolutely!!!
11-01-2007 09:24 AM
Find all posts by this user Quote this message in a reply
raphael Offline
Member
***

Posts: 474
Joined: Apr 2007
Reputation: 8
Post: #9
RE: Postfix and antispamming
how exactly does policyd-weight work?
11-02-2007 05:51 AM
Visit this user's website Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #10
RE: Postfix and antispamming
Source --> http://www.policyd-weight.org/

Quote:policyd-weight is a Perl policy daemon for the Postfix MTA (2.1 and later) intended to eliminate forged envelope senders and HELOs (i.e. in bogus mails). It allows you to score DNSBLs (RBL/RHSBL), HELO, MAIL FROM and client IP addresses before any queuing is done. It allows you to REJECT messages which have a score higher than allowed, providing improved blocking of spam and virus mails. policyd-weight caches the most frequent client/sender combinations (SPAM as well as HAM) to reduce the number of DNS queries.

After the first three SMTP commands (HELO, MAIL FROM: and RCPT TOSmile the client's IP address, corresponding DNS records (A, MX and PTR) and multiple DNSBLs can be checked, verified and scored. If the client tries to forge headers or supplies non-existent DNS or bogus data the spam score will increase, even more so if the client is listed in one or more DNSBLs. Such mails can be rejected while in transfer, before the mail body is received by your MTA. This is different from SpamAssassin or amavisd-new: for scoring or filtering with these programs, mail needs to be accepted and queued, bandwidth is used, CPU-time is wasted and mail cannot be rejected without creating a bounce. Please have a look at the graphical working scheme.

Postfix' built-in checks can be too tough for poorly configured clients: one hit, and the mail gets rejected. policyd-weight is designed to be fair (DynDNS MX users get through if their MTA is setup properly, even if their ISP net is DUL-listed), because its decision whether to reject or accept a mail is based on multiple factors.

Of course you should still have SpamAssassin and Clamav running (especially if you are responsible for a company's security and data). But these programs will have a lot less to do and thus decrease the need for bandwidth and CPU cycles. Also you might not need greylisting (which would make sense for users that receive a lot of new spam, though), SPF, extraordinary whitelists or SQL and other DBs anymore

Greez BeNe
11-02-2007 06:01 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 2 Guest(s)