Postfix/Miscellaneous anti-spam measures

This page lists miscellaneous anti-spam measures that can help prevent unwanted inbound mail to your postfix server.

HELO/EHLO spoofing countermeasure

First create the following file, where the IP addresses and domain names in the first three lines represent those of your own server.

/^myhost\.mydomain\.tld$/          550 Rejected
/^xxx\.yyy\.zzz\.xxx$/             550 Rejected
/^\[xxx\.yyy\.zzz\.xxx\]$/         550 Rejected
/^[0-9.]+$/                        550 Rejected
/^[0-9]+(\.[0-9]+){3}$/            550 Rejected

We then add a regexp:/etc/postfix/helo.regexp entry to the smtpd_helo_restrictions directive in main.cf, as follows.

smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit

To put this in to action, reload postfix's configuration as follows.

Ban obviously dangerous attachment file extensions

If you are looking after windows users, you may wish to reject certain attachment file extensions.

/filename=\"?(.*)\.(bat|chm|cmd|com|cpl|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl|zip)\"?$/
   REJECT Attachment type banned.
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(lnk|cpl|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/
      REJECT File "$2" attachment type "$3" banned.

You will then need to tell Postfix to process this file.

mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp

To put this in to action, reload postfix's configuration as follows.

Reducing information leaks

With default settings, smartly written spam bots might just figure out which policy they are running up against when they attempt to send mail and are rejected. The suggestion is therefore to change rejection codes to a single, generic code in order to confuse such bots. What impact this has on legitimate clients is something you will have to test out... apparently some people use it and it works.

invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

To put this in to action, reload postfix's configuration as follows.

Enforce complete SMTP implementations

These checks are basic but help to weed out spam bots that have been written poorly and do not confirm to RFCs, as well as spam bots that attempt to enumerate local addresses via the SMTP VRFY command.

smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes

To put this in to action, reload postfix's configuration as follows.

Ban failed authentication attempts

If you are using SASL to authenticate clients on whose behalf you wish to relay mail, then it is strongly recommended that you install a system such as Fail2ban that will prohibit brute force username/password enumeration. In addition, you should ensure that your password policy requires hard to guess passwords (not dictionary words, special characters included, decent minimum length, etc.)