Last night at NCLUG, I gave a quickie talk on a simple Postfix Makefile I had built, for making management easier. The talk also turned to some of the anti-spam measures we use to make our mailboxes useful again. Here are some references.
My Postfix Makefile, including changes so that it doesn't trigger a reload on updating of .db files as suggested by Aaron Johnson, is up at ftp://ftp.tummy.com/pub/tummy/postfix/Makefile/. Download and put it in your /etc/postfix directory and run "make" to update the files.
This Makefile assumes that you have maps for "access-ip", "access-helo", "access-mailfrom" and "access-rcptto". It also looks for a "virtual-regexp" to map addresses (regexp "aliases", effectively), "header_checks" and "body"checks" (which are regexps to look for that are spam or virus reports). Here are the relevant sections of the "main.cf":
header_checks = regexp:/etc/postfix/header_checks body_checks = regexp:/etc/postfix/body_check smtpd_recipient_restrictions = permit_mynetworks reject_non_fqdn_hostname reject_invalid_hostname reject_unauth_destination check_recipient_access hash:/etc/postfix/access-rcptto smtpd_helo_restrictions = permit_mynetworks check_helo_access hash:/etc/postfix/access-helo reject_non_fqdn_hostname reject_invalid_hostname smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access-mailfrom check_client_access hash:/etc/postfix/access-ip reject_unknown_sender_domain reject_non_fqdn_sender smtpd_client_restrictions = check_client_access hash:/etc/postfix/access-ip
One of the most effective actions we've taken with Postfix is to list our IP address in the "access-helo" file. Many spammers are sending messages and starting the connection with "HELO <our IP address<". As you may be aware, the "HELO" argument is supposed to specify the sending mail server name, not the receiving IP address.
I just checked the logs and we've averaged 6,269 messages rejected per day this week because of that rule alone. That's roughly 20% of all SMTP connections we get, or nearly 7 times the number of legitimate e-mail messages we get.
I'd highly recommend that you look at what's getting sent in the "HELO" to your mail servers.comments powered by Disqus