Postfix & anti-spam optimization

ddaas · 06-21-2011, 08:07 AM

Hello,
My postfix server has been working great for the last 1-2 years. Lately the number of spams encreased (from 1-2 every day to aprox 8-10 every day per domain for some domains ).

I post here the output of postconf -n. Maybe someone gives me some advices about what cat I change or how can I optimize. I must recognise that I don't fully understand details of how postfix and all the restrictions works together, but I will document every advice.

Thanks

Code:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = cma.xx, cma.cma.xx, localhost.cma.xx, localhost
myhostname = mail.xx.xx
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname permit
smtpd_recipient_restrictions = reject_non_fqdn_sender reject_non_fqdn_recipient permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_sender_login_mismatch reject_invalid_hostname reject_unknown_sender_domain  reject_unknown_recipient_domain reject_unverified_recipient reject_unlisted_recipient reject_invalid_helo_hostname check_sender_access hash:/etc/postfix/access_sender check_helo_access pcre:/etc/postfix/helo_checks reject_unknown_sender_domain reject_rbl_client zen.spamhaus.org, reject_rhsbl_sender    dsn.rfc-ignorant.org permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, permit
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/valias.txt
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/spool/vmail
virtual_mailbox_domains = /etc/postfix/vhost.txt
virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt
virtual_uid_maps = static:1000

Skaperen · 06-21-2011, 11:56 AM

What other anti-spam utilities are you using? It is not obvious from main.cf just what you are doing. You should have amavis and clamav to run all the arriving mail through to help filter spam.

ddaas · 06-22-2011, 04:14 AM

As I know amavis and clamav are anti-virus software and not anti-spam.

In fact I am interested what could I optimize here:

Code:

smtpd_recipient_restrictions = reject_non_fqdn_sender reject_non_fqdn_recipient permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_sender_login_mismatch reject_invalid_hostname reject_unknown_sender_domain  reject_unknown_recipient_domain reject_unverified_recipient reject_unlisted_recipient reject_invalid_helo_hostname check_sender_access hash:/etc/postfix/access_sender check_helo_access pcre:/etc/postfix/helo_checks reject_unknown_sender_domain reject_rbl_client zen.spamhaus.org, reject_rhsbl_sender    dsn.rfc-ignorant.org permit

Noway2 · 06-22-2011, 05:05 AM

Here are a couple of threads where I have discussed this. In particular, this thread, discusses using anti-spam measures in layers which is one of the key things that you will need to do. This thread has some tips that are quite recent as I have been having a problem with a real increase in spam too.

As I mention in the threads, you will need to apply your spam filtering in layers. Start with greylisting, which will require the sender to use a compliant mail client. Then use HELO restrictions to keep some junk from even being queued up. Follow this with some DNS checks, such as the RBL list. Note, this is a YMMV issue, but I had to place the spamhaus check towards the top in my list or else messages would be accepted before the check. I think it may have been a conflict with the Amavis checks. Next, use a content filter such as DSpam or Spamassassin. These are resource intense so if you can reject it before it gets there your better off. Amavis works with Spamassassin by co-ordinating the filtering of your mail of which virus checking is a part, but it isn't just for viruses. I found I was having a real problem with certain senders and regions which I blocked. If you find that you have a problem with repeat offenders, look up the domain by the AS number and block their entire IP range. Also watch your reject codes. A 400 level code, typical of a DNS problem, is a temporary code and may just cause the stuff to keep coming back. Lastly, consider reporting the stuff that does get through to Spamcop and cause grief for their ISPs.

Once you install the content filter, e.g. Spamassassin, it will take some time to train it as far as what is spam and what is not, as well as tweaking the rules.

In any case, implement one thing at a time and see what effect it has. If you do too much at once, you won't know how effective a particular measure was.

ddaas · 06-22-2011, 05:26 AM

Thanks. I will read those threads you have recommended.