Electronic mail: servers
Rejecting known spam domains
If you have identified domains that you would rather not hear from again, use the form check_sender_access maptype:mapname. By default, the map is stored in /usr/local/etc/postfix/access.db. Add the following text to main.cf:
smtpd_sender_restrictions = hash:/usr/local/etc/postfix/access
Note that the .db is missing from the name. Now add this line to the file /usr/local/etc/postfix/access, creating it if necessary:
spamdomain.com 550 Mail rejected. Known spam site.
This form rejects messages from this domain with SMTP error code 550 and the message that follows. As we have seen, postfix reads the file /usr/local/etc/postfix/access.db, not /usr/local/etc/postfix/access. Use the postmap program to create or update /usr/local/etc/postfix/access.db:
# postmap /usr/local/etc/postfix/access
The changes to /usr/local/etc/postfix/main.cf depend on other items as well, so we'll look at them at the end of this discussion. To judge by the name, spamdomain.com is probably a hard-core spam producer. But there are others, notably large ISPs with little or no interest in limiting spam, and their innocent users will be blocked as well. If you find out about such a user, you can make an exception:
spamdomain.com 550 Mail rejected. Known spam site.
innocent@spamdomain.com OK
Don't forget to re-run postmap after updating access. One way is to create a Makefile in /usr/local/etc/postfix with the following contents:
access.db: access
	/usr/local/sbin/postmap access
Then add the following line to /etc/crontab:
1 * * * * root (cd /usr/local/etc/postfix; make) 2>/dev/null >/dev/null
This checks the files every hour and rebuilds /usr/local/etc/postfix/access.db if necessary.
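The exception entry works because the full sender address is looked up before the bare domain. The following is an added example, not part of the original text and not Postfix code: it models the lookup order documented in access(5), and the function names and the sample file contents are assumptions made for illustration.

```python
ACCESS_SOURCE = """\
# constructed sample, using the two entries discussed above
spamdomain.com          550 Mail rejected.
    Known spam site.
innocent@spamdomain.com OK
"""

def parse_access(text):
    """Parse access(5) source text into {lowercased key: action}."""
    table, key = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank lines and comments
        if line[0].isspace():             # leading whitespace: continuation
            if key is not None:
                table[key] += " " + stripped
            continue
        fields = stripped.split(None, 1)
        key = fields[0].lower()
        table[key] = fields[1] if len(fields) > 1 else ""
    return table

def candidate_keys(sender, parent_matches_subdomains=True):
    """Keys tried for a sender address, most specific first."""
    sender = sender.lower()
    user, _, domain = sender.rpartition("@")
    keys = [sender, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        # With smtpd_access_maps in parent_domain_matches_subdomains, a plain
        # "domain.tld" key covers subdomains; otherwise ".domain.tld" is needed.
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(user + "@")
    return keys

def sender_action(table, sender, parent_matches_subdomains=True):
    """Return (matching key, action), or (None, None) if nothing matches."""
    for key in candidate_keys(sender, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, None

if __name__ == "__main__":
    table = parse_access(ACCESS_SOURCE)
    for addr in ("innocent@spamdomain.com", "Bulk@SpamDomain.com",
                 "x@mail.spamdomain.com", "grog@example.org"):
        print(addr, "->", sender_action(table, addr))
```

Note that with subdomain matching enabled, the single spamdomain.com entry also rejects senders at hosts below that domain.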
Rejecting sites without reverse lookup
A very large number of spam sites don't have reverse lookup on their IP addresses. You can reject all such mail: after all, it's misconfigured. Just add the reject_unknown_sender_domain keyword to the smtpd_sender_restrictions. Unfortunately, some serious commercial enterprises also don't have reverse lookup. It's your choice whether you want to accept mail from them and open the floodgates to spam, or to ignore them. The FreeBSD project has chosen the latter course: if you don't have reverse lookup, you will not be able to send mail to FreeBSD.org.
Rejecting listed sites
Another alternative is to reject sites that have been listed on a public list of spam sites, sometimes referred to as an rbl (Realtime Blackhole List). The example given in the configuration file is http://www.mail-abuse.org/, but there are others as well. They maintain a list of spam sites that you can query before accepting every message.
I don't like these sites for a number of reasons:
- They slow things down.
- They frequently cost money.
- They have a habit of blocking large quantities of address space, including domains that are not in any way related to the spammers. I don't know anything about MAPS, so I can't comment on whether they do this sort of thing.
If you want to use this kind of service, add the following two lines to your main.cf:
smtpd_client_restrictions = reject_maps_rbl
maps_rbl_domains = rbl.maps.vix.com
The name rbl.maps.vix.com comes from the sample file. Replace it with information from your rbl supplier.
Recognizing spoofed messages
There's only so much that postfix can do to restrict spam. The Ports Collection contains a couple of other useful tools, procmail and spamassassin, which together can reject a lot of spam. It involves a fair amount of work, unfortunately. Take a look at the ports if you're interested.
Sender restrictions: summary
The restrictions above are interdependent. I would recommend rejecting senders based on address and lack of reverse lookup. To do that, add just the following lines to your main.cf:
smtpd_sender_restrictions = reject_unknown_sender_domain, hash:/usr/local/etc/postfix/access
Running postfix at boot time
By default, the system starts sendmail at boot time. You don't need to do anything special. Just set the following parameters in /etc/rc.conf:
sendmail_enable="YES"
sendmail_flags="-bd"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
sendmail_msp_queue_enable="NO"
The flags have the following meanings:
- sendmail_enable is a bit of a misnomer. It should be called mail_enable.
- -bd means become daemon: postfix runs as a daemon and accepts incoming mail. sendmail uses an additional parameter, usually something like -q30m. This tells sendmail how often to retry sending mail (30 minutes in this example). Postfix accepts this option but ignores it. Instead, you tell it how often to retry mail ("run the queue") with the queue_run_delay parameter in the configuration file, which is set to 1000 seconds, about 16 minutes. A retry attempt takes up local and network resources, so don't set this value to less than about 15 minutes.
- The other parameters are only there to stop the system from running sendmail as well.
Talking to the MTA
The Simple Mail Transfer Protocol, or SMTP, is a text-based protocol. If you want, you can talk to the MTA directly on the smtp port. Try this with telnet:
$ telnet localhost smtp
Trying ::1...
telnet: connect to address ::1: Connection refused        attempt to connect with IPv6
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 freebie.example.org ESMTP Postfix on FreeBSD, the professional's choice
ehlo freebie.example.org                                   say who you are
250-freebie.example.org                                    name
250-PIPELINING                                             and list of available features
250-SIZE 10240000
250-ETRN
250 8BITMIME
mail from: grog@example.org                                who the mail is from
250 Ok
rcpt to: grog@example.org                                  and who it goes to
250 Ok
data                                                       start the message body
354 End data with <CR><LF>.<CR><LF>
Test data                                                  The message
.                                                          End of message
250 Ok: queued as 684F081471
quit                                                       and exit
221 Bye
Connection closed by foreign host.
This rather cumbersome method is useful if you're having trouble with postfix.
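The same dialogue can be scripted to check that your sender restrictions behave as intended. The following is an added example, not part of the original text: read_reply and probe_sender are hypothetical helper names, and the two server scripts are constructed samples modelled on the session above, with the rejection text simplified to the message from the access file.

```python
import io

def read_reply(rfile):
    """Read one SMTP reply: 'NNN-text' lines continue it, 'NNN text' ends it."""
    texts = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed in the middle of a reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        texts.append(line[4:])
        if line[3:4] != "-":
            return int(line[:3]), texts

def probe_sender(rfile, wfile, helo, sender, rcpt):
    """Walk the dialogue as far as RCPT TO (no DATA, so nothing is queued).
    Return (stage, code, text) for the first 4xx/5xx reply, else None."""
    steps = [("greeting", None), ("ehlo", "EHLO " + helo),
             ("mail from", "MAIL FROM:<%s>" % sender),
             ("rcpt to", "RCPT TO:<%s>" % rcpt)]
    refused = None
    for stage, command in steps:
        if command is not None:
            wfile.write(command.encode("ascii") + b"\r\n")
            wfile.flush()
        code, texts = read_reply(rfile)
        if code >= 400:
            refused = (stage, code, " ".join(texts))
            break
    wfile.write(b"QUIT\r\n")
    wfile.flush()
    return refused

# Constructed server side of two sessions, modelled on the transcript above.
BANNER_AND_EHLO = (b"220 freebie.example.org ESMTP Postfix\r\n"
                   b"250-freebie.example.org\r\n250-PIPELINING\r\n"
                   b"250-SIZE 10240000\r\n250-ETRN\r\n250 8BITMIME\r\n")
ACCEPTED = BANNER_AND_EHLO + b"250 Ok\r\n250 Ok\r\n"
# Postfix normally delays sender rejections until RCPT TO (smtpd_delay_reject).
REJECTED = BANNER_AND_EHLO + b"250 Ok\r\n550 Mail rejected. Known spam site.\r\n"

if __name__ == "__main__":
    for script, sender in ((ACCEPTED, "grog@example.org"),
                           (REJECTED, "bulk@spamdomain.com")):
        print(sender, probe_sender(io.BytesIO(script), io.BytesIO(),
                                   "freebie.example.org", sender,
                                   "grog@example.org"))
```

To run it against your own server, pass the file object from socket.create_connection(("localhost", 25)).makefile("rwb") as both rfile and wfile.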