Electronic mail: servers

Rejecting known spam domains

If you have identified domains that you would rather not hear from again, use the form check_sender_access maptype:mapname. By default, the map is stored in /usr/local/etc/postfix/access.db. Add the following text to main.cf:

smtpd_sender_restrictions = hash:/usr/local/etc/postfix/access

Note that the .db is missing from the name. Now add this line to the file /usr/local/etc/postfix/access, creating it if necessary:

spamdomain.com 550 Mail rejected. Known spam site.

This form rejects messages from this domain with SMTP error code 550 and the message that follows. As we have seen, postfix reads the file /usr/local/etc/postfix/access.db, not /usr/local/etc/postfix/access. Use the postmap program to create or update /usr/local/etc/postfix/access.db:

# postmap /usr/local/etc/postfix/access

The changes to /usr/local/etc/postfix/main.cf depend on other items as well, so we'll look at them at the end of this discussion. To judge by the name, spamdomain.com is probably a hard-core spam producer. But there are others, notably large ISPs with little or no interest in limiting spam, and they also have innocent users who will also be blocked. If you find out about it, you can make exceptions:

spamdomain.com          550          Mail rejected. Known spam site.
innocent@spamdomain.com OK

Don't forget to re-run post map after updating alias. One way is to create a Make file in /usr/local/etc/Postfix with the following contents:

access.db: access
    /usr/local/sbin/postmap access

Then add the following line to /etc/crontab:

1****root (cd /usr/local/etc/postfix; make) 2>/dev/null >/dev/null

This checks the files every hour and rebuilds /usr/local/etc/postfix/access.db if necessary.

Rejecting sites without reverse lookup

A very large number of spam sites don't have reverse lookup on their IP addresses. You can reject all such mail: after all, it's misconfigured. Just add the reject_unknown_sender_domain keyword to the smtpd_sender_restrictions. Unfortunately, some serious commercial enterprises also don't have reverse lookup. It's your choice whether you want to accept mail from them and open the food gates to spam, or to ignore them. The FreeBSD project has chosen the latter course: if you don't have reverse lookup, you will not be able to send mail to FreeBSD.org.

Rejecting listed sites

Another alternative is to reject sites that have been listed on a public list of spam sites, sometimes referred to as an rbl (Realtime Blackhole List). The example given in the configuration file is http://www.mail-abuse.org/, but there are others as well. They maintain a list of spam sites that you can query before accepting every message.

I don't like these sites for a number of reasons:

• They slow things down.
• They frequently cost money.
• They have a habit of blocking large quantities of address space, including domains who are not in anyway related with the spammers. I don't know anything about MAPS, so I can't comment on whether they do this sort of thing.

If you want to use this kind of service, add the following two lines to your main.cf:

smtpd_client_restrictions = reject_maps_rbl
maps_rbl_domains = rbl.maps.vix.com

The name rbl.maps.vix.com comes from the sample file. Replace it with information from your rbl supplier.

Recognizing spoofed messages

There's only so much that postfix can do to restrict spam. The Ports Collection contains a couple of other useful tools, procmail and spamassassin, which together can reject a lot of spam. It involves a fair amount of work, unfortunately. Take a look at the ports if you're interested.

Sender restrictions: summary

The restrictions above are interdependent. I would recommend rejecting senders based on address and lack of reverse lookup. To do that, add just the following lines to your main.cf:

smtpd_sender_restrictions = reject_unknown_sender_domain,
      hash:/usr/local/etc/postfix/access

Running postfix at boot time

By default, the system starts sendmail at boot time. You don't need to do anything special. Just set the following parameters in /etc/rc.conf:

sendmail_enable="YES"
sendmail_flags="-bd"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
sendmail_msp_queue_enable="NO"

The fags have the following meanings:

• sendmail_enable is a bit of a misnomer. It should be called mail_enable.
• -bd means become daemon: postfix runs as a daemon and accepts incoming mail. sendmail uses an additional parameter, usually something like -q30m.This tells sendmail how often to retry sending mail (30 minutes in this example). Postfix accepts this option but ignores it. Instead, you tell it how often to retry mail ("run the queue") with the queue_run_delay parameter in the configuration file, which is set to 1000 seconds, about 16 minutes. A retry attempt takes up local and network resources so don't set this value less than about 15 minutes.
• The other parameters are only there to stop the system from running sendmail as well.

Talking to the MTA

The Simple Mail Transfer Protocol, or SMTP, is a text-based protocol. If you want, you can talk to the MTA directly on the smtp port. Try this with telnet:

$ telnet localhost smtp
Trying ::1...
telnet: connect to address ::1: Connection refused attempt to connect with IPv6
Trying 127.0.0.1...
Connected to localhost.
Escape character is ’?]’.
220 freebie.example.org ESMTP Postfix on FreeBSD, the professional’s choice
ehlo freebie.example.org      say who you are
250-freebie.example.org name
250-PIPELINING                and list of available features
250-SIZE 10240000
250-ETRN
250 8BITMIME
mail from: grog@example.org   who the mail is from
250 Ok
rcpt to: grog@example.org     and who it goes to
250 Ok
data start                    the message body
354 End data with <CR><LF>.<CR><LF>
Test data The message
.                            End of message
250 Ok: queued as 684F081471
quit                         and exit
221 Bye
Connection closed by foreign host.

This rather cumbersome method is useful if you're having trouble with postfix.