More anti-spam and e-mail defence measures
It is possible to make further adjustments to the e-mail system to harden it against spam and attacks through config changes to the command line.
Install the Greylisting app
This is a basic antispam measure, but please read the documentation, especially the section about updating /etc/postfix/postgrey_whitelist_clients. You can add a basic two line file to /etc/cron.monthly or /etc/cron.weekly:
wget -q -N http://postgrey.schweikert.ch/pub/postgrey_whitelist_clients -O /etc/postfix/postgrey_whitelist_clients /bin/systemctl condrestart postgrey.service
You can also maintain your own whitelist at /etc/postfix/postgrey_whitelist_clients.local. I whitelist Ebay and PayPal as the sender often changes as you do transactions with different vendors or purchasers and it saves having to wait five minutes for each new e-mail.
If you monitor your maillog for “postgrey” messages, you may find more senders to add to the whitelist, especially regular senders who retry too quickly and senders who, when they retry, retry from a different IP address.
Reorganise how you send mail from your clients
See the Security Considerations section of the SMTP server docs. Simplified, it comes down to:
- Turn off SMTP Authentication.
- Configure any devices (phones, tablets, laptops) which are going to send e-mails via your server from the internet to use STARTTLS on port 587 (preferred) or SMTPS on port 465 rather than SMTP on port 25.
- Open the Incoming Firewall to the SMTPS or SMTP STARTTLS service if you want to send mail from the internet.
- Fixed devices on your LAN should either use STARTTLS on port 587 (preferable), SMTPS on port 465 (second best option) or add your LAN(s) to the Trusted Networks in the SMTP Server (easier).
If you don't do this, you may have to add “permit_sasl_authenticated” to some of the smtpd_client_restrictions restrictions below.
Stop senders with no Reverse-DNS Record
It is a mandatory requirement of the e-mail RFC's that every sending MTA has an IP address resolves to a PTR record (a Reverse DNS record). The PTR record does not have to be the same as the sending FQDN; it just must exist. Typically dynamic IP's may not have a PTR record and, if sending mail, may just be compromised machines. They make good candidates for blocking. These are the postfix/smtpd “connect from unknown” messages in the maillog. To block these from getting any further than connecting (so they can't actually send the message) add a line to /etc/postfix/main.cf:
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_reverse_client_hostname
I had to add the “permit_mynetworks” bit recently because of docker images (ClearGLASS) sending e-mails and these have no PTR records in ClearOS.
Trust the spamhaus.org Reputation Block List
spamhaus.org have some very reliable spam blacklists but please read their pages. You can reject e-mails coming from sources on their blacklists before they even come into your mail system. This means the mail never gets as far as as the anti-spam checking so will never get [SPAM] tagged as it does not get received. To trust spamhaus.org in this way add:
reject_rbl_client zen.spamhaus.org
to the smtpd_recipient_restrictions parameter in /etc/postfix/main.cf
warn_if_reject reject_rbl_client zen.spamhaus.org
to smtpd_recipient_restrictions then monitor you mail log. Once you are confident of it working, remove the “warn_if_reject”
Other Parameters for smtpd_recipient_restrictions
There are more restrictions you can add to smtpd_recipient_restrictions in /etc/postfix/main.cf which I have found to be effective:
reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_invalid_hostname
These have been found to be very effective and are best added before the Greylist checking parameter:
check_policy_service unix:/var/spool/postfix/postgrey/socket
warn_if_reject
before each parameter then monitor you mail log. e.g.
warn_if_reject reject_non_fqdn_sender
Then check your mail logs to see what would be rejected by the parameter. Once you are confident of it working, remove the “warn_if_reject”
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname, check_policy_service unix:/var/spool/postfix/postgrey/socket, reject_unauth_pipelining, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org
I've split the line to help it to display correctly, but it will work when split like this or as a single line.
reject_unknown_sender_domain
as I've seen mis-configurations by a big company (EE) and this would reject valid e-mails.
Other useful standalone parameters
The following are standalone parameters for /etc/postfix/main.cf
disable_vrfy_command
disable_vrfy_command = yes
This stops some techniques used to harvest email addresses.
strict_rfc821_envelopes
strict_rfc821_envelopes=yes
This may cause problems with home-grown applications that send mail, and with ancient PC mail clients so defaults to “no” but it is worth trying. It may stop the odd spam e-mail.
smtpd_helo_required
smtpd_helo_required = yes
This may cause problems with home-grown applications that send mail so defaults to “no”, but should be fine for mail coming from commercial e-mail packages. It is worth trying.
Stopping mail from the internet from fictitious users of your domain
If your domain is example.com and you receive a lot of spam from senders such as [email protected], [email protected] etc, this is easy to stop.
If you follow the recommendation Reorganise how you send mail from your clients then no one from example.com will be sending you email from the internet through port 25 as valid users will be using port 465 (or 587). It is then easy to filter out this offending mail.
example.com REJECT
Run the command:
postmap /etc/postfix/access
Then add to /etc/postfix/main.cf:
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/etc/postfix/access
Then restart the SMTP server (not reload) through the Webconfig or with a:
service postfix restart # ClearOS 6.x systemctl restart postfix.service # ClearOS 7.x