Postfix-jp - Antispam Measures
Modified: 20 Jan., 2003
This document was contributed by Shannon Lekas (Shannon.lekas-at-flyingmug.com).
This document is subdivided into three sections.
If you have a Postfix mail server and want to allow SMTP connections to it as well as IMAP/POP, this will help.
Please note this assumes you have a functioning mail server and just want to allow outside users to use Outlook instead of IMAP if they want. I know it was a plus for me because SMTP/POP uses a lot less of my DSL bandwidth than IMAP.
What you will need on a pretty standard RH 7.3 box:
You can download these from any rpmfind.net mirror.
perl-File-Tail-0.98-7.noarch.rpm (there was no Red Hat rpm so I used a PLD Linux rpm)
perl-Time-HiRes-1.20-14.i386.rpm (for Red Hat 7.3)
perl-Net-Netmask-1.9002-7.noarch.rpm (there was no Red Hat rpm so I used a PLD Linux rpm)
pop-before-smtp-1.28-2.noarch.rpm (for Red Hat 7.3)
Install these 4 rpms via rpm -Uvh filename.rpm.
Next add pop-before-smtp into the startup directories.
$cd /etc/init.d
$chkconfig --add pop-before-smtp --level 35
The service will now start automatically in command-line or GUI mode (runlevels 3 and 5). You can validate this by looking in /etc/rc3.d/ or /etc/rc5.d/. You will see a filename such as S##pop-before-smtp in that directory, where ## is a number that varies by system.
Now simply execute:
$service pop-before-smtp start
and the service will start.
Now you need to add a line to your main.cf file in postfix.
$cd /etc/postfix
$vi main.cf
You will need to add this entry to your smtpd_recipient_restrictions: check_client_access hash:/etc/postfix/pop-before-smtp, as listed below.
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/pop-before-smtp,
Note that you will most certainly have more entries in your client/recipient restrictions, but to use pop-before-smtp you need that line.
Then execute:
$postfix reload
Voilà. If you connect to your SMTP server from outside your network, a couple of things will happen. In your /var/log/maillog file you will see an SMTP connection.
$tail -f /var/log/maillog
When you see that, you can then execute:
$strings /etc/postfix/pop-before-smtp.db
You will see the IP of the client you connected with. This means it's working.
Now go to a site like:
http://members.iinet.net.au/~remmie/relay/
You can then try to spam yourself and others using your SMTP server, and you should reject all attempts. I would try every combination of sender and receiver, both local and remote, to ensure you're protected, and to make sure you didn't cut off any functionality for your existing users.
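A check on where the pop-before-smtp lookup sits in smtpd_recipient_restrictions, as an added example that is not part of the original document. The function name check_relay_restrictions and the three sample values are constructed, and reject_unauth_destination is assumed to be the relay check in use.

```sh
# Added example, not from the original document.
# check_relay_restrictions VALUE
#   VALUE is the text of smtpd_recipient_restrictions (on a live server:
#   postconf -h smtpd_recipient_restrictions). Restrictions are evaluated in
#   order and the first match wins, so position matters.
#   Prints findings; returns 0 only when the list is sane.
check_relay_restrictions() {
    printf '%s\n' "$1" | tr ',' ' ' | awk -v map='hash:/etc/postfix/pop-before-smtp' '
        { for (i = 1; i <= NF; i++) tok[++n] = $i }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                if (tok[i] == map && tok[i-1] == "check_client_access" && !pbs) pbs = i
                if (tok[i] == "reject_unauth_destination" && !rud) rud = i
                if (tok[i] == "permit" && !rud) {
                    print "FAIL: bare permit before reject_unauth_destination (open relay)"; bad = 1
                }
            }
            if (!rud) { print "FAIL: no reject_unauth_destination"; bad = 1 }
            if (!pbs) {
                print "FAIL: pop-before-smtp map is not consulted"; bad = 1
            } else if (rud && pbs > rud) {
                print "FAIL: map consulted after reject_unauth_destination, POP clients cannot relay"; bad = 1
            }
            if (!bad) print "OK"
            exit bad
        }'
}

# Constructed sample values.
good='permit_mynetworks, check_client_access hash:/etc/postfix/pop-before-smtp, reject_unauth_destination'
late='permit_mynetworks, reject_unauth_destination, check_client_access hash:/etc/postfix/pop-before-smtp'
open='check_client_access hash:/etc/postfix/pop-before-smtp, permit'

for v in "$good" "$late" "$open"; do
    check_relay_restrictions "$v" || true
done
```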
I found that when trying to exploit my server I was successful at blocking all attempts to spam others..... but I could spam unknown users on my system that ended up in my postmaster account. So here is what I did.
In my aliases file I had to create an alias for all users on the system....and their aliases....as follows.
$vi /etc/postfix/aliases
#this is just the end of the file where my users are
# custom user aliasing
#####################################################################
#Shannon Lekas
shannon.lekas: shannon
shannon: shannon
#Another User
another.user: admin
user: admin
postmaster: admin
support: admin
I'm sure you get the idea. The point is that if a user or alias exists on your system, they need to have an entry in the aliases file, even if it's just a username to username mapping or a cname to username mapping. Note that the aliases.db file is for inbound mapping, whereas the canonical.db file is for outbound mapping.
If you're an ISP or have hundreds of users (I only have around 15, so it's not a big deal to make these entries), you will want to create a MySQL table to host these entries. I won't document that here, but if you want me to, just email me at shannon.lekas-at-flyingmug.com and I'll do it.
Now that you have successfully added all your users to your system, execute the following command to build the database file.
$postalias /etc/postfix/aliases
This will create an aliases.db file.
You can execute:
$strings aliases.db
and it will show you all the entries in the indexed flat file. (By the way, if you don't have the strings command, you need to get the binutils rpm package from rpmfind.net.)
Now that you have the aliases database you need to tell postfix to use it to block incoming mail to unknown users.
Simply add these lines....or uncomment if they are already there.
local_recipient_maps = $alias_maps unix:passwd.byname
alias_maps = hash:/etc/postfix/aliases
Now execute:
$postfix reload
Voilà... now you're all set.
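An audit of the aliases file used as a recipient list, as an added example that is not part of the original document. The function names recipient_known and audit_aliases, the sample passwd entries and the sales alias are constructed, and the parser assumes simple one-line "name: target" entries.

```sh
# Added example, not from the original document. Sample files are constructed.
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
shannon:x:500:500::/home/shannon:/bin/bash
admin:x:501:501::/home/admin:/bin/bash
EOF
cat > "$tmp/aliases" <<'EOF'
# custom user aliasing
shannon.lekas: shannon
shannon: shannon
another.user: admin
postmaster: admin
support: admin
sales: admn
EOF
# recipient_known NAME ALIASES PASSWD: returns 0 if NAME is an alias key or a
# passwd login, the two tables named in local_recipient_maps above.
recipient_known() {
    awk -F: -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { k = tolower($1); gsub(/[ \t]/, "", k); if (k == tolower(want)) found = 1 }
        END { exit !found }' "$2" "$3"
}
# audit_aliases ALIASES PASSWD: reports aliases whose target is neither a
# login nor another alias. Postfix would accept mail for such an alias and
# bounce it later. Addresses, files, pipes and :include: targets are skipped.
audit_aliases() {
    awk -F: '
        FNR == NR { user[tolower($1)] = 1; next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { k = tolower($1); gsub(/[ \t]/, "", k); alias[k] = substr($0, index($0, ":") + 1); order[++n] = k }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]; m = split(alias[k], t, ",")
                for (j = 1; j <= m; j++) {
                    x = tolower(t[j]); gsub(/^[ \t]+|[ \t]+$/, "", x)
                    c = substr(x, 1, 1)
                    if (x == "" || c == "/" || c == "|" || c == ":" || index(x, "@")) continue
                    if (!(x in user) && !(x in alias)) { print "DANGLING " k " -> " x; bad = 1 }
                }
            }
            exit bad + 0
        }' "$2" "$1"
}
recipient_known support "$tmp/aliases" "$tmp/passwd" && echo "support: accepted"
recipient_known nosuchuser "$tmp/aliases" "$tmp/passwd" || echo "nosuchuser: rejected"
audit_aliases "$tmp/aliases" "$tmp/passwd" || true
```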
Many people have documented this already...but what the heck...its quick.
If you want to block spam (which we all do), enter these two lines in your main.cf file.
######################################
#SMTP Anti Relay Entries
######################################
smtpd_client_restrictions = reject_maps_rbl,
smtpd_sender_restrictions = reject_maps_rbl,
Again, you will have more entries under each of these, but as far as anti-spam is concerned you need the reject_maps_rbl lines.
Now add the following lines to your main.cf file.
########################################
#Anti Spam Blackholes
########################################
maps_rbl_domains = relays.osirusoft.com, spamhaus.relays.osirusoft.com, sbl.spamhaus.org
You can use any DNS real-time blackhole list you want, but I have found these very effective, on the order of hundreds of attempts per day.
Now just execute:
$postfix reload
You're good to go. If you need help, just send an email.
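How a blackhole lookup is formed, and a sanity check for each zone listed in maps_rbl_domains, as an added example that is not part of the original document. The function names, the fake_resolver stand-in and the *.example zones are constructed; the check uses the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not), so a zone that has gone silent or lists every address is caught before it affects mail.

```sh
# Added example, not from the original document.
# dnsbl_qname IPV4 ZONE: reverse the octets and append the zone,
# e.g. 192.0.2.10 in sbl.spamhaus.org -> 10.2.0.192.sbl.spamhaus.org
dnsbl_qname() {
    printf '%s\n' "$1" | awk -F. -v z="$2" '
        NF == 4 { print $4 "." $3 "." $2 "." $1 "." z; ok = 1 }
        END { exit !ok }'
}

# dnsbl_listed IPV4 ZONE RESOLVER: 0 when the zone answers with a 127.x.x.x
# address. RESOLVER is a command that prints the A records for a name.
dnsbl_listed() {
    "$3" "$(dnsbl_qname "$1" "$2")" | grep -q '^127\.'
}

# dnsbl_zone_sane ZONE RESOLVER: RFC 5782 test entries.
dnsbl_zone_sane() {
    if ! dnsbl_listed 127.0.0.2 "$1" "$2"; then
        echo "DEAD $1"; return 1
    fi
    if dnsbl_listed 127.0.0.1 "$1" "$2"; then
        echo "LISTS-EVERYTHING $1"; return 1
    fi
    echo "OK $1"
}

# Resolver for a live check: dnsbl_zone_sane sbl.spamhaus.org dig_resolver
dig_resolver() { dig +short "$1" A; }

# Constructed offline stand-in: one healthy zone, one that lists everything,
# and no answer at all for any other zone.
fake_resolver() {
    case "$1" in
        2.0.0.127.healthy.example) echo 127.0.0.2 ;;
        *.wildcard.example)        echo 127.0.0.2 ;;
    esac
}

dnsbl_qname 192.0.2.10 sbl.spamhaus.org
for z in healthy.example wildcard.example dead.example; do
    dnsbl_zone_sane "$z" fake_resolver || true
done
```

On Postfix 2.0 and later, DNSBL zones are listed with reject_rbl_client entries rather than maps_rbl_domains and reject_maps_rbl.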