Postfix-jp - Antispam Measures
Modified: 20 Jan., 2003  




This document was contributed by Shannon Lekas (Shannon.lekas-at-flyingmug.com).


This document is subdivided into three sections.

  1. SMTP secure authentication with pop-before-smtp
  2. Prevent Local unknown users from getting spam
  3. Enable Real Time DNS Black Hole lists to prevent spam.

1. SMTP secure authentication with pop-before-smtp

If you have a Postfix mail server and want to allow outside SMTP connections to it as well as IMAP/POP, this will help.

Please note that this assumes you have a functioning mail server and just want to let outside users use Outlook instead of IMAP if they want. I know it was a plus for me because SMTP/POP uses a lot less of my DSL bandwidth than IMAP.

What you will need on a pretty standard RH 7.3 box:

You can download these from any rpmfind.net mirror.

perl-File-Tail-0.98-7.noarch.rpm
    (there was no Red Hat rpm, so I used a PLD Linux rpm)
perl-Time-HiRes-1.20-14.i386.rpm (for Red Hat 7.3)
perl-Net-Netmask-1.9002-7.noarch.rpm
    (there was no Red Hat rpm, so I used a PLD Linux rpm)
pop-before-smtp-1.28-2.noarch.rpm (for Red Hat 7.3)

Install these 4 rpms via rpm -Uvh filename.rpm.

Next, add pop-before-smtp to the startup directories and enable it for runlevels 3 and 5.

$cd /etc/init.d
$chkconfig --add pop-before-smtp
$chkconfig --level 35 pop-before-smtp on

The service will now start automatically in command-line or GUI mode. You can validate this by looking in /etc/rc3.d/ or /etc/rc5.d/. You will see a filename such as S##pop-before-smtp in that directory, where ## is a number that varies by system.

Now simply execute:

$service pop-before-smtp start

and the service will start.

Now you need to add a line to your main.cf file in postfix.

$cd /etc/postfix
$vi main.cf

You will need to add this entry to your smtpd_recipient_restrictions: check_client_access hash:/etc/postfix/pop-before-smtp, as listed below.

smtpd_recipient_restrictions =
        check_client_access hash:/etc/postfix/pop-before-smtp,

Note that you will most certainly have more entries in your client/recipient restrictions, but to use pop-before-smtp you need that line.
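
The order of entries in that list matters: Postfix evaluates them top to bottom, so the pop-before-smtp lookup must come before the restriction that rejects relaying, and that rejecting restriction must still be present. The following check is an added example, not part of the original page or of pop-before-smtp; the function names, verdict strings and sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: lint the value printed by
#   postconf -h smtpd_recipient_restrictions
# for the pop-before-smtp setup. Function names and verdicts are made up here.
POP_MAP='hash:/etc/postfix/pop-before-smtp'   # map path used on this page

# Print one restriction per line. Commas and whitespace separate entries;
# a "check_*_access <map>" pair is kept together as one entry.
split_restrictions() {
    printf '%s\n' "$1" | tr ',\n' '  ' | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^check_.*_access$/ && i < NF) { print $i " " $(i+1); i++ }
            else print $i
        }
    }'
}

# Print a verdict for the restriction list in $1:
#   ok            map lookup comes before the first relay control
#   missing-map   the pop-before-smtp lookup is not in the list
#   no-relay-ctl  nothing in the list rejects relay attempts
#   wrong-order   relay control is evaluated before the map lookup
check_restrictions() {
    split_restrictions "$1" | awk -v want="check_client_access $POP_MAP" '
        $0 == want && !map { map = NR }
        /^(reject_unauth_destination|check_relay_domains|reject|defer|defer_if_permit)$/ && !ctl { ctl = NR }
        END {
            if (!map)           print "missing-map"
            else if (!ctl)      print "no-relay-ctl"
            else if (ctl < map) print "wrong-order"
            else                print "ok"
        }'
}

# Constructed sample values (not taken from a real server).
GOOD='permit_mynetworks,
        check_client_access hash:/etc/postfix/pop-before-smtp,
        reject_unauth_destination'
LATE='permit_mynetworks, reject_unauth_destination,
        check_client_access hash:/etc/postfix/pop-before-smtp'
BARE='check_client_access hash:/etc/postfix/pop-before-smtp,'

for v in "$GOOD" "$LATE" "$BARE"; do check_restrictions "$v"; done
```

On a live server, pass it the real value: check_restrictions "$(postconf -h smtpd_recipient_restrictions)".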

Then execute:

$postfix reload

Voilà. If you connect to your SMTP server from outside your network, a couple of things will happen. In your /var/log/maillog file you will see an SMTP connection.

$tail -f /var/log/maillog

When you see that, you can then execute:

$strings /etc/postfix/pop-before-smtp.db

You will see the IP of the client you connected with; this means it's working.

Now go to a site like:
http://members.iinet.net.au/~remmie/relay/

You can then try to spam yourself and others using your SMTP server, and your server should reject all attempts. I would try every combination of sender and receiver, both local and remote, to ensure you're protected and to make sure you didn't cut off any functionality for your existing users.


2. Prevent Local unknown users from getting spam

I found that when trying to exploit my server I was successful at blocking all attempts to spam others, but I could spam unknown users on my system, and that mail ended up in my postmaster account. So here is what I did.

In my aliases file I had to create an alias for all users on the system, and their aliases, as follows.

$vi /etc/postfix/aliases
#this is just the end of the file where my users are
# custom user aliasing
#####################################################################
#Shannon Lekas
shannon.lekas:  shannon
shannon:        shannon

#Another User
another.user:   admin
user:           admin
postmaster:     admin
support:        admin

I'm sure you get the idea. The point is that if a user or alias exists on your system, it needs an entry in the aliases file, even if it's just a username-to-username or cname-to-username mapping. Note that the aliases.db file is for inbound mapping, whereas the canonical.db file is for outbound mapping.

If you're an ISP or have hundreds of users (I only have around 15, so it's not a big deal to make these entries), you will want to create a MySQL table to host these entries. I won't document that here, but if you want me to, just email me at shannon.lekas-at-flyingmug.com and I'll do it.

Now that you have successfully added all your users to your system, execute the following command to build the database file.

$postalias /etc/postfix/aliases

This will create an aliases.db file.

You can execute:

$strings aliases.db 

and it will show you all the entries in the indexed flat file. (By the way, if you don't have the strings command, you need to get the binutils rpm package from rpmfind.net.)

Now that you have the aliases database you need to tell postfix to use it to block incoming mail to unknown users.

Simply add these lines to main.cf, or uncomment them if they are already there.

local_recipient_maps = $alias_maps unix:passwd.byname
alias_maps = hash:/etc/postfix/aliases

Now execute:

$postfix reload

Voilà, now you're all set.
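
To see what the local_recipient_maps setting above does with a given address, the following added example (not the author's code) looks a recipient up the same way: first among the alias keys, then among the passwd login names. The file contents, function names and report format are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: predict which recipients
# Postfix accepts under
#   local_recipient_maps = $alias_maps unix:passwd.byname
# Function names and all sample data are made up for this illustration.

# Print the lookup keys of an aliases file, lowercased. Comments, blank
# lines and continuation lines (leading whitespace) carry no key.
alias_keys() {
    awk '/^[^ \t#][^:]*:/ { k = $0; sub(/[ \t]*:.*$/, "", k); print tolower(k) }' "$1"
}

# Exit 0 if local part $1 is found in aliases file $2 or in the login
# names of passwd-format file $3; exit 1 if Postfix would reject it.
is_local_recipient() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    alias_keys "$2" | grep -qxF -e "$name" && return 0
    cut -d: -f1 "$3" | grep -qxF -e "$name"
}

# Constructed sample data.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/aliases" <<'EOF'
# custom user aliasing
shannon.lekas:  shannon
another.user:   admin
postmaster:     admin
support:        admin
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
shannon:x:500:500::/home/shannon:/bin/bash
admin:x:501:501::/home/admin:/bin/bash
EOF

# Print "<recipient> accept" or "<recipient> reject" for each argument.
report() {
    for rcpt in "$@"; do
        if is_local_recipient "$rcpt" "$tmp/aliases" "$tmp/passwd"
        then echo "$rcpt accept"
        else echo "$rcpt reject"
        fi
    done
}
report Shannon.Lekas admin support sales
```

On a real server, postalias -q name hash:/etc/postfix/aliases queries the built alias database directly.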


3. Enable Real Time DNS Black Hole lists to prevent spam.

Many people have documented this already, but what the heck, it's quick.

If you want to block spam, which we all do, enter these two settings in your main.cf file.

######################################
#SMTP Anti Relay Entries 		    
######################################        
smtpd_client_restrictions = 
        reject_maps_rbl,
        
smtpd_sender_restrictions =
        reject_maps_rbl,

Again, you will have more lines under each of these, but as each pertains to anti-spamming you need the reject_maps_rbl lines.

Now add the following lines to your main.cf file.

########################################
#Anti Spam Blackholes
########################################
maps_rbl_domains =
        relays.osirusoft.com,
        spamhaus.relays.osirusoft.com,
        sbl.spamhaus.org 

You can use any real-time DNS blackhole list you want, but I have found these very effective, to the order of hundreds of attempts per day.

Now just execute:

$postfix reload 

You're good to go. If you need help, just send an email.
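
Blackhole lists come and go, and a zone that has been shut down can end up answering for every address or for none. The following added example (not from the original page) builds the DNS name that is looked up for a client IP and classifies a zone by the RFC 5782 test entries: 127.0.0.2 is always listed and 127.0.0.1 never is. The zone dnsbl.example.org, the function names and the sample resolver answers are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: check that a DNSBL zone still
# behaves like one. Function names and sample answers are made up here.

# Print the name an MTA looks up for IPv4 address $1 in zone $2:
# the octets reversed, followed by the zone. Fails on non-IPv4 input.
dnsbl_qname() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $4 "." $3 "." $2 "." $1 "." zone; ok = 1 }
        END { exit !ok }'
}

# Exit 0 if $1 (output of "host -t A <name>") holds a 127.0.0.0/8 address,
# which is how a DNSBL answers "listed".
answer_is_listed() {
    printf '%s\n' "$1" | grep -Eq 'has address 127\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# Classify a zone from its answers for the two test entries:
# $1 = answer for 127.0.0.2 (must be listed), $2 = answer for 127.0.0.1
# (must not be listed).
classify_zone() {
    if answer_is_listed "$2"; then echo "lists-everything"
    elif answer_is_listed "$1"; then echo "ok"
    else echo "dead"
    fi
}

# Live check of zone $1; needs DNS and the host utility, so it is only
# defined here and not called.
check_zone() {
    classify_zone "$(host -t A "$(dnsbl_qname 127.0.0.2 "$1")" 2>&1)" \
                  "$(host -t A "$(dnsbl_qname 127.0.0.1 "$1")" 2>&1)"
}

# Constructed resolver answers for the placeholder zone dnsbl.example.org.
LISTED='2.0.0.127.dnsbl.example.org has address 127.0.0.2'
NXDOMAIN='Host 1.0.0.127.dnsbl.example.org not found: 3(NXDOMAIN)'
WILDCARD='1.0.0.127.dnsbl.example.org has address 127.0.0.2'

dnsbl_qname 192.0.2.99 sbl.spamhaus.org
classify_zone "$LISTED" "$NXDOMAIN"
classify_zone "$LISTED" "$WILDCARD"
classify_zone "$NXDOMAIN" "$NXDOMAIN"
```

Run check_zone against each zone in maps_rbl_domains and drop any zone that does not come back as ok.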


