Howdy, all!
I am using Postfix for a small business/family e-mail domain. It's
pretty low volume, and I am really doing it as much to keep current on
Postfix as anything. We're getting positively hammered by spam. I used
to use Spamassassin when I was a Sendmail guy, but I have not had time
to set it up for Postfix. It's definitely on my list, just... life.
For spam abatement, I am using Spamhaus, and it's helping a lot, but
we're still getting a ton of spam.
So I have set up a rule:
check_sender_access regexp:/etc/postfix/sender_access
The sender_access file rejects everything from the "*.onmicrosoft.com"
domain, as we've never received a single non-spam email from those domains.
I've also started rejecting all emails from these domains:
.pro
.date
.science
.top
.download
.work
.click
.link
.diet
.review
.party
.zip
.xyz
.stream
.bid
.shop
.best
.world
It has TREMENDOUSLY lowered our spam load, but, naturally, I'm worried
about the rare case where someone actually needs to receive email from
someone dumb enough to use one of those domains.
Here is my main.cf, with some basic obfuscations:
compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix/samples
readme_directory = /usr/share/doc/postfix/README_FILES
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain/privkey.pem
smtpd_tls_security_level = may
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = may
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix
myhostname = [obfuscated].camerontech.com
mydomain = camerontech.com
myorigin = $mydomain
mynetworks = 127.0.0.0/8, [obfuscated]/19
home_mailbox = Maildir/
smtpd_banner = $myhostname ESMTP
disable_vrfy_command = yes
smtpd_helo_required = yes
message_size_limit = 20971520
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
rbl_reply_maps = hash:$config_directory/dnsbl-reply-map
smtpd_recipient_restrictions =
    check_sender_access regexp:/etc/postfix/sender_access
    permit_mynetworks
    permit_auth_destination
    permit_sasl_authenticated
    reject_rbl_client [obfuscated].zen.dq.spamhaus.net=127.0.0.[2..11]
    reject_rhsbl_sender [obfuscated].dbl.dq.spamhaus.net=127.0.1.[2..99]
    reject_rhsbl_helo [obfuscated].dbl.dq.spamhaus.net=127.0.1.[2..99]
    reject_rhsbl_reverse_client [obfuscated].dbl.dq.spamhaus.net=127.0.1.[2..99]
    reject_rhsbl_sender [obfuscated].zrd.dq.spamhaus.net=127.0.2.[2..24]
    reject_rhsbl_helo [obfuscated].zrd.dq.spamhaus.net=127.0.2.[2..24]
    reject_rhsbl_reverse_client [obfuscated].zrd.dq.spamhaus.net=127.0.2.[2..24]
    reject
smtpd_client_restrictions = permit_mynetworks,
    reject_unknown_client_hostname, permit
smtpd_sender_restrictions = permit_mynetworks,
    reject_unknown_sender_domain, reject_non_fqdn_sender
smtpd_helo_restrictions = permit_mynetworks, reject_unknown_hostname,
    reject_non_fqdn_hostname, reject_invalid_hostname, permit
mynetworks_style = host
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
virtual_alias_domains = [obfuscated list]
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
So my overarching question is, am I being dense by rejecting these
spammy domains? My sender_access file looks like this:
/@*.onmicrosoft\.com/ REJECT
/\.pro$/ REJECT We reject all .pro domains. Contact thomas dot cameron
    at camerontech dot com from a trusted email service if you need assistance.
/\.date$/ REJECT We reject all .date domains. Contact thomas dot cameron
    at camerontech dot com from a trusted email service if you need assistance.
/\.science$/ REJECT We reject all .science domains. Contact thomas dot
    cameron at camerontech dot com from a trusted email service if you need
    assistance.
/\.top$/ REJECT We reject all .top domains. Contact thomas dot cameron
    at camerontech dot com from a trusted email service if you need assistance.
/\.download$/ REJECT We reject all .download domains. Contact thomas dot
    cameron at camerontech dot com from a trusted email service if you need
    assistance.
/\.work$/ REJECT We reject all .work domains. Contact thomas dot cameron
    at camerontech dot com from a trusted email service if you need assistance.
/\.click$/ REJECT We reject all .click domains. Contact thomas dot
    cameron at camerontech dot com from a trusted email service if you need
    assistance.
/\.link$/ REJECT We reject all .link domains. Contact thomas dot cameron
    at camerontech dot com from a trusted email service if you need assistance.
/\.diet$/ REJECT We reject all .diet domains. Contact thomas dot cameron
    at camerontech dot com from a trusted email service if you need assistance.
/\.review$/ REJECT We reject all .review domains. Contact thomas dot
    cameron at camerontech dot com from a trusted email service if you need
    assistance.
/\.party$/ REJECT We reject all .party domains. Contact thomas dot
    cameron at camerontech dot com from a trusted email service if you need
    assistance.
/\.zip$/ REJECT We reject all .zip domains. Contact thomas dot cameron
    at camerontech dot com from a trusted email service if you need assistance.
/\.xyz$/ REJECT We reject all .xyz domains. Contact thomas dot cameron
    at camerontech dot com from a trusted email service if you need assistance.
/\.stream$/ REJECT We reject all .stream domains. Contact thomas dot
    cameron at camerontech dot com from a trusted email service if you need
    assistance.
/\.bid$/ REJECT We reject all .bid domains. Contact thomas dot cameron
    at camerontech dot com from a trusted email service if you need assistance.
/\.shop$/ REJECT We reject all .shop domains. Contact thomas dot cameron
    at camerontech dot com from a trusted email service if you need assistance.
/\.best$/ REJECT We reject all .best domains. Contact thomas dot cameron
    at camerontech dot com from a trusted email service if you need assistance.
/\.world$/ REJECT We reject all .world domains. Contact thomas dot
    cameron at camerontech dot com from a trusted email service if you need
    assistance.
So at least they get instructions on how to let me know that I need
to add their specific address to a whitelist if they need to email us.
Am I smoking crack? Or is this pretty reasonable? Or should I just
knuckle down and set up Spamassassin or some other anti-spam tool? (I'm
totally open to suggestions; I just have experience with SA from a past
life.)
--
Thanks!
Thomas Cameron, RHCE, AWS SA-Pro
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
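A way to test a regexp: sender_access table offline before reloading Postfix, as an added example that is not part of the post above and not Postfix's own code. It emulates how check_sender_access applies a regexp: table: the whole sender address is the lookup key, rules are tried top to bottom, the first match wins, and matching is case-insensitive by default. Python's re module stands in for the POSIX regular expressions Postfix uses (for the patterns here the two agree), only the i flag is modelled, and the table lines and addresses are constructed for the demonstration. It shows two things worth checking in the table from the post: the onmicrosoft entry, /@*.onmicrosoft\.com/, matches much more than *.onmicrosoft.com because @* means zero or more @ signs, the unescaped dot is any character, and nothing anchors the match to the end of the address; and how the per-address exceptions the post mentions fit into the same table, where order decides.

```python
"""Offline emulation of a Postfix regexp: access table lookup.

Added example, not code from the original post or from Postfix.  Assumptions:
rules have the form /pattern/flags result (a leading '!' negates), '/' is the
only delimiter, the lookup key is the full sender address, the first matching
rule wins, and matching is case-insensitive unless the 'i' flag toggles it off.
"""
import re

# /pattern/flags result   or   !/pattern/flags result
RULE_RE = re.compile(r'^(!?)/((?:[^/\\]|\\.)*)/([A-Za-z]*)\s+(.*)$')


def parse_table(text):
    """Parse access-table text into (negate, compiled_regex, result) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported table line: {raw!r}")
        negate, pattern, flags, result = m.groups()
        # Postfix default is case-insensitive; the 'i' flag toggles that off.
        re_flags = 0 if 'i' in flags else re.IGNORECASE
        rules.append((negate == '!', re.compile(pattern, re_flags), result.strip()))
    return rules


def lookup(rules, sender):
    """Return (ACTION, reply_text) of the first matching rule, or None."""
    for negate, rx, result in rules:
        if (rx.search(sender) is not None) != negate:
            action, _, text = result.partition(' ')
            return action.upper(), text
    return None


def verdict(table_text, sender):
    """The action string ('REJECT', 'DUNNO', ...) or 'no match'."""
    hit = lookup(parse_table(table_text), sender)
    return hit[0] if hit else 'no match'


# The onmicrosoft entry as written in the post: '@*' is zero or more '@',
# the bare '.' is any character, and there is no '$' anchor.
AS_POSTED = r"/@*.onmicrosoft\.com/ REJECT"

# Anchored form: the sender domain is onmicrosoft.com or a subdomain of it.
ANCHORED = r"/@(.*\.)?onmicrosoft\.com$/ REJECT"

# Constructed TLD block with an exception placed first.  The exception returns
# DUNNO rather than OK: with check_sender_access as the first entry of
# smtpd_recipient_restrictions, OK would accept the recipient outright and skip
# every check that follows, DUNNO just falls through to the next restriction.
TLD_TABLE = r"""
# exceptions first: first match wins
/^trusted\.partner@example\.shop$/ DUNNO
/\.shop$/ REJECT We reject all .shop domains.
/\.zip$/  REJECT We reject all .zip domains.
"""

if __name__ == '__main__':
    for table, name in ((AS_POSTED, 'as posted'), (ANCHORED, 'anchored')):
        for addr in ('bob@contoso.onmicrosoft.com', 'team@notonmicrosoft.company'):
            print(f"{name:10} {addr:32} -> {verdict(table, addr)}")
    for addr in ('trusted.partner@example.shop', 'deals@example.shop',
                 'BIG@DEALS.SHOP', 'archive.zip@example.org'):
        print(f"{'tld table':10} {addr:32} -> {verdict(TLD_TABLE, addr)}")
```

On a real Postfix host the same check is `postmap -q 'deals@example.shop' regexp:/etc/postfix/sender_access`. Note that `/\.zip$/` anchors on the whole address, so `archive.zip@example.org` is not rejected, only senders whose domain ends in .zip. One caveat about the posted main.cf rather than the table: in smtpd_recipient_restrictions, permit_auth_destination sits before the reject_rbl_client and reject_rhsbl_* entries, and a permit ends the evaluation of that list, so for mail addressed to the server's own domains the Spamhaus lookups in that list are never reached. Moving permit_auth_destination below them (it has to stay, since the trailing reject would otherwise refuse all inbound mail) lets the DNSBL checks run on inbound mail; the usual alternative is reject_unauth_destination early in the list with the DNSBL checks after it and no final reject.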