
Antispam by postfix + spamassassin

I have a small domain which I support, and at one point spam had grown so much that it was decided to reduce it as far as possible. As a result, I am more than pleased with the outcome: in principle, I don't see one spam letter reach the inbox in 3-4 months. Of course there are false positives, but they are mostly from bulk mailings.
This is my personal configuration, which I want to share; maybe some things can be done better, I do not deny it. Also, depending on your setup, you will need to tune it in one direction or another.

So for this we need postfix, spamassassin and amavisd-new. I use Debian, so the packages are installed with:

apt-get install postfix postfix-pcre spamassassin amavisd-new


Configuration file /etc/postfix/main.cf (Postfix does not support comments after a value on the same line, so the explanations are on their own lines above the parameter they describe, and continuation lines of a multi-line value must start with whitespace):

myhostname = mail.example.com
mydestination = $myhostname
# networks from which mail is accepted for relay without authentication.
mynetworks = 127.0.0.0/8
smtpd_banner = $myhostname ESMTP $mail_name
biff = no

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/mail.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
# add TLS session information to the Received: header
smtpd_tls_received_header = yes
# offer authentication only after a TLS session has been established
smtpd_tls_auth_only = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# appending .domain is the MUA's job.
append_dot_mydomain = no

alias_maps = hash:/etc/aliases
virtual_alias_maps = hash:/etc/postfix/virtual
# IP address on the WAN interface, if the server itself uses an internal address.
proxy_interfaces = 1.1.1.1
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes

# smtpd_delay_reject = yes is the default, therefore all restrictions are applied only after the RCPT TO command.

# spam_trap: list of addresses that eat spam without restrictions.
# trusted_IP: empty for now.
# helo_checks: regular expressions for catching typical spam HELOs.
# not_our_domain_as_sender: if the sender is in our domain, require authentication.
# sender_mx_access: list of non-routable networks.
# reject_rbl_client: DNSBL lookup.
smtpd_recipient_restrictions =
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    check_recipient_access hash:/etc/postfix/spam_trap
    reject_unknown_reverse_client_hostname
    reject_invalid_hostname
    reject_non_fqdn_hostname
    check_client_access cidr:/etc/postfix/trusted_IP
    check_helo_access pcre:/etc/postfix/helo_checks
    check_helo_access hash:/etc/postfix/helo_checks_text
    check_sender_access hash:/etc/postfix/not_our_domain_as_sender
    check_sender_mx_access cidr:/etc/postfix/sender_mx_access
    reject_rbl_client zen.spamhaus.org
    permit

# reject_unauth_pipelining can be used outside smtpd_data_restrictions only if smtpd_delay_reject = no is set,
# for example to delay the display of the greeting (HELO).
smtpd_data_restrictions =
    reject_multi_recipient_bounce
    reject_unauth_pipelining

smtpd_etrn_restrictions = reject
smtpd_soft_error_limit = 3

# header_checks: the usual check of Received: fields for forged references to our domain
header_checks = pcre:/etc/postfix/header_checks
# mime_header_checks: block attachments
mime_header_checks = pcre:/etc/postfix/mime_header_checks

# This part of the config is for authentication through dovecot and delivery of mail to the mail store.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_authenticated_header = yes

dovecot_destination_recipient_limit = 1
mailbox_transport = dovecot
virtual_transport = dovecot
virtual_mailbox_domains = example.com
virtual_mailbox_maps = hash:/etc/postfix/vmailbox


/etc/postfix/helo_checks (a pcre table; 1.1.1.1 is the server's own public address, as in main.cf)
/^mail\.example\.com$/  REJECT That's my hostname, use your own
/^1\.1\.1\.1$/          REJECT That's my IP address, use your own
/^\[1\.1\.1\.1\]$/      REJECT That's my IP address, use your own
/^[0-9.]+$/             REJECT Your client is not RFC 2821 compliant
/^([0-9]{1,3}\.){3}[0-9]{1,3}$/  553 SPAM-raw-ip-in-helo
/(^|[0-9.-])(adsl|bgp|dynamicIP|broadband|cable|client|dhcp|dial|dialin|dialup|dialer|dip|dslb|dup|dyn|dynamic|host|ip|isdn|modem|nas|node|pool|ppp|pppo[ae]|sirius.*ukrtel.*|user|users|vpn)[0-9.-]/i  553 SPAM_DYNAMIC-in-helo
/([0-9]{1,3}-){3}[0-9]{1,3}\./  553 SPAM-ip-add-rr-ess_networks-in-helo
/([0-9]{1,3}\.){3}[0-9]{1,3}-/  553 SPAM-ip-add-rr-ess_networks-in-helo
/smtp[-0-9]*\.orange\.nl/i  553 SPAM-orange.nl
/smtp[-0-9]*\.orange\.fr/i  553 SPAM-orange.fr
/\.lan$/i  553 SPAM-lan-in-helo
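As an added illustration (not part of the original post), here is a small Python checker that applies a constructed copy of the HELO table to sample HELO names the way a pcre_table(5) lookup does: one rule per line, first match wins. One caveat it models: Postfix pcre tables are case-insensitive by default, and the `/i` flag toggles that default, so a rule written with `/i` actually becomes case-sensitive. Running such a dry run before the table goes live shows, for instance, that a legitimate address literal like `[203.0.113.7]` (a constructed test value) is passed on rather than rejected.

```python
import re

# Constructed copy of the HELO table from the post (the 1.1.1.1 placeholder
# stands for the server's own address; the long dynamic-host rule is abridged).
HELO_CHECKS = r"""
/^mail\.example\.com$/ REJECT That's my hostname, use your own
/^1\.1\.1\.1$/ REJECT That's my IP address, use your own
/^\[1\.1\.1\.1\]$/ REJECT That's my IP address, use your own
/^[0-9.]+$/ REJECT Your client is not RFC 2821 compliant
/(^|[0-9.-])(adsl|bgp|broadband|cable|client|dhcp|dial|dialin|dialup|dialer|dip|dslb|dup|dyn|dynamic|host|ip|isdn|modem|nas|node|pool|ppp|pppo[ae]|user|users|vpn)[0-9.-]/i 553 SPAM_DYNAMIC-in-helo
/\.lan$/i 553 SPAM-lan-in-helo
"""

# A table line is "/pattern/flags action"; the action is everything after the flags.
RULE = re.compile(r"^/(.*)/([a-z]*)\s+(.+)$")


def load_table(text):
    """Parse the table in file order, skipping blank and comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError("bad rule: " + line)
        pattern, flags, action = m.groups()
        opts = re.I  # pcre_table(5): matching is case-insensitive by default
        for ch in flags:
            if ch == "i":
                opts ^= re.I  # "i" toggles the default, i.e. makes the rule case-sensitive
        rules.append((re.compile(pattern, opts), action))
    return rules


def check_helo(rules, helo):
    """Return the action of the first rule matching the HELO name, or None if
    no rule matches (Postfix then moves on to the next restriction)."""
    for rx, action in rules:
        if rx.search(helo):
            return action
    return None


if __name__ == "__main__":
    table = load_table(HELO_CHECKS)
    for name in ("mail.example.com", "203.0.113.7", "[203.0.113.7]",
                 "ppp-91-77-1-2.example.net", "hosting.example.net", "Workstation.LAN"):
        print(name, "->", check_helo(table, name))
```

Names such as hosting.example.net show why the dynamic rule requires a digit, dot or dash right after the keyword: without that boundary, "host" would hit every hosting provider.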

/etc/postfix/sender_mx_access (a cidr table)
127.0.0.0/8     REJECT MX points to LOCALHOST
192.168.0.0/16  REJECT MX points to RFC1918 unreachable network
10.0.0.0/8      REJECT MX points to RFC1918 unreachable network
172.16.0.0/12   REJECT MX points to RFC1918 unreachable network
14.0.0.0/8      REJECT MX points to RFC3330 special network
224.0.0.0/4     REJECT MX in class D multicast network

/etc/postfix/header_checks (a pcre table; the if/endif block limits the three checks to Received: headers)
if /^Received:/
/^Received: +from +(example\.com) +/
    reject forged client name in Received: header: $1
/^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(example\.com)\)/
    reject forged client name in Received: header: $2
/^Received:.* +by +(example\.com)\b/
    reject forged mail server name in Received: header: $1
endif

All addresses listed in /etc/postfix/spam_trap are also present in /etc/postfix/virtual, where they are all mapped to the single spam@example.com mailbox.

/etc/amavis/conf.d/50-user
$max_servers = 8;            # num of pre-forked children (2..15 is common), -m
$mydomain = 'example.com';   # a convenient default for other settings

@local_domains_maps = ([".$mydomain", '.example.org']);

$sa_spam_subject_tag = 'Spam>';
$sa_tag2_level_deflt = 6.0;   # add 'spam detected' headers at that level
$sa_kill_level_deflt = 14.0;  # triggers spam evasive actions (eg blocks mail)

$final_banned_destiny = D_REJECT;
$final_spam_destiny = D_REJECT;

@bypass_spam_checks_maps = (
    \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

@spam_lovers_maps = (['spam@example.org'],);


Edit /etc/spamassassin/local.cf
clear_internal_networks
internal_networks 192.168.0.0/24
bayes_auto_learn 1
bayes_path /var/lib/amavis/.spamassassin/bayes
bayes_auto_learn_threshold_nonspam -0.1
score BAYES_00 0.0001 0.0001 -6.0 -6.0
score BAYES_05 0.0001 0.0001 -3.0 -3.0
score BAYES_20 0.0001 0.0001 -1.0 -1.0
score BAYES_50 0.0001 0.0001 1.6 1.6
score BAYES_60 0.0001 0.0001 2.0 2.0
score BAYES_80 0.0001 0.0001 4.0 4.0
score BAYES_95 0.0001 0.0001 6.5 6.5
score BAYES_99 0.0001 0.0001 10.0 10.0
score RDNS_NONE 0.0001 0.0001 3.0 3.0 # used when there is no reject_unknown_reverse_client_hostname rule


The simplest script that performs Bayes filter training (run as root; the chmod makes the spam maildir readable by the amavis user, whose Bayes database amavisd-new uses):

#!/bin/sh
# make the spam mailbox readable by the amavis user
chmod 777 -R /var/mail/store/spam\@example.com
# feed every message in the spam mailbox to the Bayes database as spam
su amavis -c 'sa-learn --spam --dir /var/mail/store/spam\@example.com/new/'
# remove the messages that have just been learned
rm /var/mail/store/spam\@example.com/new/*

I run it every 15 minutes from crontab. To make sure the training is proceeding normally, use the sa-learn --dump magic command and look at the nspam and nham counters. In my case, I never had to train ham manually, thanks to the good values set for the low Bayes probabilities.

I do not use databases or LDAP: the domain is small, and managing flat files is much faster for now.

Source: https://habr.com/ru/post/45441/

