
Hello, Habrovchane!
I want to add my contribution to the collective history of the fight against spammers.
You all know very well (you have felt it) how disgusting it is when your mailbox is littered with a pile of letters containing nothing but junk, plain spam. I am not talking about free mail services, I am talking about corporate mail.
Probably many of you have run into the situation where your IT department either could not cope with this task, or coped with it so well that mail stopped arriving at all.
I can say one thing: "When setting up your server's protection against spam, be a hundred times more careful than with a baby!" Otherwise you will get very interesting results... :)
I will describe the important mail server settings that significantly reduce the amount of incoming spam. Why do I say "reduce"?
The answer is obvious: it is impossible to protect a mail server from spam 100%, because spammers are vigilant, and every day they come up with new ways to bypass our protection.
I will describe these recommendations for a Linux server with Postfix installed.
Which Linux distribution you use does not matter here.
Every self-respecting IT person who has configured a mail server knows about the forward and reverse DNS zones.
I still sometimes come across mail servers that are not registered in these zones. In almost 99% of cases mail from such servers will be treated as spam. Why?
Because the most common way to send spam is to send it from non-existent servers, that is, servers not registered in DNS. For your server not to be treated as spam, you need to do two things:
1. Register your mail server's IP address in the forward DNS zone. The forward zone can be maintained by you, by your hosting provider or by your Internet service provider.
2. Register your mail server in the reverse DNS zone as well. Here you have to ask your Internet service provider to create the record (a written request is enough).
If these two conditions are met, then in 99% of cases your mail server will not be treated as spam.
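As an added illustration (not part of the original article), the two-step condition above can be checked programmatically: the hostname must resolve to the IP, and the PTR record for that IP must come back to the same hostname (forward-confirmed reverse DNS, which is what receiving servers actually test). The code uses Python's socket module for real lookups and constructed fake resolvers (example.org hosts on 192.0.2.x documentation addresses, not real servers) so it can be run offline.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Resolver hooks so the check can run against constructed data; the defaults use the real resolver.
def forward_lookup(hostname: str) -> List[str]:
    return socket.gethostbyname_ex(hostname)[2]          # all A records

def reverse_lookup(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]                     # PTR name

def check_fcrdns(hostname: str, ip: str,
                 forward: Callable[[str], List[str]] = forward_lookup,
                 reverse: Callable[[str], str] = reverse_lookup) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS: the forward zone must map hostname -> ip
    and the reverse zone must map ip -> hostname. Returns (ok, reason)."""
    try:
        addrs = forward(hostname)
    except OSError as e:                 # gaierror/herror are OSError subclasses
        return False, f"forward zone: no A record for {hostname} ({e})"
    if ip not in addrs:
        return False, f"forward zone: {hostname} -> {addrs}, not {ip}"
    try:
        ptr = reverse(ip)
    except OSError as e:
        return False, f"reverse zone: no PTR record for {ip} ({e})"
    if ptr.rstrip(".").lower() != hostname.rstrip(".").lower():
        return False, f"reverse zone: {ip} -> {ptr}, expected {hostname}"
    return True, "forward and reverse records agree"

# Constructed DNS data (documentation addresses, not real hosts) showing the three outcomes.
FAKE_A: Dict[str, List[str]] = {"mail.example.org": ["192.0.2.10"],
                                "mail.example.net": ["192.0.2.20"]}
FAKE_PTR: Dict[str, str] = {"192.0.2.10": "mail.example.org",
                            "192.0.2.20": "dsl-pool-20.isp.example"}

def fake_forward(hostname: str) -> List[str]:
    if hostname not in FAKE_A:
        raise OSError("NXDOMAIN")
    return FAKE_A[hostname]

def fake_reverse(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise OSError("NXDOMAIN")
    return FAKE_PTR[ip]

if __name__ == "__main__":
    for host, ip in [("mail.example.org", "192.0.2.10"),     # both zones agree
                     ("mail.example.net", "192.0.2.20"),     # PTR points elsewhere
                     ("mail.example.com", "192.0.2.30")]:    # no A record at all
        print(host, ip, check_fcrdns(host, ip, fake_forward, fake_reverse))
```

Run `check_fcrdns("your.mail.host", "your.ip")` with the default resolvers to test a real server; a PTR that points to a generic provider name (the second constructed case) is exactly what many receivers score as spam.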
Sometimes this is not enough: if your server's IP address has accidentally or deliberately ended up on a spam blacklist, you will have to sort that out yourself... Now let's talk about our protection.
Postfix has a configuration file, main.cf, in which we will register our additional spam checks. These settings are added to the existing blocks.
Let's start:
1. This parameter makes the server accept mail only from well-behaved servers. Many spammers do not bother to send the HELO command.

    smtpd_helo_required = yes

2. This section sets the rules for accepting mail by our server.

    smtpd_recipient_restrictions =

Allows clients authenticated by login and password (if you do not have SSL configured, remove this parameter, otherwise your users' logins and passwords will travel in the clear).

        permit_sasl_authenticated,

Tells Postfix to accept mail from specific IP addresses (as I said before, there are servers that are not registered in the forward/reverse zones and either do not want to be, or there is nobody to register them). Do not forget to run "postmap /etc/postfix/access" after adding the IP addresses, otherwise Postfix will not process the file.

        check_client_access hash:/etc/postfix/access,

Sometimes there are users who want to receive spam... :)
This rule points to a file with the mailbox addresses for which we accept mail regardless. Do not forget about postmap.

        check_recipient_access hash:/etc/postfix/recipient_access,

If the hostname of the sending server is invalid, we say "goodbye!"

        reject_invalid_hostname,

If the hostname of the sending server is not a fully qualified domain name (FQDN), we reject it.

        reject_non_fqdn_hostname,

If the sender address is not in FQDN form, we reject.

        reject_non_fqdn_sender,

If the recipient address is not in FQDN form, we reject.

        reject_non_fqdn_recipient,

We check the sender's domain for A and MX records in DNS; if there are none, we reject.

        reject_unknown_sender_domain,

The Postfix documentation describes this as blocking mail for non-existent domains.

        reject_unknown_recipient_domain,

We accept mail from the addresses listed in the mynetworks parameter (there you specify the addresses of your users and mail servers).

        permit_mynetworks,

Protection against clients that send SMTP commands in a batch before finding out whether Postfix supports pipelining.

        reject_unauth_pipelining,

This rule rejects mail unless one of two conditions is met; they are described in the Postfix documentation and are rather hard to put in a nutshell.

        reject_unauth_destination,

Below are the rules that check the hosts (mailers sending to us) against blacklists (DNSBLs). This list has been working for me for about a year; periodically I clean out the dead ones or add a new one.

        reject_rbl_client zombie.dnsbl.sorbs.net,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client multihop.dsbl.org,
        reject_rbl_client work.rsbs.express.ru,
        reject_rbl_client dnsbl.sorbs.net,

And for dessert, the check with PostGrey.
Let us dwell on this rule in more detail. Postgrey is a service that checks mail servers against a greylist that it maintains itself.
The principle is as follows: a mailer knocks on our door, postgrey looks in its list and does not find the knocking server there. It then puts the server on the greylist and tells it "the service is temporarily unavailable, you are greylisted, try again later."
Next, one of the following happens:
- if the mailer is a good one, it will resend the letter (in that case postgrey lets it through, and after 5 letters received from that server it adds it to the whitelist);
- if it is a spammer, in 99.9% of cases it will not try again (in that case the spam does not arrive and the connection is dropped);
- if the spammer is persistent, postgrey will blacklist it, because postgrey uses a 5-minute delay: if the knocker comes back within that time, it is sent away and recorded in the blacklist.
You may ask: "Is it normal for letters to be delayed?"
The answer: "It is normal, because postgrey works according to the RFC. If the server is clean, the letter will arrive on the second attempt, and after the 5th letter the server goes onto the whitelist."
You can also add obviously clean mailers yourself, simply by writing them into the file.
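The greylisting cycle described above, as an added model written for this edit (it is not postgrey's code): a triplet of client IP, envelope sender and recipient is deferred with a temporary error on first contact, passed once the delay has elapsed, and a client that has passed enough messages is whitelisted automatically. The 300-second delay and the threshold of 5 match postgrey's defaults; matching whitelisted clients by IP rather than by hostname is a simplification of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Triplet = Tuple[str, str, str]   # (client IP, envelope sender, recipient)

@dataclass
class Greylist:
    """Constructed model of greylisting (postgrey keeps this state in its own
    database; this class only mirrors the decisions described in the text)."""
    delay: int = 300                 # seconds a new triplet must wait
    whitelist_after: int = 5         # passed messages before auto-whitelisting
    first_seen: Dict[Triplet, float] = field(default_factory=dict)
    passed: Dict[str, int] = field(default_factory=dict)      # per client IP
    whitelist_clients: Set[str] = field(default_factory=set)  # trusted clients

    def check(self, client_ip: str, sender: str, recipient: str,
              now: float) -> str:
        """Policy answer Postfix acts on: 'DUNNO' continues the restriction
        list, 'DEFER_IF_PERMIT ...' is a temporary (4xx) rejection."""
        if client_ip in self.whitelist_clients:
            return "DUNNO"
        key = (client_ip, sender, recipient)
        seen = self.first_seen.get(key)
        if seen is None:
            self.first_seen[key] = now           # remember the first attempt
            return "DEFER_IF_PERMIT Greylisted, try again later"
        if now - seen < self.delay:
            # retrying too early does not reset the clock; keep deferring
            return "DEFER_IF_PERMIT Greylisted, try again later"
        self.passed[client_ip] = self.passed.get(client_ip, 0) + 1
        if self.passed[client_ip] >= self.whitelist_after:
            self.whitelist_clients.add(client_ip)  # no more delays from here
        return "DUNNO"

def demo() -> Dict[str, str]:
    """Constructed scenario: a proper MTA retries after the delay, a spammer
    sends once and never returns."""
    g = Greylist()
    good = ("192.0.2.10", "alice@example.net", "bob@example.org")
    spam = ("203.0.113.9", "promo@example.com", "bob@example.org")
    return {
        "good_first": g.check(*good, now=0),
        "good_too_early": g.check(*good, now=120),
        "good_retry": g.check(*good, now=600),
        "spam_first": g.check(*spam, now=0),
    }
```

The model also shows why a legitimate sender is only delayed once per triplet: after the first pass the stored timestamp is old enough that every later message with the same triplet goes straight through.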
Installation (I have Fedora 9) is simple:

    # yum install postgrey

Setting it up is even easier:
postgrey_whitelist_clients is a file with mailers from which we always accept mail;
postgrey_whitelist_recipients is a file with recipients for whom we always accept mail.
In the postgrey_whitelist_clients file it is advisable to delete all the entries: they are generated by the developer and, frankly, we do not need them. Add only the mailers you trust.
I initially added these:

    mail.ru
    yandex.ru
    rambler.ru
    gmail.com
    beeline.ru
    post.ru
    pochta.ru
    hotmail.com
    hotmail.ru
    yahoo.com
    hotbox.ru
    masterhost.ru
    nic.ru
    list.ru
    bk.ru
    inbox.ru
    job.ru

It only remains to start postgrey as a service:

    # chkconfig postgrey on
    # service postgrey start

Later, if users have problems, you can add other servers to this file.
        check_policy_service unix:postgrey/socket,

If the mail server has passed all the checks, then you are welcome!

        permit

3. This block checks the DATA stage of the SMTP session. It is a fairly standard block; if you want to learn about the rules in it, see the Postfix documentation.

    smtpd_data_restrictions =
        reject_unauth_pipelining,
        reject_multi_recipient_bounce,
        permit

4. This block (as you have guessed) checks outgoing mail, that is, mail sent through us.
I will not dwell on the rules already described; I will describe only the unfamiliar ones.

    smtpd_sender_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        check_client_access hash:/etc/postfix/access,
        check_recipient_access hash:/etc/postfix/recipient_access,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,

The rule that checks that the client's IP address and its hostname match each other.

        reject_unknown_client_hostname,
        reject_unknown_sender_domain,
        reject_unknown_hostname,
        reject_rbl_client zombie.dnsbl.sorbs.net,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client multihop.dsbl.org,
        reject_rbl_client work.rsbs.express.ru,
        reject_rbl_client dnsbl.sorbs.net,
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        permit

Here, as you can see, there is no check via Postgrey: it is not needed, otherwise you would not be able to send mail.
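Postfix evaluates a restriction list like the ones in sections 2 and 4 top to bottom and stops at the first rule that permits or rejects, so the order matters: a client matched by check_client_access is never tested against the DNSBLs below it, and reject_unauth_destination is the rule that keeps the server from being an open relay for clients outside mynetworks. The following is an added simulator of that first-match logic (written for this edit, not Postfix code) over a subset of the article's recipient restrictions; mynetworks, the hosted domain, the access table and the DNSBL answers are constructed data, not real lookups.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

@dataclass
class Session:
    """What Postfix knows about one client when the restrictions run (a
    constructed model for illustration, not Postfix's own data structures)."""
    client_ip: str
    recipient: str = ""
    sasl_authenticated: bool = False

# Constructed site data: mynetworks, the domains we host, the contents of
# /etc/postfix/access, and canned DNSBL answers in place of real lookups.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]
MYDESTINATION = {"example.org"}
ACCESS_TABLE = {"198.51.100.7": "OK"}
DNSBL_LISTED = {"zen.spamhaus.org": {"203.0.113.9", "198.51.100.7"}}

def evaluate(restrictions: List[str], s: Session) -> str:
    """Walk the list in order; the first restriction that decides wins."""
    for r in restrictions:
        name, _, arg = r.partition(" ")
        if name == "permit":
            return "permit"
        if name == "permit_sasl_authenticated" and s.sasl_authenticated:
            return "permit"
        if name == "permit_mynetworks" and any(
                ip_address(s.client_ip) in net for net in MYNETWORKS):
            return "permit"
        if name == "check_client_access" and ACCESS_TABLE.get(s.client_ip) == "OK":
            return "permit"
        if name == "reject_rbl_client" and s.client_ip in DNSBL_LISTED.get(arg, ()):
            return f"reject: client listed in {arg}"
        if (name == "reject_unauth_destination"
                and s.recipient.rpartition("@")[2] not in MYDESTINATION):
            return "reject: relay access denied"
    return "dunno"   # list exhausted without a decision

# A subset of the article's smtpd_recipient_restrictions, in the article's order.
RECIPIENT_RESTRICTIONS = [
    "permit_sasl_authenticated", "check_client_access hash:/etc/postfix/access",
    "permit_mynetworks", "reject_unauth_destination",
    "reject_rbl_client zen.spamhaus.org", "permit"]

def is_open_relay(restrictions: List[str]) -> bool:
    """True if an unknown outside client may send to a domain we do not host."""
    probe = Session("203.0.113.50", recipient="victim@elsewhere.example")
    return evaluate(restrictions, probe) == "permit"
```

`is_open_relay(RECIPIENT_RESTRICTIONS)` is False, and it becomes True as soon as reject_unauth_destination is dropped from the list, which is the check worth repeating after every edit of main.cf.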
This configuration has helped me and still does:
After the mail server was set up, the total number of attempts to send mail to my domain was 150,000 per day; every week this number falls as the rules develop (spammers are slowly forgetting my server). Today the number is about 15,000 per day. I am pleased with the result.
I hope this article helps many people get rid of pushy advertisers!
Good luck!
PS And do not forget to reload Postfix, or have it re-read its config, after all these manipulations.
PPS Don't be too hard on me, after all it is my first post.