Posts tagged dnswl

More robust Postfix anti-spam configuration

0

My last post included an updated Postfix main.cf that was better at blocking spam and minimizing false positives through the use of DNS white lists (DNSWLs), but after a few days it was still letting in more spam than I wanted. I did additional tweaking and the following seems to work better, while still preventing false positives.

The main changes included specifying the following additional Postfix restrictions:

  • smtpd_sender_restrictions
  • smtpd_helo_restrictions
  • smtpd_data_restrictions
smtpd_helo_restrictions =
	reject_unknown_helo_hostname

smtpd_data_restrictions =
	reject_unauth_pipelining

smtpd_client_restrictions =
	permit_dnswl_client list.dnswl.org,
	reject_rbl_client b.barracudacentral.org,
	reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,

smtpd_sender_restrictions =
	reject_unknown_sender_domain,
	reject_unknown_address,
	reject_rhsbl_sender dsn.rfc-ignorant.org,
	reject_rhsbl_reverse_client dbl.spamhaus.org,
	reject_rbl_client b.barracudacentral.org,

smtpd_recipient_restrictions =
	permit_mynetworks,
	reject_invalid_hostname,
	reject_non_fqdn_sender,
	reject_non_fqdn_recipient,
	reject_unknown_sender_domain,
	reject_unknown_recipient_domain,
	reject_unauth_destination,
	permit_dnswl_client list.dnswl.org,

	reject_rhsbl_reverse_client dbl.spamhaus.org,
	reject_rhsbl_sender dbl.spamhaus.org,
	reject_rhsbl_client dbl.spamhaus.org,
	reject_rhsbl_sender fresh15.spameatingmonkey.net,
	reject_rhsbl_client fresh15.spameatingmonkey.net,
	reject_rhsbl_sender uribl.spameatingmonkey.net,
	reject_rhsbl_client uribl.spameatingmonkey.net,
	reject_rhsbl_sender urired.spameatingmonkey.net,
	reject_rhsbl_client urired.spameatingmonkey.net,
	reject_rhsbl_client hostkarma.junkemailfilter.com=127.0.0.2,

	reject_rbl_client b.barracudacentral.org,
	reject_rbl_client zen.spamhaus.org,
	reject_rbl_client bl.spameatingmonkey.net,
	reject_rbl_client bl.spamcop.net,
	reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
	reject_rbl_client dnsbl.njabl.org,
	reject_rbl_client bl.tiopan.com,
	reject_rbl_client spamsources.fabel.dk,
	reject_rbl_client truncate.gbudb.net,
	reject_rbl_client ubl.unsubscore.com,
	reject_rbl_client aspews.ext.sorbs.net,
	reject_rbl_client dnsbl.sorbs.net,
	reject_rbl_client backscatter.spameatingmonkey.net,
	reject_rbl_client bl.spameatingmonkey.net,

	permit

12/1/2012 update: I removed reject_rhsbl_sender dsn.rfc-ignorant.org since it is no longer up as of 11/30/2012

Using DNS whitelists in Postfix

4

Update 7/21/2011: I’ve tweaked my main.cf config more recently that provided better results. I will have a follow-up post with the changes and additions.

In an earlier post several years back, I wrote about using DNS blacklists (DNSBLs) in postfix to block unwanted spam from hitting my inbox, and in the last week I tweaked it a bit to include DNS whitelists (DNSWLs). I was discovering that some of the DNSBLs were blocking a small portion of legitimate email from coming through (eg. blocking entire IP ranges for webmail providers).

You need Postfix 2.8 or higher (I was on 2.3.3 so I had to download and compile the latest, 2.8.3), which has a new configuration parameter which added support for querying a DNSWL like a DNSBL:

permit_dnswl_client dnswl_domain=d.d.d.d

The relevant portion of my updated Postfix main.cf is below (note permit_dnswl_client is inserted before any of the reject_rbl* parameters). The DNSWL queries are processed first before the DNSBLs, so it should allow legitimate IPs through and reduce the amount of false positives vs just using the DNSBLs alone.

smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        permit_dnswl_client list.dnswl.org,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spameatingmonkey.net,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client bl.tiopan.com,
        reject_rbl_client spamsources.fabel.dk,
        reject_rbl_client truncate.gbudb.net,
        reject_rbl_client ubl.unsubscore.com,
        reject_rbl_client aspews.ext.sorbs.net,
        reject_rbl_client dnsbl.sorbs.net,
        reject_rbl_client backscatter.spameatingmonkey.net,
        reject_rbl_client bl.spameatingmonkey.net,
        reject_rhsbl_sender fresh15.spameatingmonkey.net,
        reject_rhsbl_client fresh15.spameatingmonkey.net,
        reject_rhsbl_sender uribl.spameatingmonkey.net,
        reject_rhsbl_client uribl.spameatingmonkey.net,
        reject_rhsbl_sender urired.spameatingmonkey.net,
        reject_rhsbl_client urired.spameatingmonkey.net,
        reject_rbl_client dnsbl.inps.de,
        reject_rbl_client DDNSBL.InternetDefenseSystems.com,
        permit

After watching the logs for the last couple days, this setup seems to work quite well…only 1 piece of spam slipped through, and more importantly, no false positives! I should also note that I stopped using spamassassin a while back and just these settings in postfix seems to block almost all legitimate spam coming into my server while not generating false positives.

BTW, if you want to tail your maillog from the command line in realtime and see the rejects in a more readable format, this short one liner will work:

$ tail -f /var/log/mail.log | sed -r -n 's/^(.*) \S+ postfix\/.* blocked using ([^;]+).*; from=<(\S+)> to=<(\S+)> proto=.* helo=.*>$/\1 - \2 - \3 - \4/p'

it will output in the format TIMESTAMP – DNSBL – FROM ADDRESS – TO ADDRESS

Go to Top