Protecting mail server users from spammers are a few steps that will help you send spammers away

Hello, Khabrovsk citizens!

I want to contribute to the overall history of the fight against spammers.
All of you perfectly know (felt) how disgusting it is when your mailbox is littered with a bunch of letters containing all kinds of junk, and in a simple spam . I'm not talking about free services, I'm talking about corporate mail.

Probably many have come across the fact that your IT department employees could not cope with this task or did it, but at the same time the mail stopped coming to you at all.

I can say one thing - "When setting up the protection of your server from spam, be a hundred times more careful than with a baby!" - otherwise you will get very interesting results ... :)

I’ll tell you about the important settings of the mail server to significantly reduce the amount of incoming spam. Why am I talking about "reduction"?
The answer is obvious - it is impossible to protect the mail server 100% from spam due to non-stop spammers - every day they try to come up with new ways to bypass our defenses.

I will consider these recommendations based on a Linux server with postfix installed.
In this case, which Linux distribution you have is not important.

Every self-respecting IT person who set up the mail server knows about the forward and reverse zones.
I still sometimes encounter mail servers that are not registered in these zones. In almost 99% of cases, such servers will be considered spammer. Why?
Because the most common way to send spam is to send from non-existing servers and, therefore, not registered in DNS. To prevent your server from being considered spammer, you need to do two things:
1. In the direct DNS zone, specify the IP address of your mail server. You can serve the direct zone yourself, your hosting provider or Internet service provider.
2. In the reverse DNS zone, you must also register your mail server. In this case, you must ask for such an entry from your Internet service provider (a written request is sufficient).

If you have these two conditions met, then in 99% of cases your mail server will not be considered spam.
Sometimes this is not so - if your server IP address accidentally or intentionally fell into the black list of spam lists, you will have to deal with it on your own ...

Now let's talk about our protection.
Posfix has a configuration settings file, in which we will write our additional spam checks. The file is called main.cf. We will add these settings to existing blocks.

Let's start:
1. This parameter forces the server to accept mail only from "greeting" servers. Many spammers do not like to forward the string “helo”
smtpd_helo_required = yes

2. This section discusses the rules for receiving mail with our server
smtpd_recipient_restrictions =

The parameter that allows authentication by login-password (if SSL is not configured for you - remove this parameter, otherwise the usernames and passwords of your users will go in “clear”)
permit_sasl_authenticated,

The parameter tells postfix to receive mail from specific ip addresses (as I said before - there are servers that are not registered in the forward / reverse zones and do not want to register them or no one). Do not forget to add the command " #postmap / etc / postfix / access " after adding ip-addresses , otherwise postfix will not process the
check_client_access hash file : / etc / postfix / access,

Sometimes there are users who want to receive spam ... :)
This rule points to a file that contains the addresses of mailboxes to which we will receive mail in any way. Do not forget about postmap.
check_recipient_access hash: / etc / postfix / recipient_access,

If the server name of the sending side is not correct - say "goodbye!"
reject_invalid_hostname,

if the server name of the sending party does not match the FQDN - shoot such
reject_non_fqdn_hostname,

if the sender name does not match the FQDN - shoot
reject_non_fqdn_sender,

if the recipient name does not match the FQDN - we shoot
reject_non_fqdn_recipient

if there is no DNS, then check the domain , then check if there is no MX domain , then check we shoot
reject_unknown_sender_domain,

In the postfix documentation it says “blocks mail from non-existent domains”
reject_unknown_recipient_domain,

we Allow you to receive letters from the addresses listed in the mynetworks parameter (specify the addresses of your users, mail servers in this parameter)
permit_mynetworks,

Protection from sending smtp commands until clarification, whether such commands support postfix
reject_unauth_pipelining.

This rule shoots letters until one of the two conditions is fulfilled, see here . It is difficult enough in a nutshell to translate these conditions.
reject_unauth_destination,

The following are the rules for checking hosts (mailers who send us mail) for their contents in black lists. This list has been working for me for about a year now, periodically removing the dead or adding a new
reject_rbl_client zombie.dnsbl.sorbs.net,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client multihop.dsbl.org ,
reject_rbl_client work.rsbs.express.ru,
reject_rbl_client dnsbl.sorbs.net,

And for a snack we do a check using PostGrey .
Let us dwell on this rule in more detail. This utility is a service for checking mail servers through gray lists that it maintains.
The principle of operation is as follows - the mailer is knocking to visit us, postgrey looks at his list and does not find a knocking server there. Then he puts this server in the gray list, and tells the banging server that "the service is not yet available, you are in the gray list, try again later."

Then the following happens:
- if the mailer is good, then it will resend the letter (in this case, postgrey will skip it, and after 5 letters received from this server, it will be whitelisted).
- if a spammer, then he, in 99.9%, will not re-break and send a letter (in this case, spam will not come, and the link will be killed)
- if the spammer is persistent, then postgrey will blacklist it, as postgrey uses a delay of 5 minutes. If during this time the knocking person rushes to visit us, they will send him away and put him on the black list.

You can ask a question: “Is it normal that letters can go with a delay?”
Answer: “Fine, since posgrey is based on RFC. If the server is clean, then on the second attempt the letter will come, and after the 5th letter it will go to the white sheet. ”
It is also possible to add explicitly clean mailers - just register them in a file.

Installation (I have Fedora 9) is simple - #yum install postgrey The

configuration is even simpler:
postgrey_whitelist_clients - a file indicating the mailers from whom we always receive mail
postgrey_whitelist_recipients - file indicating recipients for whom we always accept mail

In the postgrey_whitelist_clients file, it is desirable to kill all the records, they are generated by the developer and, frankly, we do not need them. Add only those mailers you trust.

At the initial stage, I added these:
mail.ru
yandex.ru
rambler.ru
gmail.com
beeline.ru
post.ru
pochta.ru
hotmail.com
hotmail.ru
yahoo.com
hotbox.ru
masterhost.ru
nic.ru
list.ru
bk.ru
inbox.ru
job.ru

It remains only to run postgrey as a service:
# chkconfig postgrey on
# service postgrey start

next, if users have problems, you can add other servers to this file.
check_policy_service unix: postgrey / socket,

If the mail server has passed all the checks, then you are welcome!
permit

3. This block is for checking the SMTP DATA section of commands. Typically, a building block, if you want
to know about the rules in this block, you here
smtpd_data_restrictions =
reject_unauth_pipelining,
reject_multi_recipient_bounce,
the permit

4. This block is (you guessed it) to check for outgoing mail, or sent over email us.
I will not dwell on the rules already described - I will describe the unfamiliar.
= smtpd_sender_restrictions
permit_sasl_authenticated,
permit_mynetworks,
check_client_access hash: / etc / postfix / access,
check_recipient_access hash: / etc / postfix / recipient_access,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,

rule compliance checking ip and the name of the client
reject_unknown_client_hostname,

reject_unknown_sender_domain,
reject_unknown_hostname,
reject_rbl_client zombie.dnsbl. sorbs.net,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client multihop.dsbl.org,
reject_rbl_client work.rsbs.express.ru,
reject_rbl_client dnsbl.sorbs.net,
reject_rhsbl_sender dsn.rfc-ignorant.org
permit

Here, as you can see, there is no check using Postgrey - it is not needed. Otherwise, you will not be able to send mail.

This configuration has helped and still helps me:
After installing the mail server, the total number of attempts to send an email to my domain is 150,000 per day, this number decreases every week due to the development of the rules (my server is slowly forgotten by spammers). To date, this number is already about 15,000 per day. I am pleased with the result.

I hope that this article will help many people to avoid intrusive people with advertising!

Good luck

PS And do not forget to reload postfix or re-read its config after all the manipulations.
PPS Do not hit hard - still the first post