7 Effective Tips for Blocking Email Spam with Postfix

SMTP Server
linuxbabe.com/mail-server/block-email-spam-postfix

September 24, 2018

Last Updated: June 5, 2020 Xiao Guoan (Admin)

63 Comments
Mail Server
In this tutorial, I’d like to share with you my 7 tips for blocking email spam with Postfix
SMTP server. Over the last four years of running my own email server, I received lots of
spam, aka unsolicited commercial email, most of which came from China and Russia.
Spam exists because it’s so cheap to send a large volume of emails on the Internet.
Postfix allows you to block spam before they get into your mailbox, so you can save
bandwidth and disk space. This post is the result of my experience in fighting spam.

Note: If you plan to run your own mail server, I recommend using iRedmail, which
really simplifies the process of setting up a mail server. It also ships with anti-spam
rules. If you prefer to set up a mail server from scratch, then check out my mail server
tutorial series.

Characteristics of Spam
Below is what I found about email spam. These spam are easy to block.

1. Their IP addresses don’t have PTR records.

2. The spammer doesn’t provide valid hostname in HELO/EHLO clause.
3. They spoof MAIL FROM address.
4. They generally don’t re-send email after a failed email delivery.

Legitimate email servers should never have these characteristics. So here comes my 7
tips, which will block 90% of spam.

Fact: Around 93%~95% of emails in the world are rejected at the SMTP gateway, never
landed in the inbox or spam folder.

Tip #1: Reject Email if SMTP Client Has no PTR record

PTR record maps an IP address to a domain name. It’s the counterpart to A record. On
Linux, you can query the domain name associated with an IP address by executing the
following command:

host <IP address>

For example, the following command returns the hostname of Google’s mail server.

1/46
host 209.85.217.172

Output:

172.217.85.209.in-addr.arpa domain name pointer mail-ua0-f172.google.com.

Due to the prevalence of spam, many mail servers (such as gmx.com, gmx.net,
facebook.com) require that SMTP clients have valid PTR records associated with their
IP addresses. Every mail server admin should set PTR record for their SMTP servers. If
the SMTP client has a PTR record, you can find a line in Postfix log like below.

connect from mail-ua0-f172.google.com[209.85.217.172]

If the SMTP client doesn’t have a PTR record, then the hostname will be identified as
unknown .

connect from unknown[120.41.196.220]

To filter out emails with no PTR records, open Postfix main configuration file.

sudo nano /etc/postfix/main.cf

Add the following line in smtpd_sender_restrictions . This directive rejects an email if

the client IP address has no PTR record.

reject_unknown_reverse_client_hostname

Example:

smtpd_sender_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unknown_reverse_client_hostname

Save and close the file. Then restart Postfix for the change to take effect.

sudo systemctl restart postfix

Tip #2: Enable HELO/EHLO Hostname Restrictions in Postfix

Some spammers don’t provide a valid HELO/EHLO hostname in the SMTP dialog. They
can be non-fully qualified domain name, or a domain name doesn’t exist or only for an
internal network. For example, a spammer using an Amazon EC2 instance to send spam
is logged on my server as follows:

Aug 16 04:21:13 email postfix/smtpd[7070]: connect from ec2-54-237-201-103.compute-

1.amazonaws.com[54.237.201.103]
Aug 16 04:21:13 email policyd-spf[7074]: prepend Received-SPF: None (mailfrom)
identity=mailfrom; client-ip=54.237.201.103; helo=ip-172-30-0-149.ec2.internal; envelope-
[email protected]; receiver=<UNKNOWN>

2/46
As you can see, the HELO hostname is ip-172-30-0-149.ec2.internal , which is only
valid in AWS internal network. It has no valid A record nor MX record.

To enable HELO/EHLO hostname restriction, edit Postfix main configuration file.

sudo nano /etc/postfix/main.cf

First, add the following line to require the client to provide a HELO/EHLO hostname.

smtpd_helo_required = yes

Then add the following 3 lines to enable smtpd_helo_restrictions .

smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated

Use the following line to reject clients who provide malformed HELO/EHLO hostname.

reject_invalid_helo_hostname

Use the following line to reject non-fully qualified HELO/EHLO hostname.

reject_non_fqdn_helo_hostname

To reject email when the HELO/EHLO hostname has neither DNS A record nor MX
record, use

reject_unknown_helo_hostname

Like this:

smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname

Save and close the file. Then reload Postfix.

sudo systemctl reload postfix

Note that although most legitimate mail servers have valid A record for the
HELO/EHLO hostname, occasionally a legitimate mail server doesn’t meet this
requirement. You need to whitelist them with check_helo_access .

3/46
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
check_helo_access hash:/etc/postfix/helo_access
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname

Then you need to create the /etc/postfix/helo_access file.

sudo nano /etc/postfix/helo_access

Whitelist legitimate mail server’s HELO/EHLO hostname like below.

optimus-webapi-prod-2.localdomain OK
va-massmail-02.rakutenmarketing.com OK

It’s likely that you don’t know which hostnames to whitelist, then simply copy the above
two lines, which is the only lines in my helo_access file. You can always add more
hostnames later. Save and close the file. Then run the following command to create the
/etc/postfix/helo_access.db file.

sudo postmap /etc/postfix/helo_access

And reload Postfix.

sudo systemctl reload postfix

Tip #3: Reject Email if SMTP Client Hostname doesn’t have valid
A Record
A legitimate email server should also have a valid A record for its hostname. The IP
address returned from A record should match the IP address of email server. To filter
out emails from hosts that don’t have valid A record, edit Postfix main configuration file.

sudo nano /etc/postfix/main.cf

Add the following two lines in smtpd_sender_restrictions .

reject_unknown_reverse_client_hostname
reject_unknown_client_hostname

Example:

smtpd_sender_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unknown_reverse_client_hostname
reject_unknown_client_hostname

Save and close the file. Then restart Postfix for the change to take effect.
4/46
sudo systemctl restart postfix

Note that reject_unknown_client_hostname does not require HELO from SMTP client.
It will fetch the hostname from PTR record, then check the A record.

Tip #4: Reject Email If MAIL FROM Domain Has Neither MX

Record Nor A Record
The MAIL FROM address is also known as envelope from address. Some spammers
use a non-existent domain in the MAIL FROM address. If a domain name has no MX
record, Postfix will find the A record of the main domain and send email to that host. If
the sender domain has neither MX record nor A record, Postfix can’t send email to that
domain. So why not reject emails that you can’t reply to?

To filter out this kind of spam, edit Postfix main configuration file.

sudo nano /etc/postfix/main.cf

Add the following line in smtpd_sender_restrictions . It will reject email if the domain
name of the address supplied with the MAIL FROM command has neither MX record
nor A record.

reject_unknown_sender_domain

Example:

smtpd_sender_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unknown_sender_domain
reject_unknown_reverse_client_hostname
reject_unknown_client_hostname

Save and close the file. Then restart Postfix for the change to take effect.

sudo systemctl restart postfix

Note that I placed this restriction above other reject restrictions. From my experience,
if it is below other reject restrictions, it won’t work. (Maybe this only happens on my
email server.)

Tip #5: Enable Greylisting in Postfix

As required by the SMTP protocol, any legitimate SMTP client must be able to re-send
email if delivery fails. (By default, Postfix is configured to resend failed emails many
times before it informs the sender that the message could not be delivered.) Many
spammers usually just send once and would not retry.

5/46
Postgrey is a greylisting policy server for Postfix. Debian and Ubuntu users can install
postgrey from the default repository.

sudo apt install postgrey

CentOS/RHEL users can install it from EPEL repository.

sudo dnf install epel-release

sudo dnf install postgrey

Once it’s installed, start it with systemctl.

sudo systemctl start postgrey

Enable auto-start at boot time.

sudo systemctl enable postgrey

On Debian and Ubuntu, it listens on TCP port 10023 on localhost (both IPv4 and IPv6).

sudo netstat -lnpt | grep postgrey

On CentOS/RHEL, Postgrey listens on a Unix socket

( /var/spool/postfix/postgrey/socket ).

Next, we need to edit Postfix main configuration file to make it use the greylisting policy
server.

sudo nano /etc/postfix/main.cf

Add the following line in smtpd_recipient_restrictions if you are using Debian or

Ubuntu.

check_policy_service inet:127.0.0.1:10023

If you use CentOS/RHEL, you need to add the following line instead.

check_policy_service unix:/var/spool/postfix/postgrey/socket

In case you don’t know, the directive check_policy_service unix:private/policyd-spf in

the above screenshot will make Postfix check SPF record on the sender’s domain. This
6/46
directive requires you to install and configure the postfix-policyd-spf-python package.

Save and close the file. Then restart Postfix.

sudo systemctl restart postfix

From now on, Postgrey will reject an email if the sender triplet (sender IP address,
sender email address, recipient email address) is new. The following log message in
/var/log/mail.log shows a new sender triplet. The action “ greylist ” means this email
message was rejected.

postgrey[1016]: action=greylist, reason=new, client_name=unknown,

client_address=117.90.24.148/32, [email protected],
[email protected]

From my experience, Chinese email spammers like to use a fake, weird-looking and
randomly generated sender address for every email, so adding these fake email
addresses to blacklist won’t stop them. On the other hand, they never try re-sending a
rejected email with the same sender address, which means greylisting can be very
effective at stopping this kind of spam.

Fixing Error on Debian & Ubuntu

If you see the following error in mail log ( /var/log/mail.log )

warning: connect to 127.0.0.1:10023: Connection refused

warning: problem talking to server 127.0.0.1:10023: Connection refused

The problem is that postgrey is not running. You need to specify 127.0.0.1 as the
listening address in /etc/default/postgrey file. So change the following line

POSTGREY_OPTS="--inet=10023"

to

POSTGREY_OPTS="--inet=127.0.0.1:10023"

Then restart postgrey.

sudo systemctl restart postgrey

Check if it’s listening:

sudo netstat -lnpt | grep 10023

How to Minimize Bad User Experience

Greylisting can result in bad experience for the end user, as the user has to wait another
several minute for the email to arrive. To minimize this bad experience, you can create a
whitelist, and use a second MX record that points to the same host.

7/46
Whitelist
Postgrey ships with two whitelist files ( /etc/postgrey/whitelist_clients and
/etc/postgrey/whitelist_recipients ). The former contains a list of hostnames and the
latter contains a list of recipient addresses.

By default, Google’s mail servers are whitelisted. No matter the sender is using a
@gmail.com address or other address, as long as the sender is using Google’s mail
server, Postgrey won’t reject the email. The following line in my /var/log/mail.log file
shows this.

postgrey[1032]: action=pass, reason=client whitelist, client_name=mail-yb0-f190.google.com

Note: You can also see postgrey logs with this command sudo journalctl -u postgrey .

You can add other hostnames in /etc/postgrey/whitelist_clients file, like

You can get these hostnames with a tool called pflogsumm , which I will discuss later in
this article. Save and close the file, the restart Postgrey.

sudo systemctl restart postgrey

Create Another MX Hostname with the Same IP Address

You can specify more than one MX record for your domain name like below.

Record Type Name Mail Server Priority

MX @ mail.yourdomain.com 0
MX @ mail2.yourdomain.com 5

The sender will try the first mail server (with priority 0). If mail.yourdomain.com rejects
email by greylisting, then the sender would immediately try the second mail server (with
priority 5).

If the two mail server hostnames have the same IP address, then when the sender tries
the second mail server hostname, the email will be accepted immediately (if all other
checks pass) and end users will not notice email delay caused by greylisting.

Note that this requires you to set a very small delay time like 1 second in
/etc/default/postgrey (Debian & Ubuntu) or /etc/sysconfig/postgrey
(CentOS/RHEL). The delay time tells the SMTP client how many seconds to wait before
sending again. If the delay time is not small enough, then the second email delivery
would still be rejected.

Debian/Ubuntu

POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=1"

CentOS/RHEL
8/46
OSTGREY_DELAY="--delay=1"

Restart Postgrey.

sudo systemctl restart postgrey

Also beware that not all mail servers would immediately try the second MX host.

Tip #6: Using Public Realtime Blacklists

There are spam emails that are sent from servers that has a valid hostname, valid PTR
record and can pass through grey listing. In this case, you can use blacklisting to reject
spam. There are many public realtime blacklists (RBL), also known as DNSBLs (DNS
based lists). By realtime it means that the list is always changing. An IP address or
domain name could be on the list today and off the list tomorrow, so you could get
different result depending on when you query the list.

You can use multiple blacklists to block spam. Go to https://www.debouncer.com and

mxtoolbox.com , enter the spammer’s domain and IP address to see which blacklists are
blocking them, then you can use those blacklists. For example, I found that spammers
are blacklisted by one of the following blacklists:

dbl.spamhaus.org
zen.spamhaus.org
multi.uribl.com
ivmURI
InvaluementURI

So I can add the following configurations in /etc/postfix/main.cf file. Some public

blacklisting service requires monthly fee. For now, I’m using the free service of
spamhaus.org.

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_policy_service unix:private/policyd-spf,
check_policy_service inet:127.0.0.1:10023,
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org

Where:

rhs stands for right hand side, i.e, the domain name.
reject_rhsbl_helo makes Postfix reject email when the client HELO or EHLO
hostname is blacklisted.

9/46
 reject_rhsbl_reverse_client : reject the email when the unverified reverse client
hostname is blacklisted. Postfix will fetch the client hostname from PTR record. If
the hostname is blacklisted, reject the email.
reject_rhsbl_sender makes Postfix reject email when the MAIL FROM domain is
blacklisted.
reject_rbl_client : This is an IP-based blacklist. When the client IP address is
backlisted, reject the email.

Some spammers use Google’s mail server, so reject_rhsbl_helo is ineffective, but most
of them use their own domain names in the MAIL FROM header, so
reject_rhsbl_sender will be effective.

Create A Whitelist
Sometimes there are legitimate email servers blacklisted. You can create a whitelist so
they won’t be blocked. Create the following file.

sudo nano /etc/postfix/rbl_override

In this file, whitelist domain names like below.

dripemail2.com OK //This domain belongs to drip.com

mlsend.com OK //This domain belongs to mailerlite email marketing service

Save and close the file. Then run the following command to create the rbl_override.db
file.

sudo postmap /etc/postfix/rbl_override

Edit Postfix main configuration file.

sudo nano /etc/postfix/main.cf

In smtpd_recipient_restrictions , add the following line.

check_client_access hash:/etc/postfix/rbl_override,

Like below. It should be place above other RBL checks.

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_policy_service unix:private/policyd-spf,
check_policy_service inet:127.0.0.1:10023,
check_client_access hash:/etc/postfix/rbl_override,
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org

Reload Postfix for the changes to take effect.

10/46
sudo systemctl reload postfix

Using Public Whitelist to Reduce False Positive

Maintaining a private whitelist is necessary sometimes, but you can also use public
whitelists, the most famous of which is dnswl.org. Currently, there is only a whitelist for
IP address. Domain name whitelist is in beta. To use it, put the following line in
smtpd_recipient_restrictions .

permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],

Like below. It should be placed above the reject_rbl_client check.

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_policy_service unix:private/policyd-spf,
check_policy_service inet:127.0.0.1:10023,
check_client_access hash:/etc/postfix/rbl_override,
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
reject_rbl_client zen.spamhaus.org

Another well-known whitelist is swl.spamhaus.org, so you can also add it to your

configuration.

permit_dnswl_client swl.spamhaus.org,

It’s impossible for an IP address to be listed in Spamhaus whitelist and blacklist at the
same time, so if you only use Spamhaus blacklist in Postfix, then it’s not necessary to
check against Spamhaus whitelist.

My Postfix Spam filters

Here’s a screenshot of my Postfix spam filters.

11/46
You might be wondering why there is no comma in the first two configuration snippets.
Well, you can separate values in Postfix configuration file with space, carriage return or
comma. If you add comma to one parameter ( smptd_recipient_restrictions as in the
above screenshot), then make sure all remaining values are separated with comma.

Postfix Log Report

Pflogsumm is a great tool to create a summary of Postfix logs. Install it on Ubuntu
with:

sudo apt install pflogsumm

On CentOS/RHEL, pflogsumm is provided by the postfix-perl-scripts package.

sudo dnf install postfix-perl-scripts

Use the following command to generate a report for today. (Note that on
CentOS/RHEL, the mail log file is /var/log/maillog .)

sudo pflogsumm -d today /var/log/mail.log

Generate a report for yesterday.

sudo pflogsumm -d yesterday /var/log/mail.log

If you like to generate a report for this week.

12/46
sudo pflogsumm /var/log/mail.log

To emit “problem” reports (bounces, defers, warnings, rejects) before “normal” stats,
use --problems-first flag.

sudo pflogsumm -d today /var/log/mail.log --problems-first

To append the email from address to each listing in the reject report, use --rej-add-
from flag.

sudo pflogsumm -d today /var/log/mail.log --rej-add-from

To show the full reason in reject summaries, use --verbose-msg-detail flag.

sudo pflogsumm -d today /var/log/mail.log --rej-add-from --verbose-msg-detail

You can add a cron job to make pflogsumm to send a report to your email address every
day.

sudo crontab -e

Add the following line, which will generate a report every day at 4:00 AM.

0 4 * * * /usr/sbin/pflogsumm -d yesterday /var/log/mail.log --problems-first --rej-add-from --

verbose-msg-detail -q

To receive the report via email, add the following line above all cron jobs.

MAILTO="your-email-address"

You should pay attention to the message reject detail section, where you can see for
what reason those emails are rejected and if there’s any false positives. Greylisting
rejections are safe to ignore.

If the MAILTO variable has already been set but you want Postfix log summary sent to a
different email address, you can put the following line in your Cron job.

0 4 * * * /usr/sbin/pflogsumm -d yesterday /var/log/mail.log --problems-first --rej-add-from --

verbose-msg-detail -q | mutt -s "Postfix log summary" your-email-address

13/46
The output of pflogsumm command is redirected to mutt , a command line mail user
agent, which will use the output as the email body and send it to the email address you
specify at the end. Of course, you need to install mutt on your Linux server.

sudo apt install mutt

or

sudo dnf install mutt

Tip #7: Set Up OpenDMARC to Reject Emails That Fail DMARC

Check
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an
Internet standard that allows domain owners to prevent their domain names from being
used by email spoofers. Please read one of the following guide to set up OpenDMARC.

Set Up OpenDMARC with Postfix on Ubuntu to Block Email Spoofing

Set Up OpenDMARC with Postfix on CentOS/RHEL to Block Email Spoofing

Don’t be an Open Relay

Mail servers that forward mail on behalf of anyone towards any destination is called
open relay. In the beginning, this is a good thing. As time went by, open relays are
abused by spammers and now open relays are often blacklisted. The following line in
/etc/postfix/main.cf file prevents your email server from being an open relay.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated

defer_unauth_destination

This line tells Postfix to forward email only from clients in trusted networks, from
clients that have authenticated with SASL, or to domains that are configured as
authorized relay destinations. It should be already in the main configuration file after
you install Postfix.

How to Stop SMTP AUTH Flood from Spammers

After some time, the spammer knew that he cannot get through my spam filter. This bad
actor started flooding my email server with SMTP AUTH connections. In my
/var/log/mail.log file, I can find the following messages.

14/46
Dec 14 09:58:37 email postfix/smtpd[22095]: connect from unknown[117.86.35.119]
Dec 14 09:58:37 email postfix/smtpd[22119]: lost connection after AUTH from
unknown[114.232.141.99]
Dec 14 09:58:37 email postfix/smtpd[22119]: disconnect from unknown[114.232.141.99]
ehlo=1 auth=0/1 commands=1/2
Dec 14 09:58:37 email postfix/smtpd[22119]: connect from unknown[180.120.191.91]
Dec 14 09:58:38 email postfix/smtpd[22095]: lost connection after AUTH from
unknown[117.86.35.119]
Dec 14 09:58:38 email postfix/smtpd[22095]: disconnect from unknown[117.86.35.119]
ehlo=1 auth=0/1 commands=1/2
Dec 14 09:58:38 email postfix/smtpd[22119]: lost connection after AUTH from
unknown[180.120.191.91]
Dec 14 09:58:38 email postfix/smtpd[22119]: disconnect from unknown[180.120.191.91]
ehlo=1 auth=0/1 commands=1/2
Dec 14 09:58:38 email postfix/smtpd[22095]: connect from unknown[49.67.68.34]
Dec 14 09:58:39 email postfix/smtpd[22106]: lost connection after AUTH from
unknown[180.120.192.199]
Dec 14 09:58:39 email postfix/smtpd[22106]: disconnect from unknown[180.120.192.199]
ehlo=1 auth=0/1 commands=1/2
Dec 14 09:58:39 email postfix/smtpd[22095]: lost connection after AUTH from
unknown[49.67.68.34]
Dec 14 09:58:39 email postfix/smtpd[22095]: disconnect from unknown[49.67.68.34] ehlo=1
auth=0/1 commands=1/2
Dec 14 09:58:39 email postfix/smtpd[22119]: connect from unknown[121.226.62.16]
Dec 14 09:58:39 email postfix/smtpd[22119]: lost connection after AUTH from
unknown[121.226.62.16]
Dec 14 09:58:39 email postfix/smtpd[22119]: disconnect from unknown[121.226.62.16]
ehlo=1 auth=0/1 commands=1/2
Dec 14 09:58:39 email postfix/smtpd[22106]: connect from unknown[58.221.55.21]
Dec 14 09:58:40 email postfix/smtpd[22106]: lost connection after AUTH from
unknown[58.221.55.21]
Dec 14 09:58:40 email postfix/smtpd[22106]: disconnect from unknown[58.221.55.21] ehlo=1
auth=0/1 commands=1/2
Dec 14 09:58:47 email postfix/smtpd[22095]: connect from unknown[121.232.65.223]
Dec 14 09:58:47 email postfix/smtpd[22095]: lost connection after AUTH from
unknown[121.232.65.223]
Dec 14 09:58:47 email postfix/smtpd[22095]: disconnect from unknown[121.232.65.223]
ehlo=1 auth=0/1 commands=1/2

Postfix is designed to run even under stressful conditions. It uses a limited amount of
memory, so such attacks are much less effective. However, I don’t want them to appear
in my mail log and we should save smtpd processes for legitimiate SMTP clients,
instead of wasting time dealing with spambots. To stop this kind of flood attack, you can
use fail2ban, which is a set of server and client programs to limit brute force
authentication attempts. Install fail2ban from default Ubuntu repository.

sudo apt install fail2ban

After it’s installed, it will be automatically started, as can be seen with:

sudo systemctl status fail2ban

15/46
The fail2ban-server program included in fail2ban monitors log files and issues
ban/unban command. By default, it would ban a client’s IP address for 10 minutes if the
client failed authentication 5 times. The ban is done by adding iptables firewall rules.
You can check iptables rules by running the following command.

sudo iptables -L

To enable fail2ban on Postifx SMTP AUTH attack, add the following lines in
/etc/fail2ban/jail.local file. If the file doesn’t exist, then create this file.

[postfix-flood-attack]
enabled = true
bantime = 10m
filter = postfix-flood-attack
action = iptables-multiport[name=postfix,
port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/mail.log

You can change the bantime to something like 30m or 12h to ban the bad actor for
longer time. If you would like to whitelist your own IP address, add the following line to
tell fail2ban to ignore your IP address. Replace 12.34.56.78 with your own IP address.
Multiple IP addresses are separated by spaces.

ignoreip = 127.0.0.1/8 ::1 12.34.56.78

By default, the allowed max number of failure it 5 times. After 5 failures, the client will
be banned. To specify a customized number of failures, add the following line. Change
the number to your liking.

maxretry = 4

Save and close the file. Then create the filter rule file.

sudo nano /etc/fail2ban/filter.d/postfix-flood-attack.conf

In this file, we specify that if the “lost connection after AUTH from” is found, then ban
that IP address.

[Definition]
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =

Save and close the file. Restart fail2ban the changes to take effect.

sudo systemctl restart fail2ban

In the fail2ban log file ( /var/log/fail2ban.log ), I can find the message like below, which
indicates the IP address 114.223.221.55 has been banned because it failed
authentication 5 times.

16/46
2018-12-14 09:52:15,598 fail2ban.filter [21897]: INFO [postfix-flood-attack] Found
114.223.211.55 - 2018-12-14 09:52:15
2018-12-14 09:52:16,485 fail2ban.filter [21897]: INFO [postfix-flood-attack] Found
114.223.211.55 - 2018-12-14 09:52:16
2018-12-14 09:52:20,864 fail2ban.filter [21897]: INFO [postfix-flood-attack] Found
114.223.211.55 - 2018-12-14 09:52:20
2018-12-14 09:52:21,601 fail2ban.filter [21897]: INFO [postfix-flood-attack] Found
114.223.211.55 - 2018-12-14 09:52:21
2018-12-14 09:52:22,102 fail2ban.filter [21897]: INFO [postfix-flood-attack] Found
114.223.211.55 - 2018-12-14 09:52:22
2018-12-14 09:52:22,544 fail2ban.actions [21897]: NOTICE [postfix-flood-attack] Ban
114.223.211.55

I can also check my iptables.

sudo iptables -L

Output:

Chain f2b-postfix (1 references)

target prot opt source destination
REJECT all -- 195.140.231.114.broad.nt.js.dynamic.163data.com.cn anywhere
reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere

This indicates fail2ban has set up a iptables rule that reject connection from
195.140.231.114.broad.nt.js.dynamic.163data.com.cn , which is a hostname is used by
the spammer.

If you would like to manually block an IP address, run the following command. Replace
12.34.56.78 with the IP address you want to block.

sudo iptables -I INPUT -s 12.34.56.78 -j DROP

If you use UFW (iptables frontend), then run

sudo ufw insert 1 deny from 12.34.56.78 to any

How To Stop Repeat Senders Who Failed Postfix Check

Some spammers use automated tools to send spam. They ignore the Postfix reject
message and continue sending spam. For example, sometimes I can see the following
message in Postfix summary report.

17/46
 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=
<[email protected]> to=<[email protected]> proto=ESMTP helo= (total: 1)
1 185.191.228.36
504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=
<[email protected]> to=<[email protected]> proto=ESMTP helo= (total: 1)
1 185.191.228.36
504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=
<[email protected]> to=<[email protected]>
proto=ESMTP helo= (total: 1)
1 185.191.228.36
504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=
<[email protected]> to=<[email protected]> proto=ESMTP helo= (total:
1)
1 185.191.228.36
504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=
<[email protected]> to=<[email protected]> proto=ESMTP helo= (total: 1)
1 185.191.228.36
504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=
<[email protected]> to=<[email protected]> proto=ESMTP helo= (total: 1)

This spammer continues sending spam, ignoring the Postfix reject message: Helo
command rejected: need fully-qualified hostname . To stop this kind of behavior, we can
also use Fail2ban by adding the following lines in /etc/fail2ban/jail.local file.

[postfix]
enabled = true
maxretry = 3
bantime = 1h
filter = postfix
logpath = /var/log/mail.log

The [postfix] jail will use the builtin filter shipped with Fail2ban
( /etc/fail2ban/filter.d/postfix.conf ). Save and close the file. Then restart Fail2ban.

sudo systemctl restart fail2ban

Now the spammer will have to wait 1 hour before pounding your mail server again.

Bonus Tip For iRedMail Users

iRedMail automatically configures Postscreen with Postfix. By default, there is a
pregreet test in Postscreen to detect spam. As you may already know, in SMTP
protocol, the receiving SMTP server should always declare its hostname before the
sending SMTP server does so. Some spammers violate this rule and declare their
hostnames before the receiving SMTP server does.

Sometimes I can see the following lines in /var/log/mail.log file, which indicates that
this sender declare its hostname first. This spammer just want to pound my mail server
with endless connections, but has no intent to send any email. And the EHLO hostname
ylmf-pc is a clear indication that these connections are originated from compromised
home computers. ( ylmf is an acronym for the defunct Chinese Linux distro: 雨林木风.)
18/46
PREGREET 14 after 0.22 from [121.226.63.86]:64689: EHLO ylmf-pc\r\n
PREGREET 14 after 0.24 from [121.232.8.131]:55705: EHLO ylmf-pc\r\n
PREGREET 14 after 0.24 from [114.232.9.57]:62783: EHLO ylmf-pc\r\n

iRedMail ships with a fail2ban rule to filter this kind of malicious activities. You can see
the following line in /etc/fail2ban/filter.d/postfix.iredmail.conf file.

PREGREET .* from \[<HOST>\]:.* EHLO ylmf-pc

But I think the default bantime (1 hour) for this filter to too low. Open the
/etc/fail2ban/jail.local file and add a custom bantime parameter like below.

[postfix-iredmail]
enabled = true
max-retry = 1
bantime = 24h
filter = postfix.iredmail
logpath = /var/log/mail.log

I set the bantime value to 24 hours because the sender is clearly using compromised
home computers. Save and close the file. Restart fail2ban the changes to take effect.

sudo systemctl restart fail2ban

Running Local DNS Resolver to Speed Up DNS Lookups

As you can see, Postfix will need to lookup DNS records in order to analyze each SMTP
dialog. To speed up DNS lookups, you can run a local DNS resolver by following on the
tutorials below.

And most DNS blacklists have query limit. Running your own local DNS resolver to
cache DNS records can help you stay under the query limit.

Next Step
I hope these 7 Postfix anti spam measures helped you block email spam. You may also
want to deploy a content filter such as SpamAssassin to better detect spam.

As always, if you found this post useful, then subscribe to our free newsletter to get
more tips and tricks. Take care

Rate this tutorial

[Total: 31 Average: 4.9]

You may also like:

Run Your Own Email Server on CentOS 8/RHEL 8 - Postfix SMTP Server

Set Up OpenDMARC with Postfix on Ubuntu to Block Email Spoofing/Spam

19/46
7 Effective Tips for Blocking Email Spam with Postfix on CentOS/RHEL

How to Set Up SMTP Relay Between 2 Postfix SMTP Servers on Ubuntu

Mail Server IP Blacklist Removal Tips to Improve Email Deliverability

Enable SMTPS Port 465 in Postfix SMTP Server For Email Submission

Block Email Spam with Postfix and SpamAssassin Content Filter

How to Set up a Backup Email Server with Postfix on Ubuntu (Complete Guide)

63 Responses to “7 Effective Tips for Blocking Email Spam with Postfix

SMTP Server”

Vladimír

2 years ago
Reply
Nice! Thanks for ideas.

Joshua Campbell

2 years ago
Reply
Really helpful. I currently pay for web hosting and a mail server but my 3 year
contract is ending soon and have been researching methods on hosting this on an
easy to deploy Vultr instance. Thanks for the spam filter information!!

20/46
Mark

2 years ago
Reply
For several days I trying to set up and secure mail server. It’s probably okay, but I
still have questions.
1. GreyList.
In your “How to Easily Set Up a Full-Featured Mail Server on Ubuntu 18.04 with
iRedMail” you wrote: “By default, iRedMail has enabled greylisting”. What is
better: default iRedMail greylist or Postgrey? If I install Postgrey, should I disable
default iRedMail greylist?
2. Fail2ban.
In my version of iRedMail in filter.d/postfix.iredmail.conf file I have something
like similar line:

"failregex = \[\]: SASL (PLAIN|LOGIN) authentication failed

lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[\]"

Is this the same rule or I still should add your [postfix-auth] to my jail.local?
And in my jail.local is only one jail [DEFAULT] – is this correct?

Xiao Guo An (Admin)

2 years ago
Reply
If you use iRedMail to set up your mail server, I recommend using the
default iRedMail greylisting service and the default Fail2ban jails.

I would use Postgrey and create my custom Fail2ban jails if I set up mail
server from scratch.

21/46
deibis

1 year ago
Reply
Excelente post compa gracias por el aporte.
Aunque actualemtne tengo el siguiente problema:

Feb 14 10:20:15 host postfix/smtpd[27908]: connect from

190121128161.ip41.static.mediacommerce.com.co[190.121.128.161]
Feb 14 10:20:15 host postfix/smtpd[27877]: Anonymous TLS connection established
from unknown[170.210.208.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 14 10:20:15 host postfix/smtpd[28197]: Anonymous TLS connection established
from unknown[190.129.24.236]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
(256/256 bits)

alguna idea de como bloquear esas IP a traves del csf de firewall de centos

kde35

1 year ago
Reply
Hi, this is nice, but my postfix server accepts mails from local network
(192.168.1.xxx) as well as localhost,
so if I follow one of your first four tips, then it will stop sending mails from local
network, am I right?

Xiao Guo An (Admin)

1 year ago
Reply
These tips are used to block inbound spam from other SMTP servers. Your
own users on the local network and localhost can send emails as usual.

Xiao Guo An (Admin)

1 year ago
Reply
I assume by “accept” you mean outbound emails are submitted to Postfix
from local network and localhost, which is different than accepting inbound
emails from other SMTP servers.

22/46
webrunner

1 year ago
Reply
fail2ban-client status
cat /var/log/auth.log | grep ‘Failed password’ – Debian
cat /var/log/secure | grep ‘Failed password’ – Centos

webrunner

1 year ago
Reply
check_policy_service unix:private/policyd-spf – this blocks gmail and other
external mailservers, even if maillog show, that gmail is whitelisted.

Xiao Guo An (Admin)

1 year ago
Reply
Sorry if I didn’t explain it well. You need to follow this tutorial to implement
SPF checking.

In practice, SPF is more useful when you combine it with DKIM to enforce
DMARC record checking to stop spammers impersonating other person’s
domain name.

Sunil Kumar

9 months ago
Reply
What if I am using CSF ?

23/46
Breen

1 year ago
Reply
I sent email from “http://www.anonymailer.net” and I got this response in maillog
postfix/smtpd[15785]: NOQUEUE: reject: RCPT from unknown[10.230.220.57]:
450 4.7.1 Client host rejected: cannot find your reverse hostname,
[10.230.220.57]; from= to= proto=ESMTP helo=

Then, I sent email from my gmail account, I get the same (which is not expected)
postfix/smtpd[15785]: NOQUEUE: reject: RCPT from unknown[10.230.220.56]:
450 4.7.1 Client host rejected: cannot find your reverse hostname,
[10.230.220.56]; from=" to= proto=ESMTP helo="

Here is my postfix config:

smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname

smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_sender_domain,
reject_unknown_reverse_client_hostname,
reject_unknown_client_hostname

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org

Xiao Guo An (Admin)

1 year ago
Reply
10.230.220.56 doesn’t seem to be Google’s IP address. Every IP address
owned by Google has a reverse DNS record.

24/46
Jack

1 year ago
Reply
Hi, thanks for your post. Let me say my IMHO:
Guys, don’t use greylisting in your postfix config. Because of different
implementation many mail servers can attempt second connection through very
long time instead of your server advised. Your mail can be delayed for a long time,
it’s not good idea for 21 century

Alan

1 year ago
Reply
These seem quite sensible. When I implemented the HELO checks, however, I
started to get emails to my local Postmanster account with subject lines like

Postfix SMTP server: errors from rrcs-162-155-179-

211.central.biz.rr.com[162.155.179.211]

I assume these are notifying me of rejected messages. How can I suppress these
notification emails?

Xiao Guo An (Admin)

1 year ago
Reply
Postfix by default does not report rejected messages. Getting this kind of
email probably means there’s something wrong with your mail server.
Usually you can see the reason at the bottom of the email.

25/46
Nikolay

1 year ago
Reply
for what version of postfix is this?

I find lots of options different from my own. I use bit old version –

mail_version = 2.10.1

but this is what I get with CentOS 7. Should I consider upgrade?

Xiao Guo An (Admin)

1 year ago
Reply
Postfix 3.x on Debian/Ubuntu.

There are several options that are different in Postfix 2.x. You can find the
equivalent in Postfix documentation.

26/46
Pauli

12 months ago
Reply
I made it a bit different.

I scheduled download of spammers list IP addresses from

https://lists.blocklist.de/lists/mail.txt and new addresses I add to previously
downloaded lists. So the list get bigger every day.

When in the list is more then 20 addresses in one range then I block the entire
range eg. 176.221.42.0/24.

Example of postfix_blocklist_de file:

176.221.42.0/24 REJECT Your IP range is spam added by postfix_blocklist_de since

2019-08-15

Postfix conf main.cf:

smtpd_recipient_restrictions =
check_client_access cidr:/root/firewall/postfix_blocklist_de.list

I made some whois checking that I do not block IPs registered to well known
brands/partners and countries.

I also made whitelisting feature. Since I made this, we eliminated 99.99% of spam.
Of course I filtered from log all blocked addresses to check if there is some false
blocking and in two months is no regular email blocked.

Sorry for the English, but certainly you have a clue what have I done

Peet Verstraten

10 months ago
Reply
These tips helped me perfectly to block spammers and SMTP AUTH requests from
our Zentyal email server. Thanks a lot !

27/46
Fernando

9 months ago
Reply
Hello,

My server is sending spam emails with my Postfix.

How can that be done? What happened here? Did the get the root password?

Thanks

Sunil Kumar

9 months ago
Reply
I too looking for same.

28/46
Matteo

8 months ago
Reply
Thanks for your advice, they helped me a lot!
Just a question: pflogsumm configured as you say it sends me a summary email
but graylisting warning lines are also included, can they be omitted in some way?

Xiao Guoan (Admin)

8 months ago
Reply
Perhaps you can pipe the pflogsumm report to sed , which deletes the lines
that contain the word “greylisting”. Of course you need to know how to use
the sed editor.

Matteo

8 months ago
Reply
Yes! I’ve used the command

sed '/Greylisted/,+1 d'

to remove the lines containing the word “Greylisted” and the line
directly after it.
thanks!

Philips

7 months ago
Reply
For the past three years, I am running an email server but receiving a lot of spam.
With the help of the technical team, I have learned to block email spam with the
Postfix SMTP server. Meanwhile, I have signed up with EasySendy and Mailgun
for delivering email newsletters and leveraging sales process.

29/46
Mike Johnson

7 months ago
Reply
Hi,

How can postfix be configured to forward email for multiple domains while using
TLS terminated behind a F5? Issues we are running into are ehlo banner
hostname and TLS cert designation. DO I need a SAN certificate? Does actual
hostname of the mailserver need to align with SAN entry? confused?

Mike

Jesper R

7 months ago
Reply
I think you fail to properly explain the repercussions that enabling
reject_unknown_reverse_client_hostname and
reject_unknown_client_hostname can have. First of all I think it is important to
make it clear that setting these effectively makes sure that your mail server will not
accept mails from people running their own mail servers on home internet
connections where the PTR is either rarely set or can not be changed by the
customer.

I also think that it is worth mentioning that if the mail server fails for resolve the
PTR due to a DNS error, then it leads to delays in mail delivery because reject a
mail with 450 means that the sending mail server will have to retry at a late time.
Lastly I think the assumption “Their IP addresses don’t have PTR records.” is just
wrong, and not only spammers have missing PTR records, and enabling these two
setting should be discouraged as they inevitably will lead to false positives and lost
or delayed mail. You really shouldn’t recommend these kinds of over
approximations but instead push for interoperability.

30/46
Xiao Guoan (Admin)
7 months ago
Reply
First of all, you shouldn’t run a mail server with a home IP address, which
often has bad IP reputation (dynamic IP) and doesn’t have PTR record. If
you really want to run a mail server at home, you should set up SMTP relay.
There are many SMTP relay services that offer free quotas, which is enough
for people who run mail server at home.

How to Set up Postfix SMTP Relay on Ubuntu with Mailjet

How to Set up Postfix SMTP Relay on Debian with Mailjet
How to Set up Postfix SMTP Relay on CentOS with Mailjet

SMTP relay services have PTR records for their servers. So if you don’t have
PTR record, use SMTP relay service.

Facebook rejects any IP address that doesn’t have PTR record. Convince
Facebook before trying to convince me not to use PTR restriction.

host smtpin.vvv.facebook.com[69.171.251.251] refused to talk to me: 554 5.1.8

DNS-P3 No PTR Record https://www.facebook.com/postmaster/response_codes

So is the case with GMX.

host mx00.gmx.net[212.227.15.10] refused to talk to me: 554-gmx.net

(mxgmx015) Nemesis ESMTP Service not available 554-No SMTP service 554-Bad
DNS PTR resource record

Gmail rejects emails sent from IPv6 that doesn’t have PTR record.

host gmail-smtp-in.l.google.com[2404:6800:4003:c03::1b] said: 550-5.7.1

[2001:19f0:4400:74f8:5400:2ff:fedd:c0bf] Our system has detected that 550-5.7.1
this message does not meet IPv6 sending guidelines regarding PTR 550-5.7.1
records and authentication. Please review 550-5.7.1
https://support.google.com/mail/?p=IPv6AuthError for more information

SpamRats have a blacklist for IP addresses that don’t have PTR records.

The SMTP protocol (RFC 2821) recommends that sending SMTP server
should retry failed email delivery at least 4-5 days. It’s the case for Postfix
SMTP server. And you can configure your mail server to use multiple DNS
servers to prevent DNS failure. That’s not hard to do. It’s common for mail
servers to query DNS-based blacklist (DNSBL), also known as realtime
blacklist (RBL), such as Spamhaus, to reject connections from spammers.
You can’t even send emails when your DNS doesn’t work properly. If you
worry about DNS failure, that indicates you are not qualified to run your own
email server.

31/46
Chris

7 months ago
Reply
But there is another problem with the reject_unknown_reverse_client_hostname
IP heck. IIUIC, this would reject any mail server which is on a local LAN behind a
firewall but with valid PTR for the Public IP address NAT’s to the server – even if
it has full DMARC and DKIM compliance.

Given the shortage of IPv4 public IP addresses, this is a real issue and until IPv6
becomes common, likely to be an increasing one.

Xiao Guoan (Admin)

7 months ago
Reply
The receiving SMTP server doesn’t know the local LAN IP address of the
sending SMTP server. It thinks the connection is coming from the
router/gateway. That’s how NAT Works.

So, reject_unknown_reverse_client_hostname has no problem with NAT at

all.

Chris

7 months ago
Reply
I recently did a check using an online mail deliverability tool and spf reported the
delivery from the lan to my ‘public’ server on the lan (which has a local IP address
and not the public address) IIRC. However, I guess it could have been the mail
client not the server that was being reported – which would make sense.

I had always assumed that NATing would work the way you suggested, but that
report made me wonder.

Xiao Guoan (Admin)

7 months ago
Reply
You mean you have two mail servers in the LAN? Communications in the
LAN uses local IP address. You can always add you LAN to Postfix
mynetworks parameter, so any IP address in the LAN won’t be affected by
reverse IP check.
32/46
Chris

7 months ago
Reply
No, a single mx server. The report even detailed internal passage to and from the
virus scanner, or it may have been another component … I can’t recall.

It showed a lan address -> lan address -> 127.0.0.1 -> public ip routing.

Test involved sending an email and the header being examined.

Xiao Guoan (Admin)

7 months ago
Reply
I did once see a spam with the following email flow.

lan address -> lan address -> 127.0.0.1 -> public ip routing.

Such mail server has serious internal design flaw, but it’s not related to PTR
check (reject_unknown_reverse_client_hostname). PTR check happens in
the SMTP dialog phase and it doesn’t scan email headers.

33/46
chris

7 months ago
Reply
It is a plain iredmail install so any internal flaws are inherent in that packaging.

I was particularly drawn to this series so I could better understand the

complexities of a mailserver (as you suggested in your opening paragraphs of Part
1) and this discussion has further aided that education. I intended from the outset
to build and maintain a new server from scratch – which I will do once I have the
series completed. It is very helpful.

I am enjoying your series vet much. Linuxbabe is my goto for any guides – always
dependable. Thank you for your very thorough work.

Xiao Guoan (Admin)

6 months ago
Reply
I now remember that it’s an email server hosted by GoDaddy
(secureserver.net) with such email flow.

lan address -> lan address -> 127.0.0.1 -> public ip routing

Actually iRedMail is not like that. The email flow sent from iRedMail servers
is:

127.0.0.1 -> public ip routing

Darren

6 months ago
Reply
this was a great help, cut down spam by about 90%

34/46
Alex

6 months ago
Reply
If I add a 2nd and 3rd MX records, do I need to ADD a lets encrypt certificate for
each additional domain MAIL2 and MAIL3?
And do I need to configure them in postfix as well?

Xiao Guoan (Admin)

6 months ago
Reply
Adding a second MX record is enough to skip greylisting. Adding a third MX
record isn’t necessary.

Simply add mail2.yourdomain.com to your Apache or Nginx virtual host file

like

server_name mail.yourdomain.com mail2.yourdomain.com;

Reload Nginx. Then obtain a multi-domain Let’s Encrypt certificate.

sudo certbot certonly --nginx --agree-tos --email [email protected] --

cert-name mail.yourdomain.com --domain
mail.yourdomain.com,mail2.yourdomain.com

Once the certificate is obtained, simply restart Nginx, Postfix and Dovecot.

sudo systemctl restart nginx postfix dovecot

Nginx, Postfix and Dovecot will now use the multi-domain certificate.

35/46
Alex

5 months ago
Reply
I think I got banned from ICLOUD.COM because of this “host
mx6.mail.icloud.com[17.178.97.79] refused to talk to me: 550 5.7.0 Blocked”

Can you help with?

Xiao Guoan (Admin)

5 months ago
Reply
Read the Postmaster information for icloud mail. Basically you need to send
an email to the icloud postmaster team to ask for removal of your IP address
from the blacklist.

Alex

5 months ago
Reply
Thank You so much.

36/46
Alex

4 months ago
Reply
Hello there,

I do have a problem, the “web server – www.MyDomain” is on another IP and

over there fail2ban sends the daily email summary to my “mail server” and it goes
to “greaylist” for obvious reason. How do I resolve this?

Thank you.

Xiao Guoan (Admin)

4 months ago
Reply
You can edit the /etc/postfix/main.cf file and find the mynetworks
parameter.

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

Add your web server’s IP address to mynetworks . Replace 12.34.56.78 with

your real IP address. So your web server won’t be greylisted.

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 12.34.56.78

Save and close the file. Then restart Postfix.

sudo systemctl restart postfix

maximumwarp

3 months ago
Reply
Hello and thank you for your awesome guide.
I’m following all the steps but I have a problem:
if I insert these lines in

/etc/postfix/main.cf

I can’t receive mails:

37/46
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_policy_service unix:private/policyd-spf,
check_policy_service inet:127.0.0.1:10023,
check_client_access hash:/etc/postfix/rbl_override,
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
reject_rbl_client zen.spamhaus.org

Xiao Guoan (Admin)

3 months ago
Reply
Check your mail log file (/var/log/mail.log) to find out what’s wrong.

maximumwarp

3 months ago
Reply
If I comment that lines everything works.

If I uncomment policyd-spf_time_limit = 3600 in /var/log/mail.err I

read:

Apr 29 07:00:59 curseofpi opendkim[1649]: D2C681603A3: key retrieval

failed (s=20161025, d=gmail.com): '20161025._domainkey.gmail.com'
query timed out
Apr 29 07:05:10 curseofpi opendkim[1649]: 328C41607A3: key retrieval
failed (s=20161025, d=gmail.com): '20161025._domainkey.gmail.com'
query timed out

If I uncomment the smtpd_recipient_restrictions lines, I read:

Apr 29 06:03:52 curseofpi postfix/smtpd[23155]: error: open database

/etc/postfix/rbl_override.db: No such file or directory
Apr 29 06:10:26 curseofpi postfix/smtpd[23771]: error: open database
/etc/postfix/rbl_override.db: No such file or directory
Apr 29 06:16:10 curseofpi postfix/smtpd[24000]: error: open database
/etc/postfix/rbl_override.db: No such file or directory

Yesterday I moved /var/log/mail.log to /var/log/mail.log.bak to have a

clean log but a new /var/log/mail.log weren’t created by the system…

38/46
 Xiao Guoan (Admin)
3 months ago
Reply

20161025._domainkey.gmail.com' query timed out

Your DNS resolver is not working.

open database /etc/postfix/rbl_override.db: No such file or directory

Your forgot to run this command:

sudo postmap /etc/postfix/rbl_override

Restart Postfix after running the above command.

sudo systemctl restart postfix

maximumwarp

3 months ago
Reply
Thank you, “open database /etc/postfix/rbl_override.db: No such file
or directory” problem solved!

Sebastiaan

3 months ago
Reply
Ever since setting this up I’ve managed to get spam sent to one of my email
addresses, sent FROM my server. The spammer didn’t just spoof my from address
but it appears the email actually processed through my server when I examine the
raw source of the email. DKIM is in there and looks to be correct. This is the raw
source of one of the emails

39/46
Return-Path:
Delivered-To: [email protected]
Received: from my-domain.com
by my-domain.com with LMTP
id DnMyOUrmtl4nJAAAz5pt0Q
(envelope-from )
for ; Sat, 09 May 2020 19:20:10 +0200
Received: from www.my-domain.com (my-domain.com [my-vps-ip])
by my-domain.com (Postfix) with ESMTPSA id D6BB21388DC
for ; Sat, 9 May 2020 19:20:10 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=my-domain.com;
s=default; t=1589044810;
bh=a3ZcB1JPs8G/6Vjk02Kw6aw+tRhBodL9r/mEDwRzQmE=;
h=Date:To:From:Reply-To:Subject:From;
b=oht/iF3jok5fo6MWKHQA3nyA1WSnoRHjaamIMM41EltsdzZNnCqbHTCegVBg3uOZg
+axnbUX3Zqu0OSOog+0VNMj1ky3MNm0vtzmJQsRA8sF+Y0G4iDtYgOwkthzEO68ktN
7fmtbZVQmvCZj7/Cd4ECa1HuakfSZaJCqq+rsvXw=
Date: Sat, 9 May 2020 17:20:10 +0000
To: [email protected]
From: Whole Latte Coffee
Reply-To: [email protected]
Subject: Subject: Hi nice website https://google.com
Message-ID:
X-Mailer: WPMailSMTP/Mailer/smtp 2.0.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

From: Hi nice website https://google.com

Subject: Hi nice website https://google.com

Message Body:
Hi nice website https://google.com

I have edited my domain name to my-domain.com and edited the Reply-To email.
The IP in the received line was actually my VPS IP address. The google.com links
were all in the original email believe it or not.

I checked my logs for the id in the “Received” part in the headers as well as the
message-id and found this:

May 9 19:20:10 my-domain postfix/submission/smtpd[9250]: connect from my-

domain.com[my-vps-ip]
May 9 19:20:10 my-domain postfix/submission/smtpd[9250]: Anonymous TLS
connection established from my-domain.com[my-vps-ip]: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits)
May 9 19:20:10 my-domain dovecot: auth: Debug: auth client connected (pid=0)
May 9 19:20:10 my-domain dovecot: auth: Debug: client in:
AUTH#0111#011LOGIN#011service=smtp#011nologin#011lip=my-vps-ip#011rip=my-
vps-ip#011secured
May 9 19:20:10 my-domain dovecot: auth: Debug: client passdb out:
CONT#0111#011VXNlcm5hbWU6
May 9 19:20:10 my-domain dovecot: auth: Debug: client in: []removed] (previous
40/46
base64 data may contain sensitive data)
May 9 19:20:10 my-domain dovecot: auth: Debug: client passdb out:
CONT#0111#011UGFzc3dvcmQ6
May 9 19:20:10 my-domain dovecot: auth: Debug: client in: [removed] (previous
base64 data may contain sensitive data)
May 9 19:20:10 my-domain dovecot: auth: Debug: sql([email protected],my-vps-ip):
Performing passdb lookup
May 9 19:20:10 my-domain dovecot: auth-worker(9246): Debug: conn unix:auth-worker
(pid=9162,uid=118): auth-worker: Handling PASSV request
May 9 19:20:10 my-domain dovecot: auth-worker(9246): Debug: sql(info@my-
domain.com,my-vps-ip): Performing passdb lookup
May 9 19:20:10 my-domain dovecot: auth-worker(9246): Debug: sql(info@my-
domain.com,my-vps-ip): query: SELECT username AS user,password FROM mailbox
WHERE username = '[email protected]' AND active='1'
May 9 19:20:10 my-domain dovecot: auth: Debug: sql([email protected],my-vps-ip):
Finished passdb lookup
May 9 19:20:10 my-domain dovecot: auth: Debug: auth([email protected],my-vps-
ip): Auth request finished
May 9 19:20:10 my-domain dovecot: auth: Debug: client passdb out:
OK#0111#[email protected]
May 9 19:20:10 my-domain dovecot: auth-worker(9246): Debug: sql(info@my-
domain.com,my-vps-ip): Finished passdb lookup
May 9 19:20:10 my-domain dovecot: auth-worker(9246): Debug: conn unix:auth-worker
(pid=9162,uid=118): auth-worker: Finished
May 9 19:20:10 my-domain postfix/trivial-rewrite[9251]: warning: do not list domain
my-domain.com in BOTH mydestination and virtual_mailbox_domains
May 9 19:20:10 my-domain postfix/trivial-rewrite[9251]: warning: do not list domain
my-domain.com in BOTH mydestination and virtual_mailbox_domains
May 9 19:20:10 my-domain postfix/submission/smtpd[9250]: D6BB21388DC:
client=my-domain.com[my-vps-ip], sasl_method=LOGIN, sasl_username=info@my-
domain.com
May 9 19:20:10 my-domain postfix/cleanup[9252]: D6BB21388DC: message-id=
May 9 19:20:10 my-domain postfix/submission/smtpd[9250]: disconnect from my-
domain.com[my-vps-ip] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1
commands=8
May 9 19:20:10 my-domain postfix/qmgr[22666]: D6BB21388DC: from=, size=823,
nrcpt=1 (queue active)
May 9 19:20:10 my-domain postfix/trivial-rewrite[9251]: warning: do not list domain
my-domain.com in BOTH mydestination and virtual_mailbox_domains
May 9 19:20:10 my-domain dovecot: lmtp(9255): Connect from local
May 9 19:20:10 my-domain dovecot: auth: Debug: master in:
USER#0111#[email protected]#011service=lmtp
May 9 19:20:10 my-domain dovecot: auth: Debug: sql([email protected]):
Performing userdb lookup
May 9 19:20:10 my-domain dovecot: auth-worker(9246): Debug: conn unix:auth-worker
(pid=9162,uid=118): auth-worker: Handling USER request
May 9 19:20:10 my-domain dovecot: auth-worker(9246): Debug: sql(info@my-
domain.com): Performing userdb lookup
May 9 19:20:10 my-domain dovecot: auth-worker(9246): Debug: sql(info@my-
domain.com): SELECT maildir, 2000 AS uid, 2000 AS gid FROM mailbox WHERE
username ='[email protected]' AND active='1'
May 9 19:20:10 my-domain dovecot: auth-worker(9246): Debug: sql(info@my-
domain.com): Finished userdb lookup
May 9 19:20:10 my-domain dovecot: auth-worker(9246): Debug: conn unix:auth-worker
41/46
(pid=9162,uid=118): auth-worker: Finished
May 9 19:20:10 my-domain dovecot: auth: Debug: sql([email protected]): Finished
userdb lookup
May 9 19:20:10 my-domain dovecot: auth: Debug: userdb out:
USER#0111#[email protected]#011maildir=my-
domain.com/info/#011uid=2000#011gid=2000
May 9 19:20:10 my-domain dovecot: lmtp([email protected]): msgid=: saved mail
to INBOX
May 9 19:20:10 my-domain postfix/lmtp[9254]: D6BB21388DC: to=, relay=my-
domain.com[private/dovecot-lmtp], delay=0.09, delays=0.06/0.01/0.01/0, dsn=2.0.0,
status=sent (250 2.0.0 DnMyOUrmtl4nJAAAz5pt0Q Saved)
May 9 19:20:10 my-domain postfix/qmgr[22666]: D6BB21388DC: removed
May 9 19:20:10 my-domain dovecot: lmtp(9255): Disconnect from local: Client has quit
the connection (state=READY)

Again, my-domain is me. The ip address in “connect from my-domain.com[my-

vps-ip]” is actually my VPS IP.

Over the past few days I have received two of these emails, this being the most
recent one. I have followed these tutorials to the letter and everything is set up
you’ve said except for the greylisting.

Xiao Guoan (Admin)

3 months ago
Reply
This spam was generated on your WordPress site, perhaps through a contact
form, or a comment area. Your WordPress site automatically sends the
message to your email address.

Sebastiaan

3 months ago
Reply
The Xmailer header right? That’s what I thought initially too. I’ve
disabled the “WP Mail SMTP” plugin for now as it seems I no longer
need it. We’ll see what happens. Thanks for the reply btw, I appreciate
it a great deal =)

42/46
Viktor

3 months ago
Reply
Hi,

is there any way to use IMSVA from Trend Micro with postfix + dovecot? I searche
dand searched but cannot find how to set it up with IMSVA.

Thank you!

Ron Jones

2 months ago
Reply
Excellent work again! Everything seems to work as it should.
I had to make a minor change to my pflogsumm crontab entry in order to make it
work for me (in order to get my morning report).

At the top of my root crontab is my admin email address.

MAILTO="[email protected]"

Followed by the first line of crontab, which shows the order of cron commands

# m h dom mon dow command

Here is the actual command string that I used to get it to send.

28 7 * * * /usr/bin/perl /usr/sbin/pflogsumm -d yesterday /var/log/mail.log --problems-

first --rej-add-from --verbose-msg-detail -q

I chose 07:28 so that it would run in time to hit my mailbox right before I come
down to my office.
The big change for me (Ubuntu 20.04 server) was to call

/usr/bin/perl

to run the pflogsumm program.

Finally, I was able to drop off Mutt, and the mailing instructions because I’ve got
my email address at the top of the file.

Hope that helps someone.

43/46
saurav

2 months ago
Reply
how to stop unauthenticated users to send e-mails neither locally nor remotely?
from port:465 ssl

germs

2 months ago
Reply
Am using CentOS8 (release 8.1) and trying to implement the SMTP AUTH flood
attack as you stated. The filter is detecting the attack but firewalld is not banning
the IP addresses.

[postfix-flood-attack]

enabled = true
bantime = 1h
filter = postfix-flood-attack
action = firewallcmd-ipset
port = http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve
protocol = tcp
logpath = /var/log/maillog

44/46
RS BARI

3 weeks ago
Reply
I try to this command:

root@mail:~# sudo postmap /etc/postfix/helo_access

postmap: warning: /etc/postfix/main.cf, line 112: overriding earlier entry:
smtpd_helo_restrictions=permit_mynetworks permit_sasl_authenticated

And this is my main.cf file:

smtpd_sender_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unknown_reverse_client_hostname

smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated

smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
check_helo_access hash:/etc/postfix/helo_access
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname

Whats wrong Xiao?

Xiao Guoan (Admin)

3 weeks ago
Reply
Very simple, you have duplicate parameters in main.cf file.

45/46
 Matthieu

27 seconds ago
Reply
Dear Xiao,

Thanks for the great tutorial.

PS.: Please check the pflogsumm example, the parameter –problems-first needs to
be changed to –problems_first.

Cheers,

Matthieu

Leave a Comment
Comments with links are moderated by admin before published.
Your email address will not be published.
Use <pre> ... </pre> HTML tag to quote the output from your
terminal/console.
Please use the community ( https://community.linuxbabe.com) for questions
unrelated to this article.
I don't have time to answer every question. Making a donation would incentivize
me to spend more time answering questions.

The maximum upload file size: 2 MB.

You can upload: image.

46/46