Tightening SPAM control on ISPConfig Server

Recently one of my clients shifted from Plesk to ISPConfig, and I was asked to set up the ISPConfig control panel on the server. We followed an ISPConfig how-to from howtoforge.com. The installation was (almost) a breeze. Migration from Plesk to ISPConfig was quite painful. But anyway, we did it.

Later, when the system had gone live and been in production for more than a week, we noticed that a lot of spam was coming in. The Postfix mail server needed some additional armor. I wanted some important checks, such as HELO, RBL and SPF. Below is how I added that extra level of protection.

First, I want to thank and acknowledge the authors of the following web pages, which helped me in achieving this:

http://www.wains.be/index.php/2006/04/04/postfix-spf/

http://www.freesoftwaremagazine.com/articles/focus_spam_postfix?page=0%2C2

http://www.howtoforge.com/postfix_spf

For SPF, I downloaded the postfix-SPF module/plugin from http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz and installed it as follows:

cd /root/

wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz

tar xzf postfix-policyd-spf-perl-2.007.tar.gz

cp postfix-policyd-spf-perl-2.007/postfix-policyd-spf-perl /usr/libexec/postfix/

chmod +x /usr/libexec/postfix/postfix-policyd-spf-perl

Then I had to add the following text (it is one single long line) to the bottom of /etc/postfix/master.cf:

vi /etc/postfix/master.cf

spfpolicy unix - n n - 0 spawn user=nobody argv=/usr/libexec/postfix/postfix-policyd-spf-perl

Notes:

  • You can use tabs instead of spaces in the line above. Refer to the INSTALL file which comes with the tarball.
  • The INSTALL file uses the word policy instead of spfpolicy, as shown here. It does not matter. Whatever you choose to use, make sure that you use the same name in the master.cf and main.cf files.

I then edited my /etc/postfix/main.cf file and added the following text. The text below contains SPF checks, RBL checks, invalid HELO checks, invalid host-name checks, etc.

vi /etc/postfix/main.cf

. . .

(Change the following line:)

smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf

(Change to:)

smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, permit

Note: The line above is a single line.

(Then add the following text:)

# The prefix must match the service name used in master.cf (spfpolicy here)
spfpolicy_time_limit = 3600

smtpd_delay_reject = yes

smtpd_helo_required = yes

smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit

smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_policy_service unix:private/spfpolicy, permit

Note: each smtpd_* setting shown above is one long single line. (Tip: everything from smtpd_* through the final permit is one line.)

After you save this file, restart the Postfix service:

service postfix restart
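The notes above stress that the service name must be the same in master.cf and main.cf. The following added example (not part of the original how-to or of Postfix itself) checks that wiring on the configuration text before a restart; the function names and sample strings are constructed for illustration, and the ordering rule it applies (policy service after reject_unauth_destination) is taken from Postfix's policy-delegation guidance rather than from this page.

```python
import re

def logical_lines(text):
    """Drop comments and blank lines; join Postfix continuation lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()  # leading whitespace continues the previous line
        else:
            out.append(raw.strip())
    return out

def spawn_services(master_cf):
    """Names of unix-socket services in master.cf that run spawn(8)."""
    fields = (line.split() for line in logical_lines(master_cf))
    return {f[0] for f in fields if len(f) >= 8 and f[1] == "unix" and f[7] == "spawn"}

def check_policy_wiring(master_cf, main_cf):
    """List problems in how main.cf refers to the policy services in master.cf."""
    pairs = (line.partition("=") for line in logical_lines(main_cf))
    params = {k.strip(): v.strip() for k, sep, v in pairs if sep}
    rules = [t for t in re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", "")) if t]
    problems = []
    for i, token in enumerate(rules[:-1]):
        target = rules[i + 1]
        if token != "check_policy_service" or not target.startswith("unix:private/"):
            continue
        name = target[len("unix:private/"):]
        if name not in spawn_services(master_cf):
            problems.append(f"{target}: no spawn service '{name}' in master.cf")
        if f"{name}_time_limit" not in params:
            problems.append(f"{name}_time_limit is not set in main.cf")
        if "reject_unauth_destination" not in rules[:i]:
            problems.append(f"{target} is evaluated before reject_unauth_destination")
    return problems

# Constructed sample input, modelled on the lines in this article.
MASTER_CF = "spfpolicy unix - n n - 0 spawn user=nobody argv=/usr/libexec/postfix/postfix-policyd-spf-perl\n"
MAIN_OK = """spfpolicy_time_limit = 3600
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
    check_policy_service unix:private/spfpolicy, permit
"""
MAIN_BAD = MAIN_OK.replace("spfpolicy", "policy")  # name no longer matches master.cf

if __name__ == "__main__":
    print(check_policy_wiring(MASTER_CF, MAIN_OK), check_policy_wiring(MASTER_CF, MAIN_BAD))
```

To check a live system, pass in the contents of /etc/postfix/master.cf and /etc/postfix/main.cf instead of the sample strings.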

 

 
