Enhanced e-mail SPAM protection in ISPConfig 3

Monday, November 21, 2011 posted by Till

The command below enables stricter SPAM handling for Postfix on ISPConfig 3 servers.

In Detail:

  • Reject sender hostnames with invalid syntax
  • Reject sender hostnames that are not fully qualified domain names (e.g. reject "server1" but allow "server1.domain.tld")
  • Reject sender domains that have no DNS records
  • Check sender IP addresses against realtime blacklists.

First, make a backup of the Postfix main.cf file in case you want to revert the changes later:

cp -pf /etc/postfix/main.cf /etc/postfix/main.cf.bak

Then execute this command to enable the additional spam protection functions (the command is one line!).

postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination'

Then restart postfix:

/etc/init.d/postfix restart
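
The backup and postconf steps above combined into one guarded script, as an added example that is not part of the original post: it refuses a value containing non-ASCII bytes (such as typographic quotes picked up when copying from a web page), drops repeated entries, and restores the backup if postconf or "postfix check" fails. The function names are hypothetical, and the list is assumed to be comma-separated as in the command above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
MAIN_CF=/etc/postfix/main.cf

# True if the value holds bytes outside printable ASCII, e.g. the UTF-8
# typographic quotes a web page can substitute for a plain apostrophe.
has_non_ascii() {
    printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}

# Split a comma-separated restriction list, trim each entry and drop
# repeats, keeping the first occurrence so the evaluation order is unchanged.
dedupe_restrictions() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' |
        awk '!seen[$0]++' | paste -sd, - | sed 's/,/, /g'
}

# Back up main.cf, write the cleaned list, and restore the backup if
# postconf or "postfix check" reports an error.
apply_restrictions() {
    value=$1
    if has_non_ascii "$value"; then
        echo "refusing: non-ASCII characters in value (pasted smart quotes?)" >&2
        return 1
    fi
    cp -pf "$MAIN_CF" "$MAIN_CF.bak" || return 1
    if postconf -e "smtpd_recipient_restrictions = $(dedupe_restrictions "$value")" &&
        postfix check; then
        return 0
    fi
    echo "configuration rejected, restoring $MAIN_CF.bak" >&2
    cp -pf "$MAIN_CF.bak" "$MAIN_CF"
    return 1
}

# Usage (as root), then restart Postfix as described above:
#   apply_restrictions 'permit_mynetworks, permit_sasl_authenticated, ...'
```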


7 Responses to “Enhanced e-mail SPAM protection in ISPConfig 3”

  1. kyle says:

    postconf: fatal: missing ‘=’ after attribute name: “???smtpd_recipient_restrictions”

    Comes up when trying above command.

    • Till says:

      This is one command. Please copy the command and execute it on the shell (e.g. with an SSH client like PuTTY) as one single line.

      • hubere says:

        Hi Till,

        I received the same error message. I changed the apostrophe chars from ‘ to ' and it was fine.

        greets
        Erik

        • Till says:

          Hi, that's a problem with our CMS system here that changes the apostrophe. I had fixed that some time ago but it seems that an update reintroduced that problem. I will take a look at this and fix it again. Thanks for the notice!

  2. Thomas says:

    Hi,
    replace the single tick with the one on your keyboard above the #.
    If copied from a browser window to a unix shell these ticks are mangled – old problem :-)
    Another good spam protection strategy looks like:

    smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        reject_unauth_destination,
        reject_rbl_client zen.spamhaus.org
    smtpd_helo_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_non_fqdn_hostname,
        reject_invalid_hostname,
        reject_rbl_client zen.spamhaus.org,
        reject_unauth_pipelining

  3. Jeff says:

    Seems that rbl-clients can be added now by the panel itself under server-config and then mail. To avoid double checks, it’s probably better to discard:

    reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net

    Another question though… why didn’t you include spamhaus.org? Any reason for this?
