The command below enables stricter spam handling for Postfix on ISPConfig 3 servers.
In detail:
- Reject sender hostnames with invalid syntax
- Reject sender hostnames that are not fully qualified domain names (e.g. reject "server1" but allow server1.domain.tld)
- Reject sender domains that have no DNS records
- Check sender IP addresses against realtime blacklists.
First make a backup of the Postfix main.cf file in case you want to revert the changes later:
cp -pf /etc/postfix/main.cf /etc/postfix/main.cf.bak
Then execute this command to enable the additional spam protection functions (the command is one line!).
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination'
Then restart postfix:
/etc/init.d/postfix restart
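A pre-flight check for the one-line command above, as an added example that is not part of the original FAQ: it detects typographic quotes that a browser or CMS can substitute into a copied command, restores ASCII quotes, and lists restrictions that appear more than once. The function names and the comma-only splitting are assumptions of this example; the sample is the page's command with typographic quotes, constructed inline.

```shell
#!/bin/sh
# Added example (not from the original FAQ): checks to run on a pasted
# postconf command line before executing it.

# UTF-8 bytes of the typographic quotes U+2018, U+2019, U+201C, U+201D.
LSQ=$(printf '\342\200\230'); RSQ=$(printf '\342\200\231')
LDQ=$(printf '\342\200\234'); RDQ=$(printf '\342\200\235')

# Succeeds if the argument contains a typographic quote.
has_typographic_quotes() {
    case $1 in
        *"$LSQ"*|*"$RSQ"*|*"$LDQ"*|*"$RDQ"*) return 0 ;;
    esac
    return 1
}

# Print the argument with typographic quotes replaced by ASCII quotes.
normalize_quotes() {
    printf '%s\n' "$1" |
        sed -e "s/$LSQ/'/g" -e "s/$RSQ/'/g" -e "s/$LDQ/\"/g" -e "s/$RDQ/\"/g"
}

# Print one restriction per line. Assumption: entries are separated by
# commas, as in the page's command.
list_restrictions() {
    normalize_quotes "$1" |
        sed -e 's/^[^=]*=//' -e "s/['\"][[:space:]]*\$//" |
        tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Print restrictions that are listed more than once (the repeat is redundant).
duplicate_restrictions() {
    list_restrictions "$1" | sort | uniq -d
}

# Constructed sample: the page's command as it arrives with mangled quotes.
SAMPLE="postconf -e ${LSQ}smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination${RSQ}"

if has_typographic_quotes "$SAMPLE"; then
    echo "Typographic quotes found. Corrected command:"
    normalize_quotes "$SAMPLE"
fi
echo "Listed more than once:"
duplicate_restrictions "$SAMPLE"
```

After running the corrected command, postconf smtpd_recipient_restrictions prints the value Postfix has actually stored.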
postconf: fatal: missing ‘=’ after attribute name: “???smtpd_recipient_restrictions”
Comes up when trying above command.
This is one command. Please copy the command and execute it on the shell (e.g. with an SSH client like PuTTY) as one single line.
Hi Till,
I received the same error message. I changed the apostrophe chars from ‘ to ' and it was fine
greets
Erik
Hi, that's a problem with our CMS system here that changes the apostrophe. I had fixed that some time ago but it seems that an update reintroduced that problem. I will take a look at this and fix it again. Thanks for the notice!
Hi,
replace the single tick with the one on your keyboard above the #.
If copied from a browser window to a unix shell these ticks are mangled – old problem 🙂
Another good spam protection strategy looks like:
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org
smtpd_helo_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_rbl_client zen.spamhaus.org,
    reject_unauth_pipelining
Seems that rbl-clients can be added now by the panel itself under server-config and then mail. To avoid double checks, it’s probably better to discard:
reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net
Another question though… why didn’t you include spamhaus.org? Any reason for this?
Does this tweak work with this other tweak: http://www.faqforge.com/linux/controlpanels/ispconfig3/how-to-disable-spamfilter-and-antivirus-functions-in-ispconfig-3/ ?
Thanks.
Excellent
I had a problem with spam, but after adding this command to the postfix configuration, spam is rejected 🙂
This should be the default config for ispconfig and/or postfix
tnx Till
I did this, but I am still getting known connections from the IP address. Why?
Then execute this command to enable the additional spam protection functions (the command is one line!).
postconf -e ‘smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination’
Then restart postfix:
There are no dates on the FAQ entries and no dates in the comments. I’m pondering if the FAQ is still relevant. For example this entry has a comment about present ISPConfig having a setting for using RTBL in the panel, so maybe that is an easier way to do this?