The command below enables a stricter SPAM handling for postfix on ISPConfig 3 servers.

In Detail:

  • Reject sender hostnames with invalid syntax
  • Reject sender hostnames that are no fully qualified domains (e.g. reject "server1" but allow server1.domain.tld)
  • Reject sender domains that have no DNS records
  • Check sender IP addresses against realtime blacklists.

First make a backup of the postfix main.cf file in case that you want to reverse the changes later:

cp -pf /etc/postfix/main.cf /etc/postfix/main.cf.bak

Then execute this command to enable the additional spam protection functions (the command is one line!).

postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination'

Then restart postfix:

/etc/init.d/postfix restart

Enhanced e-mail SPAM protection in ISPConfig 3
Tagged on:     

10 thoughts on “Enhanced e-mail SPAM protection in ISPConfig 3

  • kyle
    Permalink

    postconf: fatal: missing ‘=’ after attribute name: “???smtpd_recipient_restrictions”

    Comes up when trying above command.

    Reply
    • TillPost author
      Permalink

      This is one command. Please copy the command and execute it on the shell (e.g. with a ssh client like putty) as one single line.

      Reply
      • hubere
        Permalink

        Hi Till,

        I received the same error message. I changed the apostrophe chars from ‘ to ‘ and it was fine

        greets
        Erik

        Reply
        • TillPost author
          Permalink

          Hi, thats a problem with our cms system here that changes the apostrophe. I had fixed that some time ago but it seems that a update reintroduced that problem. I will take a look at this and fix it again. Thanks for the notice!

          Reply
  • Thomas
    Permalink

    Hi,
    replace the single tick with the one on your keyboard above the #.
    If copied from a browser window to a unix shell these ticks are mangled – old problem 🙂
    Another good spamprotection strategy looks like:

    smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org
    smtpd_helo_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_rbl_client zen.spamhaus.org,
    reject_unauth_pipelining

    Reply
  • Jeff
    Permalink

    Seems that rbi-clients can be added now by the panel itself under server-config and then mail. To avoid double checks, it’s probably better to discard:

    reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net

    Another question though… why didn’t you include spamhaus.org? Any reason for this?

    Reply
  • brnad
    Permalink

    Excellent

    I had problem with spam, but after adding this command into postfix configuration, spam is rejected 🙂
    this should be default config for ispconfig and/or postfix

    tnx Till

    Reply
  • phil
    Permalink

    I did this but I am still getting known connections from the ip address why?

    Then execute this command to enable the additional spam protection functions (the command is one line!).

    postconf -e ‘smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination’

    Then restart postfix:

    Reply
  • Tapio Lehtonen
    Permalink

    There are no dates on the FAQ entries and no dates in the comments. I’m pondering if the FAQ is still relevant. For example this entry has a comment about present ISPConfig having a setting for using RTBL in the panel, so maybe that is an easier way to do this?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

CAPTCHA

*