Submitted by abitowhit on Thu, 12/05/2019 - 19:07
Email can be a blessing as well as a curse. Within minutes of opening port 25, like ants to a piece of candy on the ground, they will come... spam in its most grandiose form. To me, spam is the "pink eye" of the internet and at this stage of the internet game, I don't really see many people falling for its outlandish tactics. There are a few things you can do to pop some of these SMTP (Simple Mail Transfer Protocol) blackheads before they turn into a nasty pimple in your inbox.
Here are a few entries you can add to your Postfix configuration to help minimize these pink-eyed zombies.
sudo nano /etc/postfix/main.cf
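# Add a nondescript banner. No need for SMTP connections to know who you are. You can make it as threatening as you like... use the force
# Caveat: the Postfix documentation says the banner text must start with $myhostname (the SMTP protocol requires it).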
smtpd_banner = Authorized use only.
biff = no
# Require the correct helo commands and rfc conventions
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
# Set up some reject codes (554 is a permanent failure; the Postfix default for these is 450, a temporary one)
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
# perform a reverse lookup on the connections.
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_reverse_client_hostname
The last config entry seemed to really reduce spam.
Figuring that the majority of these bots are just randomly generated or compromised machines, there is (purposefully) no real DNS registration showing that they are valid.
If you check your mail logs (sudo nano /var/log/mail.log), you will see these being dropped.
postfix/smtpd[5283]: NOQUEUE: reject: RCPT from unknown[%remote_ip%]: 554 5.7.1 Client host rejected: cannot find your reverse hostname,disconnect from unknown
If you look at the log event, the connecting machine had no reverse lookup in DNS... denied. No ticky, no laundry!
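To see how much this one restriction is catching, the rejects can be tallied per client IP. The script below is an added example, not part of the original post; the function names and the sample log lines are constructed, and it assumes the reject message format shown in the log entry above.

```shell
#!/bin/sh
# Added example, not from the original post: count clients that were turned
# away by reject_unknown_reverse_client_hostname, grouped by IP address.

# Reads Postfix log lines on stdin and prints "COUNT IP", busiest first.
# Only lines with the "cannot find your reverse hostname" reply are counted;
# the IP is taken from the [brackets] after "reject: <STAGE> from".
ptr_rejects_by_ip() {
    sed -n '/cannot find your reverse hostname/s/.*reject: [A-Z]* from [^[]*\[\([^]]*\)].*/\1/p' |
        LC_ALL=C sort | uniq -c | awk '{ print $1, $2 }' |
        LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample log lines (documentation-range addresses, made-up names).
sample_log() {
    cat <<'EOF'
Dec  5 19:10:01 mx postfix/smtpd[5283]: connect from unknown[203.0.113.7]
Dec  5 19:10:02 mx postfix/smtpd[5283]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Client host rejected: cannot find your reverse hostname, [203.0.113.7]; from=<a@example.com> to=<me@example.org> proto=ESMTP helo=<x>
Dec  5 19:11:40 mx postfix/smtpd[5290]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 Client host rejected: cannot find your reverse hostname, [198.51.100.23]; from=<b@example.com> to=<me@example.org> proto=SMTP helo=<y>
Dec  5 19:12:05 mx postfix/smtpd[5291]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 554 5.7.1 <u@example.com>: Relay access denied; from=<c@example.net> to=<u@example.com> proto=ESMTP helo=<mail.example.net>
Dec  5 19:13:17 mx postfix/smtpd[5283]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Client host rejected: cannot find your reverse hostname, [203.0.113.7]; from=<a@example.com> to=<me@example.org> proto=ESMTP helo=<x>
Dec  5 19:14:52 mx postfix/smtpd[5302]: NOQUEUE: reject: RCPT from unknown[2001:db8::25]: 554 5.7.1 Client host rejected: cannot find your reverse hostname, [2001:db8::25]; from=<d@example.com> to=<me@example.org> proto=ESMTP helo=<z>
EOF
}

# Demo on the constructed sample; other reject reasons are ignored.
sample_log | ptr_rejects_by_ip
```

To run it against a live server, redirect your mail log into `ptr_rejects_by_ip` in place of the `sample_log` demo.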
While you cannot stop every attempt to send you worthless emails, you will be surprised at how much of a difference just a few settings can make.
Keep in mind, however, that performing a reverse lookup will in turn mean a few more network packets per mail transaction.