Postfix/Miscellaneous anti-spam measures

This page lists miscellaneous anti-spam measures that can help prevent unwanted inbound mail to your postfix server.

HELO/EHLO spoofing countermeasure
First create the following file, where the IP addresses and domain names in the first three lines represent those of your own server.

We then add a  entry to the   directive in , as follows.

To put this in to action, reload postfix's configuration as follows.

Ban obviously dangerous attachment file extensions
If you are looking after windows users, you may wish to reject certain attachment file extensions.

You will then need to tell Postfix to process this file.

To put this in to action, reload postfix's configuration as follows.

Reducing information leaks
With default settings, smartly written spam bots might just figure out which policy they are running up against when they attempt to send mail and are rejected. The suggestion is therefore to change rejection codes to a single, generic code in order to confuse such bots. What impact this has on legitimate clients is something you will have to test out... apparently some people use it and it works.

To put this in to action, reload postfix's configuration as follows.

Enforce complete SMTP implementations
These checks are basic but help to weed out spam bots that have been written poorly and do not confirm to RFCs, as well as spam bots that attempt to enumerate local addresses via the SMTP  command.

To put this in to action, reload postfix's configuration as follows.

Ban failed authentication attempts
If you are using SASL to authenticate clients on whose behalf you wish to relay mail, then it is strongly recommended that you install a system such as Fail2ban that will prohibit brute force username/password enumeration. In addition, you should ensure that your password policy requires hard to guess passwords (not dictionary words, special characters included, decent minimum length, etc.)