Postfix/Miscellaneous anti-spam measures

From Gentoo Wiki
Jump to: navigation, search

This page lists miscellaneous anti-spam measures that can help prevent unwanted inbound mail to your postfix server.

HELO/EHLO spoofing countermeasure

Note
The following technique was altered from Howtoforge.

First create the following file, where the IP addresses and domain names in the first three lines represent those of your own server.

FILE /etc/postfix/helo.regexpDefine abnormal HELO/EHLO patterns
/^myhost\.mydomain\.tld$/          550 Rejected
/^xxx\.yyy\.zzz\.xxx$/             550 Rejected
/^\[xxx\.yyy\.zzz\.xxx\]$/         550 Rejected
/^[0-9.]+$/                        550 Rejected
/^[0-9]+(\.[0-9]+){3}$/            550 Rejected

We then add a regexp:/etc/postfix/helo.regexp entry to the smtpd_helo_restrictions directive in main.cf, as follows.

FILE /etc/postfix/main.cfEnforce HELO or EHLO formats
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit

To put this in to action, reload postfix's configuration as follows.

root #/etc/init.d/postfix reload

Ban obviously dangerous attachment file extensions

Note
This technique was lifted from Debian Administration.

If you are looking after windows users, you may wish to reject certain attachment file extensions.

Note
The following example includes zip files, this is something you may wish to remove.
FILE /etc/postfix/mime_header_checks.regexpDefine dangerous attachment file extensions
/filename=\"?(.*)\.(bat|chm|cmd|com|cpl|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl|zip)\"?$/
   REJECT Attachment type banned.
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(lnk|cpl|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/
      REJECT File "$2" attachment type "$3" banned.
Note
The list above probably needs updating; Windows no doubt has even more dangerously executable extensions these days. If you find any new ones, please contribute them here.

You will then need to tell Postfix to process this file.

FILE /etc/postfix/main.cfBan dangerous attachment file extensions
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp

To put this in to action, reload postfix's configuration as follows.

root #/etc/init.d/postfix reload

Reducing information leaks

Note
The following technique was lifted from Howtoforge.

With default settings, smartly written spam bots might just figure out which policy they are running up against when they attempt to send mail and are rejected. The suggestion is therefore to change rejection codes to a single, generic code in order to confuse such bots. What impact this has on legitimate clients is something you will have to test out... apparently some people use it and it works.

FILE /etc/postfix/main.cfGenericize SMTP rejection
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

To put this in to action, reload postfix's configuration as follows.

root #/etc/init.d/postfix reload

Enforce complete SMTP implementations

These checks are basic but help to weed out spam bots that have been written poorly and do not confirm to RFCs, as well as spam bots that attempt to enumerate local addresses via the SMTP VRFY command.

FILE /etc/postfix/main.cfEnforce complete SMTP implementations
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes

To put this in to action, reload postfix's configuration as follows.

root #/etc/init.d/postfix reload

Ban failed authentication attempts

If you are using SASL to authenticate clients on whose behalf you wish to relay mail, then it is strongly recommende that you install a system such as Fail2ban that will prohibit brute force username/password enumeration. In addition, you should ensure that your password policy requires hard to guess passwords (not dictionary words, special characters included, decent minimum length, etc.)