* postfix filtering * 20030820

postfix is a mail (SMTP) server. For more information about postfix, see:
  http://www.postfix.org/
  http://www.postfix.org/uce.html

postfix is installed with packages postfix (also postfix-doc, postfix-ldap, and postfix-pcre). The main config files are /etc/postfix/main.cf (included in the config file section of this document) and /etc/postfix/master.cf (modified for RAV). postfix is reloaded with '/etc/init.d/postfix reload' (restart not required) and logs to /var/log/mail.log.

Email can be heavily filtered to reduce the number of spam messages and viruses which are delivered. For example, mail may take the following path to delivery:

  1) relay attempts are rejected (unless excepted by pop-before-smtp)
  2) attempts to send email to postmaster, abuse, or spam are accepted
  3) attempts to send email to non-existent addresses are rejected
  4) attempts to send email from locally blacklisted helo, sender addresses, and client IPs are rejected
  5) attempts from clients with invalid DNS or SMTP behavior (pipelining, forged helo) are rejected
  6) attempts from DNSBL blacklisted clients are blocked (unless whitelisted)
  7) messages are blocked by header and body content
  8) messages are passed to RAV for virus checking and then reinjected
  9) messages are passed to procmail which runs messages through spamassassin and delivers them to user maildirs

Many block rules are Perl-compatible regular expressions (PCREs). Here are a few sample PCREs; for more information about PCREs, 'man pcre' or take a look through the checks files (some of which contain useful comments at the beginning). Writing WARN rules (in the files where they are allowed, namely header_checks, body_checks, and test_*_checks) before writing REJECT rules is recommended. Additionally, do not write rules unless you understand how PCREs (or some similar ilk of regular expressions) work.
  /^abuse@.*simons-rock\.edu/        OK
  /^10\.0\.2\.15(\D|$)/              REJECT mail from the IP 10.0.2.15
  /^Subject:.*V(I|1)AGRA/            REJECT viagra, v1agra, VIAGRA, ViAgRa, etc.
  /^From: hahaha@sexyfun\.net/       REJECT snowhite virus
  /(.*){5}/                          REJECT bogus html comment obfuscation
  /THIS IS NOT SPAM/i                REJECT case-sensitive match
  /double opt(-| )?in/               REJECT opt-in, opt in, optin
  /http:\/\/\S*\.biz\//              WARN .biz URL might be spam

Always 'tail /var/log/mail.warn' after writing new rules to check for errors.

I have used the following DNSBLs (when operational):
  sbl.spamhaus.org
  spews.relays.osirusoft.com
  cbl.abuseat.org
  proxies.blackholes.easynet.nl
  proxies.relays.monkeys.com
  relays.ordb.org
  opm.blitzed.org

To remove a DNSBL (for instance, if it is under DDoS), remove (do not comment out!) the appropriate line in /etc/postfix/main.cf and run '/etc/init.d/postfix reload'.

/var/log/mail.log can be used for identifying rejected messages ('grep reject') and warnings ('grep warning'). A number of scripts have been written to aid in the parsing of log files, including _pflog-weekly (requires pflogsumm) and _spamcounter, both of which run from cron.

It is important to pay attention to the mail logs so as to prevent filtering false positives. If a false positive is reported, check /var/log/mail.log to determine the reason the message was rejected. If it was blocked using a DNSBL, whitelist it by adding an exception (by IP, host name, or domain) to /etc/postfix/rbl_client_exceptions. Other reject reasons may contain the word 'body' or 'header', in which case the rules to modify are in body_checks and header_checks respectively. Other rules may be in the other _checks files. grep for the reject reason in the appropriate file, and then identify the line which appears to correspond with the specific block. (For example, 'grep "Misc Spam" /etc/postfix/body_checks'.)
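The header_checks/body_checks rules above are postfix pcre tables: one pattern per line, the first matching line wins, and matching is case-insensitive unless the /i flag toggles it (which is why the THIS IS NOT SPAM rule is a case-sensitive match). The following is an added example, not part of these notes or of postfix itself, that parses such a table and dry-runs it over constructed header lines so that new WARN rules can be exercised before being promoted to REJECT; the sample table is built from the intact rules above, and only the !, i and x table features are handled.

```python
import re

# Constructed sample table in postfix pcre(5) syntax, built from the
# intact rules in the notes above: /pattern/flags ACTION [text]
SAMPLE_RULES = r"""
/^abuse@.*simons-rock\.edu/ OK
/^Subject:.*V(I|1)AGRA/ REJECT viagra, v1agra, VIAGRA, ViAgRa, etc.
/^From: hahaha@sexyfun\.net/ REJECT snowhite virus
/THIS IS NOT SPAM/i REJECT case-sensitive match
/double opt(-| )?in/ REJECT opt-in, opt in, optin
/http:\/\/\S*\.biz\// WARN .biz URL might be spam
"""

# optional '!' negation, /pattern/ (escaped slashes allowed), flags, ACTION, text
RULE_RE = re.compile(r'^(!?)/((?:\\.|[^/])*)/([A-Za-z]*)\s+(\S+)\s*(.*)$')

def parse_rules(text):
    """Parse a pcre table into (negate, regex, ACTION, text) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError('unparseable rule: %s' % line)
        negate, pattern, flags, action, message = m.groups()
        # postfix pcre tables match case-insensitively by default and the
        # 'i' flag toggles that, so /THIS IS NOT SPAM/i is case-sensitive
        reflags = re.IGNORECASE
        for f in flags:
            if f == 'i':
                reflags ^= re.IGNORECASE
            elif f == 'x':
                reflags |= re.VERBOSE
            else:
                raise ValueError('flag %r not handled by this tester' % f)
        rules.append((negate == '!', re.compile(pattern, reflags),
                      action.upper(), message))
    return rules

def check_line(rules, line):
    """First matching rule wins, as in postfix; returns (ACTION, text) or None."""
    for negate, rx, action, message in rules:
        if bool(rx.search(line)) != negate:
            return action, message
    return None
```

On the server itself, 'postmap -q "Subject: ..." pcre:/etc/postfix/header_checks' gives the authoritative answer for a single line.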