Backscatter is email traffic, usually spam, that is generated by a legitimate email server in the form of bounced email messages. Even if you run a decently configured email server, backscatter will be a problem, especially for email servers that have a large bounce attack surface, like mailing lists.
Backscatter will get your IP blacklisted if the spam you unknowingly generate gets caught in a spam blacklist honeypot.
Note: The tweaks on this page are quite aggressive and may reject emails from legitimate but misconfigured email servers. We are OK with the collateral damage, given the headache backscatter is to deal with on a server dedicated to mailing lists. You might want to adjust these or use them carefully on a regular email server.
- The following entries can be added or adapted to an existing /etc/postfix/main.cf Postfix config file.

    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
        permit_mynetworks,
        reject_non_fqdn_helo_hostname,
        reject_invalid_helo_hostname,
        permit
    smtpd_sender_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        warn_if_reject reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_unauth_pipelining
    smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_reverse_client_hostname,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_unknown_sender_domain,
        reject_non_fqdn_recipient,
        reject_unauth_pipelining,
        reject_unknown_recipient_domain,
        # you need third party software, see below
        check_policy_service unix:private/policy-spf,
        permit_mynetworks,
        reject_unauth_destination
- For the SPF policy check:

    apt install postfix-policyd-spf-python
- And then add the following at the end of your

    # SPF check
    policy-spf  unix  -       n       n       -       -       spawn
        user=nobody argv=/usr/bin/policyd-spf
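
An added example, not part of the original page or of Postfix: a small Python linter that catches two mistakes these settings invite, a trailing `#` note inside a restriction list and a `check_policy_service unix:private/...` entry with no matching service definition in master.cf. The function names are hypothetical and the sample configs are constructed; both files are passed in as strings.

```python
import re

def logical_lines(text):
    """Join physical lines the way Postfix reads main.cf/master.cf: blank lines and
    lines whose first non-blank character is '#' are skipped (even inside a
    multi-line value); a line starting with whitespace continues the previous one."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def lint(main_cf, master_cf):
    """Return findings for trailing comments and undefined policy services."""
    services = {line.split()[0] for line in logical_lines(master_cf)}
    findings = []
    for line in logical_lines(main_cf):
        name, _, value = (part.strip() for part in line.partition("="))
        # Heuristic: Postfix has no trailing comments, so a '#' here is value text.
        if "#" in value:
            findings.append(f"{name}: '#' inside value is read as part of the value")
        for svc in re.findall(r"check_policy_service\s+unix:private/([\w.-]+)", value):
            if svc not in services:
                findings.append(f"{name}: policy service '{svc}' is not defined in master.cf")
    return findings

# Constructed sample input, not taken from a real server.
BAD_MAIN = """\
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    check_policy_service unix:private/policy-spf # trailing note
    permit_mynetworks,
    reject_unauth_destination
"""
GOOD_MAIN = BAD_MAIN.replace(" # trailing note", ",\n    # full-line note")
BAD_MASTER = "smtp  inet  n  -  y  -  -  smtpd\n"
GOOD_MASTER = BAD_MASTER + ("# SPF check\npolicy-spf  unix  -  n  n  -  -  spawn\n"
                            "  user=nobody argv=/usr/bin/policyd-spf\n")

if __name__ == "__main__":
    for finding in lint(BAD_MAIN, BAD_MASTER):
        print("FINDING:", finding)
    print("clean config findings:", lint(GOOD_MAIN, GOOD_MASTER))
```

On a live server, `postconf -n` and `postfix check` report what Postfix itself parsed; the linter is only a pre-deployment check on the files.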