Backscatter Rejection

Backscatter is email traffic, usually spam, that a legitimate email server generates in the form of bounce messages. Even a decently configured email server will have a backscatter problem, especially one with a large bounce attack surface, such as a mailing-list server.

Backscatter will get your IP blacklisted if the spam you unknowingly generate gets caught in a spam blacklist honeypot.

Note: The tweaks on this page are quite aggressive and may reject email from legitimate but misconfigured email servers. We are OK with the collateral damage given the headache backscatter is to deal with on a server dedicated to mailing lists. Adjust them or use them carefully on a regular email server.

Postfix tweaks
 * The following entries can be added or adapted to an existing Postfix config file.

smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    warn_if_reject reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_reverse_client_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unauth_pipelining,
    reject_unknown_recipient_domain,
    # you need third party software, see below
    # (Postfix only treats "#" as a comment at the start of a line, so this note sits on its own line)
    check_policy_service unix:private/policy-spf,
    permit_mynetworks,
    reject_unauth_destination

 * 1) SPF check
 * For SPF policy check:

apt install postfix-policyd-spf-python

 * And then add the following at the end of your :

policy-spf unix  -       n       n       -       -       spawn
    user=nobody argv=/usr/bin/policyd-spf
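
To judge whether the restrictions above are working, the Postfix mail log can be tallied for bounces the server still sends out versus mail it refuses during the SMTP session. The following Python script is an added example, not part of the original page: the log lines are constructed, the function name `backscatter_report` is hypothetical, and it assumes the usual Postfix syslog line layout.

```python
import re
from collections import Counter

# Constructed sample of Postfix syslog lines (hosts, queue IDs and addresses are made up).
SAMPLE_LOG = """\
Mar  3 10:00:02 lists postfix/qmgr[900]: 4A1B2C3D: from=<forged@victim.example>, size=2048, nrcpt=1 (queue active)
Mar  3 10:00:03 lists postfix/local[2105]: 4A1B2C3D: to=<nolist@lists.example>, relay=local, delay=1, status=bounced (unknown user)
Mar  3 10:00:03 lists postfix/bounce[2106]: 4A1B2C3D: sender non-delivery notification: 5E6F7A8B
Mar  3 10:00:04 lists postfix/qmgr[900]: 5E6F7A8B: from=<>, size=4096, nrcpt=1 (queue active)
Mar  3 10:00:05 lists postfix/smtp[2107]: 5E6F7A8B: to=<forged@victim.example>, relay=mx.victim.example[198.51.100.9]:25, delay=1, status=sent (250 ok)
Mar  3 10:00:09 lists postfix/qmgr[900]: 9C0D1E2F: from=<list-bounces@lists.example>, size=900, nrcpt=1 (queue active)
Mar  3 10:00:10 lists postfix/smtp[2108]: 9C0D1E2F: to=<member@subscriber.example>, relay=mx.subscriber.example[198.51.100.20]:25, delay=1, status=sent (250 ok)
Mar  3 10:01:00 lists postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[203.0.113.8]: 504 5.5.2 <foo>: Helo command rejected: need fully-qualified hostname; from=<x@spam.example> to=<list@lists.example> proto=ESMTP helo=<foo>
"""

BOUNCE_RE = re.compile(r"postfix/bounce\[\d+\]: (\w+): sender non-delivery notification: (\w+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
SENT_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<([^>]+)>.*status=sent")
REJECT_RE = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject:")

def backscatter_report(log_text):
    """Count SMTP-time rejections and bounce notifications delivered off-host, per domain."""
    senders = {}   # queue ID -> envelope sender
    notices = {}   # queue ID of the bounce message -> queue ID of the mail that bounced
    report = {"rejected_at_smtp": 0, "bounces_sent": Counter()}
    for line in log_text.splitlines():
        if REJECT_RE.search(line):
            # Refused during the SMTP session: no bounce is generated later.
            report["rejected_at_smtp"] += 1
        elif m := BOUNCE_RE.search(line):
            notices[m.group(2)] = m.group(1)
        elif m := FROM_RE.search(line):
            senders[m.group(1)] = m.group(2)
        elif m := SENT_RE.search(line):
            qid, rcpt = m.groups()
            # A null-sender message created by bounce(8) and relayed out is backscatter
            # whenever the original envelope sender was forged.
            if qid in notices and senders.get(qid) == "":
                report["bounces_sent"][rcpt.rsplit("@", 1)[-1].lower()] += 1
    return report

if __name__ == "__main__":
    result = backscatter_report(SAMPLE_LOG)
    print("rejected at SMTP time:", result["rejected_at_smtp"])
    print("bounces sent, by recipient domain:", dict(result["bounces_sent"]))
```

Run against the real mail log before and after the change, a falling `bounces_sent` count alongside a rising `rejected_at_smtp` count indicates the restrictions are turning would-be bounces into SMTP-time rejections.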