Backscatter Rejection: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
Line 4: | Line 4: | ||
== Postfix tweaks == | == Postfix tweaks == | ||
The following entries can be added or adapted to an existing <code>/etc/postfix/main.cf</code> Postfix config file: | * The following entries can be added or adapted to an existing <code>/etc/postfix/main.cf</code> Postfix config file: | ||
smtpd_sender_restrictions = | smtpd_sender_restrictions = | ||
Line 22: | Line 22: | ||
reject_unauth_pipelining, | reject_unauth_pipelining, | ||
reject_unknown_recipient_domain, | reject_unknown_recipient_domain, | ||
check_policy_service unix:private/policy-spf | check_policy_service unix:private/policy-spf # you need third party software, see below | ||
permit_mynetworks, | permit_mynetworks, | ||
reject_unauth_destination | reject_unauth_destination | ||
* For SPF policy check: | |||
apt install postfix-policyd-spf-python | |||
* And then add the following at the end of your <code>/etc/postfix/master.cf</code>: | |||
# SPF check | |||
policy-spf unix - n n - - spawn | |||
user=nobody argv=/usr/bin/policyd-spf |
Revision as of 17:40, 21 May 2018
Backscatter is email traffic, usually spam, that is generated by a legit email server in the form of bounced email messages. Even if you run a decently configured email server, backscatter will be a problem, specially for email servers that have a large bouncing surface attack like mailing lists.
Backscatter will get your IP to be blacklisted if the spam you unknowingly generate gets caught in a spam blacklist honeypot.
Postfix tweaks
- The following entries can be added or adapted to an existing
/etc/postfix/main.cf
Postfix config file:
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining smtpd_recipient_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_reverse_client_hostname, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unauth_pipelining, reject_unknown_recipient_domain, check_policy_service unix:private/policy-spf # you need third party software, see below permit_mynetworks, reject_unauth_destination
- For SPF policy check:
apt install postfix-policyd-spf-python
- And then add the following at the end of your
/etc/postfix/master.cf
:
# SPF check policy-spf unix - n n - - spawn user=nobody argv=/usr/bin/policyd-spf