Backscatter Rejection: Difference between revisions

From Run Your Own
Jump to navigation Jump to search
No edit summary
No edit summary
Line 32: Line 32:
  policy-spf  unix  -      n      n      -      -      spawn
  policy-spf  unix  -      n      n      -      -      spawn
   user=nobody argv=/usr/bin/policyd-spf
   user=nobody argv=/usr/bin/policyd-spf
[[Category:email]]

Revision as of 17:40, 21 May 2018

Backscatter is email traffic, usually spam, that is generated by a legit email server in the form of bounced email messages. Even if you run a decently configured email server, backscatter will be a problem, specially for email servers that have a large bouncing surface attack like mailing lists.

Backscatter will get your IP to be blacklisted if the spam you unknowingly generate gets caught in a spam blacklist honeypot.

Postfix tweaks

  • The following entries can be added or adapted to an existing /etc/postfix/main.cf Postfix config file:
smtpd_sender_restrictions =
  permit_sasl_authenticated, permit_mynetworks,
  warn_if_reject reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_unauth_pipelining

smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  reject_non_fqdn_sender,
  reject_unknown_reverse_client_hostname,
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  reject_unknown_sender_domain,
  reject_non_fqdn_recipient,
  reject_unauth_pipelining,
  reject_unknown_recipient_domain,
  check_policy_service unix:private/policy-spf   # you need third party software, see below
  permit_mynetworks,
  reject_unauth_destination
  • For SPF policy check:
apt install postfix-policyd-spf-python
  • And then add the following at the end of your /etc/postfix/master.cf:
# SPF check
policy-spf  unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/policyd-spf
Retrieved from "https://things.bleu255.com/runyourown/index.php?title=Backscatter_Rejection&oldid=63"