Difference between revisions of "Backscatter Rejection"

From Run Your Own

Latest revision as of 10:31, 30 May 2018

Backscatter is email traffic, usually spam, that a legitimate email server generates in the form of bounced email messages. Even if you run a decently configured email server, backscatter will be a problem, especially for email servers with a large bounce attack surface, such as mailing lists.

Backscatter will get your IP blacklisted if the spam you unknowingly generate gets caught in a spam blacklist honeypot.

Note: The tweaks on this page are quite aggressive and may reject emails from legitimate but misconfigured email servers. We are OK with the collateral damage, given the headache backscatter is for a server dedicated to mailing lists. You might want to adjust these or use them carefully on a regular email server.

Postfix tweaks

  • The following entries can be added or adapted to an existing /etc/postfix/main.cf Postfix config file.
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
   permit_mynetworks,
   reject_non_fqdn_helo_hostname,
   reject_invalid_helo_hostname,
   permit

smtpd_sender_restrictions =
  permit_sasl_authenticated, permit_mynetworks,
  warn_if_reject reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_unauth_pipelining

# check_policy_service below needs third-party software, see below
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  reject_non_fqdn_sender,
  reject_unknown_reverse_client_hostname,
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  reject_unknown_sender_domain,
  reject_non_fqdn_recipient,
  reject_unauth_pipelining,
  reject_unknown_recipient_domain,
  check_policy_service unix:private/policy-spf,
  permit_mynetworks,
  reject_unauth_destination
  • For SPF policy check:
apt install postfix-policyd-spf-python
  • And then add the following at the end of your /etc/postfix/master.cf:
# SPF check
policy-spf  unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/policyd-spf
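
The SPF check only works if the socket name in main.cf matches a service defined in master.cf, and Postfix treats `#` as a comment only at the start of a line. The following is an added example, not part of the original page: a small consistency check over both files, where the function names are hypothetical and the sample configs are constructed from the entries above.

```python
import re

# Constructed sample input mirroring the page's two files (nothing is read from disk).
MAIN_CF = """\
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  check_policy_service unix:private/policy-spf,
  permit_mynetworks,
  reject_unauth_destination
"""
MASTER_CF = """\
# SPF check
policy-spf  unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/policyd-spf
"""

def logical_lines(text):
    """Join continuation lines; drop blank lines and '#' comment lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def check_policy_wiring(main_cf, master_cf):
    """Return a list of problems; an empty list means the wiring is consistent."""
    services = {}
    for line in logical_lines(master_cf):
        f = line.split()
        if len(f) >= 8:
            services[f[0]] = (f[1], f[7])  # name -> (type, command)
    problems = []
    for line in logical_lines(main_cf):
        name, _, value = line.partition("=")
        tokens = re.split(r"[,\s]+", value.strip())
        if any(t.startswith("#") for t in tokens):
            problems.append(f"{name.strip()}: inline '#' is read as a value, not a comment")
        for verb, target in zip(tokens, tokens[1:]):
            if verb == "check_policy_service" and target.startswith("unix:private/"):
                svc = target.split("/", 1)[1]
                if services.get(svc) != ("unix", "spawn"):
                    problems.append(f"{name.strip()}: no unix/spawn service '{svc}' in master.cf")
    return problems

print(check_policy_wiring(MAIN_CF, MASTER_CF))
```

To check a live server, pass the contents of /etc/postfix/main.cf and /etc/postfix/master.cf instead of the sample strings.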