From 3e1d81910dca7ddcfaf4307503a2535a5e4fff1b Mon Sep 17 00:00:00 2001
From: Mar Alegre
Date: Sun, 28 Apr 2024 19:33:26 -0400
Subject: [PATCH] add more client restrictions to postfix
---
 mailsrv/assets/postfix/main.cf.part | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/mailsrv/assets/postfix/main.cf.part b/mailsrv/assets/postfix/main.cf.part
index 82e6522..4648cc4 100644
--- a/mailsrv/assets/postfix/main.cf.part
+++ b/mailsrv/assets/postfix/main.cf.part
@@ -51,18 +51,39 @@ smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 # and the common settings to enable SASL:
 smtpd_sasl_auth_enable = yes
+
+### Security ###
 # these settings apply to BOTH authenticated and unauthenticated mail
 # for security settings for only authenticated mail, use options in master.cf
 smtpd_delay_reject = yes
 smtpd_helo_required = yes
-# reject hosts with malformed identifiers
-smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_reverse_client_hostname
+# reject hosts with malformed HELO identifiers
+smtpd_helo_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_invalid_helo_hostname,
+ reject_non_fqdn_helo_hostname,
+ reject_unknown_helo_hostname
 # reject hosts that improperly use SMTP commands
 smtpd_data_restrictions = reject_unauth_pipelining
 # reject unauthorized relay attempts
 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
 # reject blacklisted addresses
 smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/deny, permit
+# reject hosts that are likely to be spammers
+smtpd_client_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unknown_client_hostname,
+# weaker version of reject_unknown_client_hostname
+# the strong version may cause problems with some legitimate senders (eg, Verizon)
+# reject_unknown_reverse_client_hostname,
+# reject clients from lists of known spammers
+# reject_rbl_client zen.spamhaus.org,
+# reject_rhsbl_reverse_client dbl.spamhaus.org,
+# reject_rhsbl_helo dbl.spamhaus.org,
+# reject_rhsbl_sender dbl.spamhaus.org,
+ permit
 
 ### Misc ###
 # whether to send "new mail" notifications to users
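Review bot: The comment above the disabled `reject_unknown_reverse_client_hostname` calls it the weaker check and warns that the strong version breaks legitimate senders, yet the strong check, `reject_unknown_client_hostname,`, is the one left active in the new `smtpd_client_restrictions` — it requires the client IP to resolve to a PTR name that resolves back to the same IP, while the reverse_client variant only requires that a PTR record exist. Either the two lines should be swapped (`# reject_unknown_client_hostname,` and `    reject_unknown_reverse_client_hostname,`) or the comment should record that the strict check is deliberate, e.g. `# strict forward-confirmed rDNS check; relax to the PTR-only check below if legitimate senders (eg, Verizon) are deferred`. Both checks tempfail with 450 by default (`unknown_client_reject_code`), so a mis-rejected sender is deferred rather than bounced, and affected senders appear in the mail log as "Client host rejected: cannot find your hostname" — worth watching after deploy. The new list also interleaves column-0 `#` comment lines with indented continuation lines; Postfix is documented to ignore lines whose first non-whitespace character is `#`, so the continuation should survive, but confirm the effective value with `postconf smtpd_client_restrictions` after the change.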