add more client restrictions to postfix

mailsrv/assets/postfix/main.cf.part

@@ -51,18 +51,39 @@ smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 # and the common settings to enable SASL:
 smtpd_sasl_auth_enable = yes
+
+### Security ###
 # these settings apply to BOTH authenticated and unauthenticated mail
 # for security settings for only authenticated mail, use options in master.cf
 smtpd_delay_reject = yes
 smtpd_helo_required = yes
-# reject hosts with malformed identifiers
+# reject hosts with malformed HELO identifiers
-smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_reverse_client_hostname
+smtpd_helo_restrictions = 
+        permit_mynetworks, 
+        permit_sasl_authenticated, 
+        reject_invalid_helo_hostname, 
+        reject_non_fqdn_helo_hostname, 
+        reject_unknown_helo_hostname
 # reject hosts that improperly use SMTP commands
 smtpd_data_restrictions = reject_unauth_pipelining
 # reject unauthorized relay attempts
 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
 # reject blacklisted addresses
 smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/deny, permit
+# reject hosts that are likely to be spammers
+smtpd_client_restrictions = 
+        permit_mynetworks, 
+        permit_sasl_authenticated, 
+        reject_unknown_client_hostname, 
+# weaker version of reject_unknown_client_hostname
+# the strong version may cause problems with some legitimate senders (eg, Verizon)
+#        reject_unknown_reverse_client_hostname, 
+# reject clients from lists of known spammers
+#        reject_rbl_client zen.spamhaus.org,
+#        reject_rhsbl_reverse_client dbl.spamhaus.org,
+#        reject_rhsbl_helo dbl.spamhaus.org,
+#        reject_rhsbl_sender dbl.spamhaus.org,
+        permit
 
 ### Misc ###
 # whether to send "new mail" notifications to users