add more client restrictions to postfix

Added destination blacklisting using .deny files in aliases.d
removed recipient restrictions (if we want them, will add with spamassassin)
2 changed files with 24 additions and 7 deletions
--- a/mailsrv/assets/bin/mkvirt
+++ b/mailsrv/assets/bin/mkvirt
@ -15,10 +15,13 @@ cat /vol/data/users | cut -d':' -f1 | perl -pe 's/(.*)/\1 ./' > /etc/postfix/use
 postmap /etc/postfix/users

 ### Aliases ###
-# copy aliases to postifx config
+# copy aliases to postfix config
 cd /etc/postfix
 cat /vol/data/aliases.d/*.list > aliases
 postmap aliases
+# copy blacklist to postfix config
+cat /vol/data/aliases.d/*.deny > deny
+postmap deny

 ### Reload ###
 postfix reload
--- a/mailsrv/assets/postfix/main.cf.part
+++ b/mailsrv/assets/postfix/main.cf.part
@ -51,20 +51,34 @@ smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 # and the common settings to enable SASL:
 smtpd_sasl_auth_enable = yes
+
+### Security ###
 # these settings apply to BOTH authenticated and unauthenticated mail
 # for security settings for only authenticated mail, use options in master.cf
 smtpd_delay_reject = yes
 smtpd_helo_required = yes
-# reject hosts with malformed identifiers
-smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_reverse_client_hostname
+# reject hosts with malformed HELO identifiers
+smtpd_helo_restrictions = 
+        permit_mynetworks, 
+        permit_sasl_authenticated, 
+        reject_invalid_helo_hostname, 
+        reject_non_fqdn_helo_hostname, 
+        reject_unknown_helo_hostname
 # reject hosts that improperly use SMTP commands
 smtpd_data_restrictions = reject_unauth_pipelining
 # reject unauthorized relay attempts
 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
-# reject mail from IPs listed in spam list
-smtpd_recipient_restrictions =
-        permit_mynetworks,
-        permit_sasl_authenticated,
+# reject blacklisted addresses
+smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/deny, permit
+# reject hosts that are likely to be spammers
+smtpd_client_restrictions = 
+        permit_mynetworks, 
+        permit_sasl_authenticated, 
+        reject_unknown_client_hostname, 
+# weaker version of reject_unknown_client_hostname
+# the strong version may cause problems with some legitimate senders (eg, Verizon)
+#        reject_unknown_reverse_client_hostname, 
+# reject clients from lists of known spammers
 #        reject_rbl_client zen.spamhaus.org,
 #        reject_rhsbl_reverse_client dbl.spamhaus.org,
 #        reject_rhsbl_helo dbl.spamhaus.org,
Author	SHA1	Message	Date
Mar Alegre	b00c608744	add more client restrictions to postfix	1 year ago
Mar Alegre	a3f4698d4f	Added destination blacklisting using .deny files in aliases.d	4 years ago
Mar Alegre	6d3189afd1	removed recipient restrictions (if we want them, will add with spamassassin)	4 years ago