I am writing this forum post under the Dedicated Hosting forum because we generally do not recommend hosting e-mail accounts on cloud servers.
We all know that spam is a significant problem on mail servers. System administrators work daily, tweaking their configurations to help stop the flow of new variants of spam. Below are some simple configuration changes that can be implemented on a Postfix install to help stop some of the flow of spam to your mailboxes.
Enabling RBL's:This is a quick and easy way to stop as much as 50% of your spam traffic. RBL's (Real-time Blackhole Lists) are basically a list of IP's of known spammers, and these lists are generally free to use. You can configure Postfix to check the IP address of the incoming message against one or more RBL's. If the IP is a match, then your server will not even permit the message sender to transmit a message. These RBL's are configured under the smtpd_recipient_restrictions parameter in the main Postfix configuration file (usually /etc/postfix/main.cf). Here is an example of a Postfix configuration that uses six different RBL's:
Once this configuration has been implemented, you will know that the configuration is working on your mail server because you will start seeing entries in your mail logs similar to the following:
Dec 17 15:58:24 mailserver postfix/smtpd: NOQUEUE: reject: RCPT from unknown[126.96.36.199]: 554 5.7.1 Service unavailable; Client host [188.8.131.52] blocked using zen.spamhaus.org
; http://www.spamhaus.org/sbl/query/SBLCSS / http://www.spamhaus.org/query/bl?ip=184.108.40.206; from=<firstname.lastname@example.org> to=<email@example.com> proto=ESMTP helo=<hse53.lif
Now if you receive 2000 spam messages a day to a particular mailbox, and this method only blocks up to 50% of these messages, you may be wondering if enabling RBL's is even worth the effort. Note that RBL's are usually used in conjunction with other spam fighting techniques, such as SpamAssasin. Since SpamAssassin can be very CPU intensive, stopping up to 50% of this mail traffic may save valuable CPU resources on your mail server.
In addition to RBL's, you can help prevent your server from relaying and receiving spam by adding some of the following configuration options under the smtpd_recipient_restrictions parameter:
reject_invalid_hostname - Reject the request when the HELO or EHLO hostname is malformed. This can potentially prevent poorly programed bots from sending spam to your server.
reject_unknown_recipient_domain - Reject the request when Postfix is not final destination for the recipient domain. This can prevent your server from being used as an open relay.
reject_unauth_pipelining - Reject the request when the client sends SMTP commands ahead of time where it is not allowed. This stops mail from bulk mail software that improperly uses ESMTP command pipelining in order to speed up deliveries.
reject_unauth_destination - This is similar to reject_unknown_recipient_domain, but this includes two conditions, one of which must be met, in order for Postfix to accept the message: 1) Postfix is mail forwarder for the domain (as defined in the relay_domains parameter) -or- 2) Postfix is the final destination for the domain
Of course there may be certain IP's or entire networks that you do not want to be filtered out from your mail server. In this case, you can add the permit_mynetworks option under smtpd_recipient_restrictions to whitelist these IP's. You will also want to ensure that these networks have been defined under the my_networks parameter earlier in the configuration file.
So given the above recommendations, here is an example of an smtpd_recipient_restrictions parameter in the main Postfix configuration file using all of the above configuration options:
You may also require additional configuration parameters under smtpd_recipient_restrictions, and you can simply add them to this list before the permit option at the end.
Note that these recommended changes to Postfix are by no means a complete solution for fighting spam. I believe that this configuration alone may be effective for stopping up to 50% of spam, but you will need additional configuration changes and software (such as SpamAssassin) for blocking additional spam traffic. There is a good Wiki on the CentOS website that shows how to install SpamAssassin along with Amavis and ClamAV (http://wiki.centos.org/HowTos/Amavisd). This article should work for RedHat based distributions.
I hope this information is useful, and I would welcome any additional recommendations to this forum post.
The Rackspace Community (“Community”) is provided “AS IS” without warranty of any kind. The information on the Community sites is created by members of the Community and is intended for reference and general discussions only. Although some of the content may contain information provided by Rackspace employees, it does not represent an assessment of a particular customer environment or an assessment of any specific compliance with laws or regulations or constitute advice. We recommend that you engage additional expertise in order to further evaluate applicable requirements for your specific environment. For customer specific support issues please contact your Rackspace Support Team.READ MORE
RACKSPACE MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, AS TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THE RACKSPACE OPEN CLOUD COMMUNITY SITE. RACKSPACE RESERVES THE RIGHT TO DISCONTINUE OR MAKE CHANGES TO ITS SERVICES OFFERINGS AND SPECIFICATIONS AT ANY TIME WITHOUT NOTICE. USERS MUST TAKE FULL RESPONSIBILITY FOR APPLICATION OF ANY SERVICES AND/OR PROCESSES MENTIONED IN ANY COMMUNITY DISCUSSIONS. EXCEPT AS SET FORTH IN RACKSPACE GENERAL TERMS AND CONDITIONS, CLOUD TERMS OF SERVICE AND/OR OTHER AGREEMENT YOU SIGN WITH RACKSPACE, RACKSPACE ASSUMES NO LIABILITY WHATSOEVER, AND DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO ITS SERVICES INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT.
ALTHOUGH PART OF THE COMMUNITY GENERATED CONTENT MAY EXPLAIN HOW RACKSPACE SERVICES MAY WORK WITH THIRD PARTY PRODUCTS, THE INFORMATION CONTAINED IN THE COMMUNITY DISCUSSIONS IS NOT DESIGNED TO WORK WITH ALL SCENARIOS. ANY USE OR CHANGES TO THIRD PARTY PRODUCTS AND/OR CONFIGURATIONS SHOULD BE MADE AT THE DISCRETION OF YOUR ADMINISTRATORS AND SUBJECT TO THE APPLICABLE TERMS AND CONDITIONS OF SUCH THIRD PARTY. EVEN THOUGH RACKSPACE EMPLOYEES MAY PARTICIPATE IN THE COMMUNITY DISCUSSIONS, RACKSPACE DOES NOT PROVIDE TECHNICAL SUPPORT FOR THIRD PARTY PRODUCTS, OTHER THAN SPECIFIED IN YOUR HOSTING SERVICES AGREEMENT YOU HAVE SIGNED WITH RACKSPACE AND RACKSPACE ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS.READ LESS