Cutting down on Postfix spam relaying

Postfix, it's used with many a LAMP stack to send out messages from a site, unfortunately it's prone to relaying many spam messages out of the box.

The below code can be easily appended to Postfix's main.cf to drastically reduce the authorization hole.

On Ubuntu you'll find the file at /etc/postfix/main.cf

smtpd_helo_required = yes
 strict_rfc821_envelopes = yes
 disable_vrfy_command = yes
 unknown_address_reject_code = 554
 unknown_hostname_reject_code = 554
 unknown_client_reject_code = 554
 smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
 smtpd_recipient_restrictions =
 check_client_access hash:/etc/postfix/helo_client_exceptions
 check_sender_access hash:/etc/postfix/sender_checks,
 reject_invalid_hostname,
 reject_non_fqdn_hostname,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 permit_mynetworks,
 reject_unauth_destination,
 reject_rbl_client cbl.abuseat.org,
 reject_rbl_client sbl-xbl.spamhaus.org,
 reject_rbl_client bl.spamcop.net,
 reject_rhsbl_sender dsn.rfc-ignorant.org,
 permit

Then restart postfix: /etc/init.d/postfix restart

A couple of other handy commands:

- Check the mail queue with mailq
- Empty the queue with postsuper -d ALL

Image credit: Flickr user "Alan Levine"

⬅️ There's more to read on the blog overview

I'm Ken Hawkins

I do web architecture, holistic design, and a bit of UX and development.
If you want to learn more about me and what I do head to the front page, or:

This site is a playground 🙈

What you're seeing was made with a combination ¹ ² of the Foundation Framework, CSS/Sass, responsive design, Gulp, Panini static site generator, Markdown and some other stuff and then hosted through Travis CI and Github pages³.

In years past I would have likely made this site with Drupal, but for smaller sites with savvy editors I've been using static site combinations to simplify maintenance.