Hardening Postfix For ISPConfig 3

Author: Jesús Córdoba
Email: j.cordoba [at] gmx [dot] net
Forum user: pititis eval(ez_write_tag([[250,250],’howtoforge_com-box-3′,’ezslot_2′,106,’0′,’0′]));

Version: 1.2

The goal of this tutorial is to harden the mail server postfix used by ISPConfig for internet mail servers where authenticated users are trusted. With this setup you will reject a great amount of spam before it passes into your mail queue, saving a lot of system resources and making your mail server strong against spammers and spam botnets.
Let’s go.


Reverse DNS, (DNS PTR Record)

To set up rdns you will find two situations:

– Your ISP allows to you change it yourself. Take a look in your control panel.

– Your ISP doesn’t allow to you change it. Just send an email with your request.

Ask or point your rdns record to your server. i.e server.example.com
You can check your rdns with the command host:

[email protected] / #  host
  69.64- domain name pointer pub2.kernel.org.

Remember dns must propagate the changes.


SPF For Your Domain (DNS TXT Record)

SPF is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses.

To set up spf you will need to add a TXT record to your dns zone but first you can generate your record here: http://www.mailradar.com/spf/

Copy the spf result, then go to ISPConfig -> dns -> zones ->click on your domain name -> click on records tab -> and click on TXT

Hostname -> example.com. (with dot at the end!)

Text -> Paste here the spf result (without ” “).

Example: v=spf1 a mx ptr ip4:11.222.333.444 -all       
…and click on Save.

Remember dns must propagate the changes.


Postfix main.cf

Let’s add/change something to /etc/postfix/main.cf

Helo restrictions:

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname

Helo restrinctions in action:

Jan 12 01:57:08 server postfix/smtpd[4687]: NOQUEUE: reject: RCPT from unknown[]: 450 4.7.1 Client host rejected: cannot find your hostname, []; from=
<[email protected]> to=<[email protected]> proto=ESMTP helo=<[]>
Jan  8 00:32:22 server postfix/smtpd[17504]: NOQUEUE: reject: RCPT from 201-93-87-2.dial-up.telesp.net.br[]: 504 5.5.2 <lan-32204df3031>: Helo command rejected: need fully-qualified hostname; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<lan-32204df3031>

Strict rfc:

strict_rfc821_envelopes = yes

Clients restrictions:

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf

Recipient restrictions:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unknown_recipient_domain

Data restrictions:

smtpd_data_restrictions = reject_unauth_pipelining

Smtpd delay:

smtpd_delay_reject = yes

Don’t forget reload postfix:

/etc/init.d/postfix reload


SPF Check For Postfix (Debian And Ubuntu)

Intstall spf package:

apt-get install postfix-policyd-spf-python


apt-get install postfix-policyd-spf-perl

Add this to /etc/postfix/main.cf :

policy-spf_time_limit = 3600s

and add check_policy_service unix:private/policy-spf at the end of smtpd_recipient_restrictions:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, reject_unknown_recipient_domain, check_policy_service unix:private/policy-spf

Now edit master.cf and add at the end this (for the python version):

policy-spf  unix  -       n       n       -       -       spawn
     user=nobody argv=/usr/bin/policyd-spf 

or this for the perl version:

policy-spf  unix  -       n       n       -       -       spawn
     user=nobody argv=/usr/sbin/postfix-policyd-spf-perl

…reload postfix.

/etc/init.d/postfix reload

Spf check in action:Advertisement.leader-1{text-align:center; padding-top:10px !important;padding-bottom:10px !important;padding-left:0px !important;padding-right:0px !important;width:100% !important;box-sizing:border-box !important;background-color:#eeeeee !important;border: 1px solid #dfdfdf}eval(ez_write_tag([[250,250],’howtoforge_com-leader-1′,’ezslot_0′,113,’0′,’0′]));.leader-1{text-align:center; padding-top:10px !important;padding-bottom:10px !important;padding-left:0px !important;padding-right:0px !important;width:100% !important;box-sizing:border-box !important;background-color:#eeeeee !important;border: 1px solid #dfdfdf}eval(ez_write_tag([[250,250],’howtoforge_com-leader-1′,’ezslot_1′,113,’0′,’1′])); .leader-1-multi-113{border:none !important;display:block !important;float:none;line-height:0px;margin-bottom:15px !important;margin-left:0px !important;margin-right:0px !important;margin-top:15px !important;min-height:250px;min-width:250px;text-align:center !important;}

Jan  4 15:50:11 server postfix/smtpd[19096]: NOQUEUE: reject: RCPT from g230068165.adsl.alicedsl.de[]: 550 5.7.1 <[email protected]>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.org/Why?s=helo;id=paxxxxxn.com;ip=;[email protected]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=



Greylisting is a method of defending email users against spam. A mail transfer agent (MTA) using greylisting will “temporarily reject” any email from a sender it does not recognize. If the mail is legitimate the originating server will, after a delay, try again and, if sufficient time has elapsed, the email will be accepted.

Installing postgrey (Debian, Ubuntu):

apt-get install postgrey

The configuration options are in /etc/default/postgrey ( default delay is 5 min).

Edit main.cf and add check_policy_service inet: to the end of smtpd_recipient_restrictions:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, reject_unknown_recipient_domain, check_policy_service unix:private/policy-spf,check_policy_service inet:

…reload postfix:

/etc/init.d/postfix reload

Greylist in action:

Jan 10 17:38:57 server postfix/smtpd[21302]: NOQUEUE: reject: RCPT from mailout-de.gmx.net[]: 451 4.7.1 <[email protected]>: Recipient address rejected: Greylisting in effect, please come back later; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<mailout-de.gmx.net>


DNSBL (DNS Based Blacklist/Blocklist)

A DNSBL is a list of ip addresses published through the Internet Domain Name Service (DNS) either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time. DNSBLs are most often used to publish the addresses of computers or networks linked to spamming; most mail server software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists. These may include listing the addresses of zombie computers or other machines being used to send spam, listing the addresses of ISPs who willingly host spammers, or listing addresses which have sent spam to a honeypot system.
To use dnsbl with postix we use reject_rbl_client. Just add some live dns zone for queries into the main.cf file.

In my example I will use two lists with very good reputation (added to the end of smtpd_client_restrictions):

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf,  reject_rbl_client cbl.abuseat.org,  reject_rbl_client b.barracudacentral.org

rbl in action:

Jan 12 01:52:42 server postfix/smtpd[4616]: NOQUEUE: reject: RCPT from 89.pool85-49-26.dynamic.orange.es[]: 554 5.7.1 Service unavailable; Client host [] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<colossus.home>
Jan 11 20:13:58 server postfix/smtpd[29591]: NOQUEUE: reject: RCPT from 93-87-122-56.dynamic.isp.telekom.rs[]: 554 5.7.1 Service unavailable; Client host [] blocked using b.barracudacentral.org; http://www.barracudanetworks.com/reputation/?pr=1&ip=; from=
<[email protected]> to=<[email protected]> proto=ESMTP helo=


Note: This feature is available in Postfix 2.8 and up

The Postfix postscreen daemon provides additional protection against mail server overload. One postscreen process handles multiple inbound SMTP connections, and decides which clients may talk to a Postfix SMTP server process. By keeping spambots away, postscreen leaves more SMTP server processes available for legitimate clients, and delays the onset of server overload conditions.

The main challenge for postscreen is to make an is-it-a-zombie decision based on a single measurement. This is necessary because many zombies try to fly under the radar and avoid spamming the same site repeatedly. Once postscreen decides that a client is not-a-zombie, it whitelists the client temporarily to avoid further delays for legitimate mail.

We will use for this tutorial the default settings with an exception. These settings are fine for the most situations

First, we add a line to main.cf with the command:

postscreen_greet_action = enforce

Second we add postscreen and some new services to master.cf Note: These settings can already exists, just uncomment. Also be sure that the line “smtp inet … smtpd”, including any parameter is commented out (if any, parameters must be moved to the new smtpd service).

# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
# Do not forget to execute "postfix reload" after editing this file.
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       -       -       -       smtpd
#          -o ...
smtpd     pass  -       -       n       -       -       smtpd
     -o ... # Parameters moved from smtp service to the new smtpd service.(if any)
smtp      inet  n       -       n       -       1       postscreen
tlsproxy  unix  -       -       n       -       0       tlsproxy
dnsblog   unix  -       -       n       -       0       dnsblog

Now, we reload postfix:

/etc/init.d/postfix reload
About the Author

Leave a Reply