How can I add stronger Postfix restrictions so that the bulk of spam is rejected at the SMTPD level before it gets processed by Amavis?

Warden 3.0 allows you to set stronger Postfix restrictions so that the bulk of spam is rejected at the SMTPD level before it gets processed by Amavis (this will help with server load).

  • To apply the recommended SMTPD restrictions go to Warden -> Settings -> Mail Server Settings and press the Default button.
  • To remove the recommended SMTPD restrictions (only if you have trouble) go to Warden -> Settings -> Mail server Settings and press the Clear button.
  • Admins can whitelist clients from these restrictions under Warden -> Settings-> Mail Server Access.
  • Many of these restrictions use DNS queries to determine if the connecting client has proper DNS records that a legitimate mail server would have in place so make sure that your DNS is functioning properly before you enable these restrictions.
  • The recommended restrictions should work for the majority of users as they are not strictest that can be applied and have been tested on large volume mail servers.
  • Detailed information about all available restrictions can be found here.
  • Detailed information about mail server access controls can be found here.

What Restrictions are Applied?

Default Restrictions (Before)

These default options are located in the postfix configuration file /etc/postfix/main.cf

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Stronger Restrictions (After pressing the default button)

Note: The smtpd_client_restrictions option might have reject_rbl_client entries added if you enabled DNSBLs under Tools & Settings -> Mail Server Settings -> DNS zones for DNSBL service so Warden will just add the reject_unknown_reverse_client_hostname entry after the reject_rbl_client entries.

smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_reverse_client_hostname
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_recipient_domain
smtpd_data_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining

Note: SMTPD restrictions options are processed from left to right so ordering is important. The permit_mynetworks option is an important boundry between clients on your internal network and clients outside. Options that appear before permit_mynetworks apply to both internal and external clients while those after permit_mynetworks apply to external clients only.

Reject Log

Mail rejected by these restrictions will be listed under Warden -> Logs -> Reject log. Admins can use the message dropdown to search for specific messages.

smtpd_client_restrictions - will be logged with the message: Client host rejected
smtpd_helo_restrictions - will be logged with the message: Helo command rejected
smtpd_sender_restrictions - will be logged with the message: Sender address rejected
smtpd_recipient_restrictions - will be logged with the message: Recipient address rejected
smtpd_data_restrictions - will be logged with the message: Data command rejected

Reject Log

Restrictions Explained

smtpd_delay_reject - Wait until the RCPT TO command before evaluating restrictions. This should always be enabled because some clients mis-behave when the Postfix SMTP server rejects commands before RCPT TO. It also allows Postfix to log recipient address information when rejecting a client name/address or sender address, so that it is possible to find out whose mail is being rejected.
smtpd_helo_required - Require that a remote SMTP client introduces itself with the HELO or EHLO command before sending the MAIL command or other commands that require EHLO negotiation. This is required when using smtpd_helo_restrictions otherwise clients would be able to bypass those restrictions.  

smtpd_client_restrictions

reject_unknown_reverse_client_hostname - Reject the request when the client IP address has no address->name mapping. This is a weaker restriction than reject_unknown_client_hostname, which requires not only that the address->name and name->address mappings exist, but also that the two mappings reproduce the client IP address. The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name or name->address lookup failed due to a temporary problem.

smtpd_helo_restrictions

reject_invalid_helo_hostname - Reject the request when the HELO or EHLO hostname is malformed. The invalid_hostname_reject_code parameter specifies the response code for rejected requests (default: 501). 

smtpd_sender_restrictions

reject_unknown_sender_domain - Reject the request when Postfix is not the final destination for the sender address, and the MAIL FROM domain has 1) no DNS MX and no DNS A record or 2) a malformed MX record such as a record with a zero-length MX hostname. The reply is specified with the unknown_address_reject_code parameter (default: 450), unknown_address_tempfail_action (default: defer_if_permit), or 550 (nullmx, Postfix 3.0 and later).

smtpd_recipient_restrictions

reject_unknown_recipient_domain - Reject the request when Postfix is not final destination for the recipient domain, and the RCPT TO domain has 1) no DNS MX and no DNS A record or 2) a malformed MX record such as a record with a zero-length MX hostname. The reply is specified with the unknown_address_reject_code parameter (default: 450), unknown_address_tempfail_action (default: defer_if_permit), or 550 (nullmx, Postfix 3.0 and later).

smtpd_data_restrictions

reject_unauth_pipelining - Reject the request when the client sends SMTP commands ahead of time where it is not allowed, or when the client sends SMTP commands ahead of time without knowing that Postfix actually supports ESMTP command pipelining. This stops mail from bulk mail software that improperly uses ESMTP command pipelining in order to speed up deliveries.

  • postmap, restrictions
  • 1 Users Found This Useful
Was this answer helpful?

Related Articles

How do I fix the error: Mysql Server has gone away?

When looking at the mail log of the server you see this log entry from Amavis: Aug 3 01:00:20...

What changes does Warden make to the postfix configuration files to enable Amavis?

Important Warden will configure postfix differently depending if you selected to install the...

How hard is it to uninstall if I do not require Warden Anti-spam and Virus Protection any more?

Uninstalling Warden is as easy as going to Extensions -> My Extensions -> Warden Anti-spam...

How can I fix the error: host 127.0.0.1[127.0.0.1] said: 552 5.3.4 Declared message size (1208029 B) exceeds size limit for recipient?

You can set the message size limit for Amavis under Settings -> Policy Settings -> Misc...

How do I fix the error: Unit is masked. when trying to start SpamAssassin?

You should not try to start the SpamAssassin service. Warden disables (masks) the SpamAssassin...