configuring an email server is no magic
i don’t use any spam blocking software… and got about 8 catchall addresses… and there are only about 10 spam mails a month that are able to walk through my wall of fail2ban + greylisting + some other options in postfix…
for example:
smtpd_helo_required = yes

smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/rbl_whitelist,
    check_recipient_access hash:/etc/postfix/rec-blacklist,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client combined.njabl.org,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    check_policy_service inet:127.0.0.1:10023

smtpd_sender_restrictions = permit_mynetworks,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_unknown_helo_hostname,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain

smtpd_client_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_client_hostname

those three lines refer to locally stored black and white lists (files need to be converted with the postmap command):
check_client_access hash:/etc/postfix/rbl_whitelist,
check_recipient_access hash:/etc/postfix/rec-blacklist,
check_sender_access hash:/etc/postfix/sender_access,
this refers to postgrey as my greylisting solution: check_policy_service inet:127.0.0.1:10023
i know, this is a very restrictive mailserver solution… but well… i don’t need any other anti-spam solution…
in fail2ban jail.local i use those settings (besides other standard-settings):
bantime = 432000
maxretry = 3
my used jails are: ssh, postfix, couriersmtp, courierauth and sasl
in my fail2ban/filter.d/postfix.conf i added and changed these regex lines to match my logfiles:
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 <\S+>: Helo command rejected: Host not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S+>$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 <\S+>: Recipient address rejected: BiteMe; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
so… now there is no need for mandrillapp to prevent spam
just give it a try!
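
An added example, not part of the original comment: a small Python check that runs the three failregex lines above over constructed Postfix log lines and lists the clients that reach maxretry = 3. The `HOST` and `PREFIX` patterns are simplified stand-ins for fail2ban's own `<HOST>` and `%(__prefix_line)s` expansions, and fail2ban's findtime window is not modelled.

```python
import re
from collections import Counter

# Simplified stand-ins (assumptions, not fail2ban's exact expansions).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"   # <HOST>, IPv4 only
PREFIX = r"\S+ postfix/smtpd\[\d+\]: "         # %(__prefix_line)s
TIMESTAMP = re.compile(r"^\w{3}\s+\d+ \d{2}:\d{2}:\d{2} ")
MAXRETRY = 3                                   # value from the jail.local above

FAILREGEX = [
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$",
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 <\S+>: Helo command rejected: Host not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S+>$",
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 <\S+>: Recipient address rejected: BiteMe; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$",
]

def compile_filters(lines):
    """Expand the two fail2ban placeholders and compile each filter line."""
    return [re.compile(l.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))
            for l in lines]

def failures(log_lines):
    """Count filter hits per client IP; a line counts at most once."""
    filters = compile_filters(FAILREGEX)
    hits = Counter()
    for line in log_lines:
        body = TIMESTAMP.sub("", line)         # match on the line without its timestamp
        for rx in filters:
            m = rx.search(body)
            if m:
                hits[m.group("host")] += 1
                break
    return hits

def banned(log_lines):
    """Clients whose hit count reaches MAXRETRY."""
    return sorted(ip for ip, n in failures(log_lines).items() if n >= MAXRETRY)

# Constructed sample log lines (documentation IP ranges and example domains).
SAMPLE_LOG = [
    "Mar  3 10:15:01 mx postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [203.0.113.7]; from=<a@example.net> to=<info@example.org> proto=ESMTP helo=<mail.example.net>",
    "Mar  3 10:15:09 mx postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.1 <nohost.invalid>: Helo command rejected: Host not found; from=<a@example.net> to=<info@example.org> proto=ESMTP helo=<nohost.invalid>",
    "Mar  3 10:15:20 mx postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <trap@example.org>: Recipient address rejected: BiteMe; from=<> to=<trap@example.org> proto=ESMTP helo=<x>",
    "Mar  3 10:16:02 mx postfix/smtpd[2340]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.44]; from=<c@example.com> to=<info@example.org> proto=ESMTP helo=<c.example.com>",
    "Mar  3 10:17:30 mx postfix/smtpd[2351]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.20]: 450 4.2.0 <info@example.org>: Recipient address rejected: Greylisted; from=<b@example.com> to=<info@example.org> proto=ESMTP helo=<mail.example.com>",
]

if __name__ == "__main__":
    print(dict(failures(SAMPLE_LOG)), banned(SAMPLE_LOG))
```

The greylisting rejection in the last sample line matches none of the three patterns, so a legitimate sender that is only being greylisted does not accumulate failures toward a ban.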