Mirroring http://www.wsrcc.com/spam/
[Material snipped.]
If you are looking for a good spam-filtering mailer daemon, have a look at postfix. It allows you to easily test against many more things than sendmail, and doesn't make you jump through hoops to do it. Equally important, postfix allows one to easily whitelist users, whole machines or domains for all the anti-spam tests.
Postfix is able to do an SMTP firewall with:
Like sendmail, postfix can:
I guarantee you that if you turn on all the postfix tests (even without using any blacklists) you'll see only a small fraction of your current spam levels. If you test against even just one blacklist, such as Spamcop, you'll see only a few pieces of spam squeak by per day.
The relevant bits from our /etc/postfix/ config files are here:
main.cf:
# this file assumes postfix 2.x
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_percent_hack = no
body_checks = regexp:/etc/postfix/body_checks
config_directory = /etc/postfix
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
local_recipient_maps = $alias_maps hash:/etc/postfix/user_access
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender
masquerade_domains = example.com
masquerade_exceptions = root
mydestination = /etc/postfix/local-host-names
mynetworks = 127.0.0.1/32
myorigin = $mydomain
readme_directory = /usr/share/examples/postfix
recipient_delimiter = +
sample_directory = /usr/share/examples/postfix
smtpd_helo_required = yes
# The order of these tests is very important. Don't muck with them
# until you fully understand the implications.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    check_recipient_access regexp:/etc/postfix/recipient_access,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client proxies.relays.monkeys.com,
    reject_rbl_client opm.blitzed.org,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unknown_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    check_client_access hash:/etc/postfix/client_access,
    reject_unknown_client
strict_rfc821_envelopes = yes
swap_bangpath = no
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
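Why the order warning in main.cf matters, as an added example (not part of the original page and not Postfix code): a toy model of first-decisive-result-wins evaluation, showing that moving check_sender_access ahead of reject_unauth_destination lets the `goodguy@baddomain.com OK` whitelist entry from sender_access authorize relaying. The client address, the recipient addresses, the `ourdomain.com` local domain and the simplified lookup order are assumptions made for the illustration.

```python
# Toy model (added illustration, not Postfix source) of first-match-wins
# evaluation of smtpd_recipient_restrictions.

MYNETWORKS = {"127.0.0.1"}                  # mynetworks from main.cf
LOCAL_DOMAINS = {"ourdomain.com"}           # assumed stand-in for the mydestination file
SENDER_ACCESS = {                           # subset of the page's sender_access
    "goodguy@baddomain.com": "OK",
    "nobody@": "554 Mail from nobody is always spam.",
}

def permit_mynetworks(s):
    return "permit" if s["client"] in MYNETWORKS else None

def reject_unauth_destination(s):
    domain = s["rcpt"].rsplit("@", 1)[-1].lower()
    return None if domain in LOCAL_DOMAINS else "reject"

def check_sender_access(s):
    local, _, domain = s["sender"].lower().rpartition("@")
    # Simplified lookup order (assumption): full address, domain, localpart@
    for key in (f"{local}@{domain}", domain, f"{local}@"):
        action = SENDER_ACCESS.get(key)
        if action is not None:
            return "permit" if action == "OK" else "reject"
    return None                             # no entry: keep evaluating

def evaluate(restrictions, session):
    """Return the first decisive result; falling off the end permits."""
    for restriction in restrictions:
        result = restriction(session)
        if result is not None:
            return result
    return "permit"

PAGE_ORDER = [permit_mynetworks, reject_unauth_destination, check_sender_access]
SWAPPED = [permit_mynetworks, check_sender_access, reject_unauth_destination]

# Constructed sessions: an outside client claiming a whitelisted envelope sender.
RELAY = {"client": "203.0.113.7", "sender": "goodguy@baddomain.com",
         "rcpt": "someone@elsewhere.example"}
INBOUND = dict(RELAY, rcpt="user1@ourdomain.com")

if __name__ == "__main__":
    for name, order in (("page order", PAGE_ORDER), ("swapped", SWAPPED)):
        print(name, "relay:", evaluate(order, RELAY),
              "inbound:", evaluate(order, INBOUND))
```

With the page's order the whitelist only exempts mail addressed to local recipients from the later tests; with the swapped order the envelope sender alone, which the client chooses, decides whether the server relays.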
body_checks:
/^Below is the result of your feedback form\. It was submitted by/ REJECT This looks like someone abused a mis-configured formmail.pl cgi script.
# Older versions of postfix needed to have the MIME headers duplicated
# here from header_checks. That isn't needed in 2.x.
header_checks:
/^To: friend@public\.com/ REJECT Spamware mailer detected.
# All sorts of microsoft-induced brain damage. Tell sender to cut it out.
/^Content-Disposition: attachment; *filename=.*\.(scr|pif|exe|com|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|do|hta|xl|reg|lnk|js|jse)$/ REJECT Microsoft attachments not accepted here. Please remove them and resend.
/^Content-Type: multipart\/alternative/ REJECT HTML not allowed. Microsoft Outlook users: to turn off HTML mail choose Tools -> Options -> Mail Format -> Message Format -> Plain text.
/^Content-Type: text\/html/ REJECT HTML not allowed. Microsoft Outlook users: to turn off HTML mail choose Tools -> Options -> Mail Format -> Message Format -> Plain text.
/^Content-Type: multipart\/related/ REJECT HTML not allowed. Microsoft Outlook users: to turn off HTML mail choose Tools -> Options -> Mail Format -> Message Format -> Plain text.
/^Content-Disposition: Multipart message/ REJECT HTML not allowed. Microsoft Outlook users: to turn off HTML mail choose Tools -> Options -> Mail Format -> Message Format -> Plain text.
# '?' is a regexp operator, so it is escaped to match the literal
# "=?charset?" prefix of a MIME encoded-word.
/^Subject: =\?big5\?/ REJECT Chinese encoding not allowed.
/^Subject: =\?EUC-KR\?/ REJECT Korean encoding not allowed.
/^Subject: ADV:/ REJECT Advertisements not accepted here.
/^X-Mailer: ravmd\// REJECT Antivirus software generated messages are not welcome here. Our machines all run NetBSD and do not send viruses. Your software must be misconfigured.
client_access:
# client hostnames or IP addresses go in this file
# some spammers will setup the rDNS to claim an in-addr.arpa name.
# Some resolvers fall for this trick. Nail 'em here.
in-addr.arpa 554 Spamware detected
t3direct.com.au 554 Lawsuit against Joey McNicol
# add other rejected users or domains here.
sender_access:
# sender email addresses go in this file.
# this is a very important anti-spoofing rule. You need to add your
# domain name here.
OURDOMAIN.com 550 Mail claims to be from OURDOMAIN.com yet isn't.
# lots of spam used to claim to be from public.com. The rest are just
# in case.
public.com 554 Mail from example domains not accepted.
in-addr.arpa 554 Mail from example domains not accepted.
example.com 554 Mail from example domains not accepted.
nobody@ 554 Mail from nobody is always spam.
anonymous@ 554 Mail from anonymous is always spam.
# you may also whitelist the non-spammish users that come from
# spammish domains here.
goodguy@baddomain.com OK
badguy@goodomain.com 554 Too much spam from this user.
user_access:
# add all users that should receive external mail here.
user1 OK
user2 OK
user3 OK
helo_access:
# this is a very important anti-spoofing rule. You need to add your
# domain name here.
OURDOMAIN.com 550 Sending host claims to be OURDOMAIN.com but clearly it isn't.
.OURDOMAIN.com 550 Sending host claims to be OURDOMAIN.com but clearly it isn't.
Ralf Hildebrandt's postfix site contains some very useful hints for setting it up. His setup is essentially the same as ours, so we won't bother to duplicate the rest of the configuration files here.
wolfgang@charlotte.dontspam.wsrcc.com
(Wolfgang S. Rupprecht)