Mirroring http://www.wsrcc.com/spam/

Welcome to the WSRCC Spam Fighting Page

[Material snipped.]

Comparison of postfix to sendmail

If you are looking for a good spam-filtering mailer daemon have a look at postfix. It allows you to easily test against many more things than sendmail, and doesn't make you jump though hoops to do it. Equally important is that postfix allows one to easily whitelist users, whole machines or domains for all the anti-spam tests.

Postfix is able to do an SMTP firewall with:

• anti-spoofing. Do not accept mail from "outside" that claims to be from "inside."
• blacklist certain accounts (root, operator, bin, ntpd, etc.) from external mail while allowing mail from internal sources.
• whitelist all spam filtering based on sender-name, destination-name, sending-host etc. This whitelist extends to all blacklist tests. (In sendmail one needs to test against the whitelist in each filtering section separately. It is often difficult to test against the whitelist from inside the various blacklist tests. In postfix a single test against the whitelist is done near the top of the filter rules which will cause the blacklist tests to be bypassed entirely. The whole thing is much more firewall-like. )
• Postfix can test against and refuse mail based on junk in the HELO.
• Postfix can easily test the quantities against regexp's lists or hash/dbm tables. (Unlike sendmail where testing against regexp's requires a table per regexp tested.)
• Postfix can reject "user unkown" messages at the SMTP level or bounce.
• Postfix can print out the DNS-blacklist TXT record, giving a very nice detailed explanation for why something was filtered.
• Postfix can test against any header, body, envelope, helo quantity with regexp's or hash tables.

Like sendmail, postfix can:

• reject spam at the SMTP level
• test against any number of DNS blacklists,
• use local hash/dbm table
• can ignore "line-noise" routing symbols (!%@@:)

I guarentee you that if you turn on all the postfix tests (even without using any blacklists) you'll only see a small fraction of your current levels. If you test against even just one blacklist, such as Spamcop, you'll see only a few pieces of spam squeak by per day.

The relevant bits from our /etc/postfix/ config files are here:

main.cf:

# this file assumes postfix 2.x
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_percent_hack = no
body_checks = regexp:/etc/postfix/body_checks
config_directory = /etc/postfix
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
local_recipient_maps = $alias_maps hash:/etc/postfix/user_access
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender
masquerade_domains = example.com
masquerade_exceptions = root
mydestination = /etc/postfix/local-host-names
mynetworks = 127.0.0.1/32
myorigin = $mydomain
readme_directory = /usr/share/examples/postfix
recipient_delimiter = +
sample_directory = /usr/share/examples/postfix
smtpd_helo_required = yes
# The order of these tests is very important.  Don't muck with them 
# until you fully understand the implications.
smtpd_recipient_restrictions = permit_mynetworks,   
    reject_unauth_destination,  
    check_sender_access hash:/etc/postfix/sender_access,    
    check_recipient_access regexp:/etc/postfix/recipient_access,    
    check_helo_access hash:/etc/postfix/helo_access,    
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client proxies.relays.monkeys.com,
    reject_rbl_client opm.blitzed.org,
    reject_invalid_hostname,    
    reject_non_fqdn_hostname,   
    reject_unknown_hostname,    
    reject_non_fqdn_sender, 
    reject_unknown_sender_domain,   
    reject_non_fqdn_recipient,  
    reject_unknown_recipient_domain,    
    reject_unauth_pipelining,   
    check_client_access hash:/etc/postfix/client_access,    
    reject_unknown_client
strict_rfc821_envelopes = yes
swap_bangpath = no
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554

body_checks:

/^Below is the result of your feedback form\.  It was submitted by/
    REJECT This looks like someone abused a mis-configured formmail.pl cgi script.
# Older versions of postfix needed to have the MIME headers duplicated
# here from header_checks.  That isn't needed in 2.x.

header_checks:

/^To: friend@public\.com/
     REJECT Spamware mailer detected.
# All sorts of microsoft-induced brain damage.  Tell sender to cut it out.
/^Content-Disposition: attachment; *filename=.*\.(scr|pif|exe|com|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|do|hta|xl|reg|lnk|js|jse)$/
    REJECT Microsoft attachments not accepted here.  Please remove them and resend.

/^Content-Type: multipart\/alternative/
    REJECT HTML not allowed.  Microsoft Outlook users: to turn off HTML mail choose Tools -> Options -> Mail Format -> Message Format -> Plain text.
/^Content-Type: text\/html/
    REJECT HTML not allowed.  Microsoft Outlook users: to turn off HTML mail choose Tools -> Options -> Mail Format -> Message Format -> Plain text.
/^Content-Type: multipart\/related/
     REJECT HTML not allowed.  Microsoft Outlook users: to turn off HTML mail choose Tools -> Options -> Mail Format -> Message Format -> Plain text.
/^Content-Disposition: Multipart message/
     REJECT HTML not allowed.  Microsoft Outlook users: to turn off HTML mail choose Tools -> Options -> Mail Format -> Message Format -> Plain text.
/^Subject: =?big5?/             
    REJECT Chinese encoding not allowed.
/^Subject: =?EUC-KR?/               
    REJECT Korean encoding not allowed.
/^Subject: ADV:/
     REJECT Advertisements not accepted here.
/^X-Mailer: ravmd\//
     REJECT Antivirus software generated messages are not welcome here.  Our machines all run NetBSD and do not send viruses.  Your software must be misconfigured.

client_access:

# client hostnames or IP addresses go in this file
# some spammers will setup the rDNS to claim an in-addr.arpa name.
# Some resolvers fall for this trick.  Nail 'em here.
in-addr.arpa        554 Spamware detected
t3direct.com.au     554 Lawsuit against Joey McNicol
# add other rejected users or domains here.

sender_access:

# sender email addresses go in this file.
# this is a very important anti-spoofing rule.  You need to add your
# domain name here.
OURDOMAIN.com           550 Mail claims to be from OURDOMAIN.com yet isn't.
# lots of spam used to claim to be from public.com.  The rest are just
# in case.
public.com      554 Mail from example domains not accepted.
in-addr.arpa        554 Mail from example domains not accepted.
example.com     554 Mail from example domains not accepted.
nobody@             554 Mail from nobody is always spam.
anonymous@      554 Mail from anonymous is always spam.
# you may also whitelist the non-spammish users that come from
# spammish domains here.
goodguy@baddomain.com   OK
badguy@goodomain.com    554 Too much spam from this user.

user_access:

# add all users that should receive external mail here.
user1     OK
user2     OK
user3     OK

helo_access:

# this is a very important anti-spoofing rule.  You need to add your
# domain name here.
OURDOMAIN.com   550 Sending host claims to be OURDOMAIN.com but clearly it isn't.
.OURDOMAIN.com  550 Sending host claims to be OURDOMAIN.com but clearly it isn't.

Ralf Hildebrandt postfix site contains some very useful hits for setting it up. His setup is essentially the same as ours so we won't bother to duplicate the rest of the configuration files here.

wolfgang@charlotte.dontspam.wsrcc.com (Wolfgang S. Rupprecht)
last updated $Date: 2003/10/29 08:07:02 $