A couple of weeks ago I decided to move roedie.nl over to our company webserver. Right after that I transferred the MX records for roedie.nl to the same server. The server wasn't, and actually still isn't, running any anti-spam software like amavis or SpamAssassin. I knew I was asking for lots of spam this way, but I was also curious how much spam I would get without filtering.
So, 24 hours after updating my MX records it was hell in my mailbox. I received tons of spam, and it was getting hard to find real mail among it. I trained Thunderbird for a couple of days and then all the junk was gone. But I didn't like the solution: by the time the mail client filters it, the server has already accepted and delivered the spam, so you still generate traffic on the internet, and I don't want that.
Pissed off, I wanted to install amavisd-new, SpamAssassin, ClamAV and the whole lot. But that didn't seem right either: you put a lot of load on the server just to scan every e-mail for spam after you have already accepted it. Greylisting doesn't feel very good either. It's a great way to get rid of spam, and it works; I've been using it on some servers for our customers. But the problem with greylisting is that you also create more load on the mail servers that do try to send you legitimate mail, and some servers are very, very slow at retrying, so that mail gets delayed.
Then I started to look into my Postfix configuration. What could I do to reject spam during the SMTP envelope, before the client even gets to send the message data? I knew there is stuff like SORBS, but I had stopped using it because a couple of years ago it gave me problems with false listings. While reading lots of documentation I hit the following:
main.cf:
smtpd_helo_required = yes
This makes sure (as you could probably guess) that every client has to identify itself with HELO or EHLO before it may send MAIL FROM. On its own this doesn't really help, of course: a spam bot will happily send some HELO. It matters because the HELO checks below only have something to look at when a HELO was actually sent; without smtpd_helo_required a client can skip them simply by not saying HELO at all. So, when also using:
main.cf:
smtpd_recipient_restrictions =
permit_mynetworks,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_invalid_hostname,
reject_unauth_destination,
permit
Suddenly half of my spam got rejected, simply because the sending hosts did not give a fully qualified domain name in their HELO. Note that these are rejections at the SMTP envelope stage, not bounces: the message body is never transferred, which is exactly the traffic saving I was after. (reject_non_fqdn_hostname and reject_invalid_hostname are the old names of reject_non_fqdn_helo_hostname and reject_invalid_helo_hostname; Postfix 2.3 and later still accept the old spelling.) I've tested it for some days, but still enough spam was getting through.
Then I looked up some RBLs and changed my main.cf to the following. Two things to note about the order: reject_unauth_destination comes before the reject_rbl_client entries, so relaying attempts are refused without paying for a DNS lookup, and each RBL entry costs one DNS query per client connection. Also, a DNSBL that has been abandoned may stop answering, which is harmless, or start listing every address, which rejects all your mail (relays.ordb.org did exactly that after it was shut down), so check that each zone is still operated before relying on it. disable_vrfy_command = yes has nothing to do with the RBLs; it just stops spammers from using VRFY to find out which addresses exist:
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions =
permit_mynetworks,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_invalid_hostname,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client relays.ordb.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client xbl.spamhaus.org,
permit
This blocks *almost* all my spam. Not all. Some investigation showed that the spam I was still receiving came in through my backup MX: spammers deliberately deliver to the backup, which accepts the mail without these checks and then forwards it to the primary, where the connecting client is the backup and not the spammer, so the HELO and RBL checks never see the original sender. Damn, smart bastards, those spammers. This was simply resolved by using another backup MX which is under my control, as opposed to the previous one, so the same restrictions can be applied there.
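To make the order of evaluation concrete, here is a small Python model of how Postfix walks the smtpd_recipient_restrictions list from the main.cf above. It is an added example, not code from the original post or from Postfix itself: the networks, the DNSBL answers, the backup MX at 203.0.113.50 and the SMTP sessions are all constructed, and the hostname check is a simplified version of Postfix's valid_hostname(). It shows that the first restriction with an opinion decides, that relaying attempts and bad HELOs are refused before any DNSBL lookup is made, and that mail arriving via a backup MX is judged on the backup's address rather than the spammer's.

```python
import ipaddress
import re

# --- constructed configuration, mirroring main.cf in the post (not real data) --
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
MYDESTINATION = {"roedie.nl"}                    # domains delivered locally
RELAY_DOMAINS = set()                            # domains relayed for: none
DNSBL_ZONES = ["dnsbl.sorbs.net", "sbl.spamhaus.org"]
# Stand-in for the DNS answers a real reject_rbl_client lookup would get:
# zone -> client addresses that are listed (constructed for this example).
FAKE_DNSBL = {"dnsbl.sorbs.net": set(), "sbl.spamhaus.org": {"198.51.100.7"}}

# RFC 952/1123 label: letters, digits and inner hyphens, 1..63 characters.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def valid_hostname(name):
    """Simplified Postfix valid_hostname(): valid labels, at most 255 chars,
    and a top-level label that is not all digits (a bare IP is not a hostname)."""
    labels = name.split(".")
    return (0 < len(name) <= 255 and all(LABEL.match(l) for l in labels)
            and not labels[-1].isdigit())

def is_address_literal(name):
    """HELO of the form [a.b.c.d], which the RFC also allows."""
    if not (name.startswith("[") and name.endswith("]")):
        return False
    try:
        ipaddress.ip_address(name[1:-1])
    except ValueError:
        return False
    return True

def is_fqdn(name):
    """Fully qualified: a valid hostname containing a dot, or an address literal."""
    return is_address_literal(name) or (valid_hostname(name) and "." in name)

def domain_of(address):
    """Domain part of an envelope address; '' for the null sender <>."""
    return address.rpartition("@")[2] if "@" in address else ""

# --- the restrictions; each returns a verdict string or None (no opinion) -----
def permit_mynetworks(s, queries):
    if any(ipaddress.ip_address(s["client"]) in net for net in MYNETWORKS):
        return "PERMIT"

def reject_non_fqdn_hostname(s, queries):
    if not is_fqdn(s["helo"]):
        return "REJECT 504 Helo command rejected: need fully-qualified hostname"

def reject_non_fqdn_sender(s, queries):
    if s["sender"] and not is_fqdn(domain_of(s["sender"])):   # <> is exempt
        return "REJECT 504 Sender address rejected: need fully-qualified address"

def reject_non_fqdn_recipient(s, queries):
    if not is_fqdn(domain_of(s["rcpt"])):
        return "REJECT 504 Recipient address rejected: need fully-qualified address"

def reject_invalid_hostname(s, queries):
    if not (is_address_literal(s["helo"]) or valid_hostname(s["helo"])):
        return "REJECT 501 Helo command rejected: Invalid name"

def reject_unauth_destination(s, queries):
    d = domain_of(s["rcpt"]).lower()
    if d in MYDESTINATION or any(d == r or d.endswith("." + r) for r in RELAY_DOMAINS):
        return None
    return "REJECT 554 Relay access denied"

def reject_rbl_client(zone):
    """Build one reject_rbl_client restriction for a DNSBL zone."""
    def check(s, queries):
        # DNSBLs are queried as <reversed IPv4 octets>.<zone>
        query = ".".join(reversed(s["client"].split("."))) + "." + zone
        queries.append(query)            # record the DNS lookup this would cost
        if s["client"] in FAKE_DNSBL.get(zone, ()):
            return "REJECT 554 Client host [%s] blocked using %s" % (s["client"], zone)
    return check

RESTRICTIONS = [permit_mynetworks, reject_non_fqdn_hostname, reject_non_fqdn_sender,
                reject_non_fqdn_recipient, reject_invalid_hostname,
                reject_unauth_destination] + [reject_rbl_client(z) for z in DNSBL_ZONES]

def evaluate(session, restrictions=RESTRICTIONS):
    """Walk the list in order at RCPT TO time (smtpd_delay_reject = yes, the default);
    the first restriction with an opinion decides. Returns the verdict and the
    DNSBL queries made along the way."""
    queries = []
    for restriction in restrictions:
        verdict = restriction(session, queries)
        if verdict:
            return verdict, queries
    return "PERMIT", queries                     # the trailing 'permit' in main.cf

# Constructed SMTP sessions: client IP, HELO name, MAIL FROM, RCPT TO.
SESSIONS = {
    "bare helo":     {"client": "203.0.113.9", "helo": "laptop", "sender": "a@example.com", "rcpt": "ro@roedie.nl"},
    "relay attempt": {"client": "203.0.113.9", "helo": "mx.example.com", "sender": "a@example.com", "rcpt": "x@example.net"},
    "listed client": {"client": "198.51.100.7", "helo": "mx.example.org", "sender": "a@example.org", "rcpt": "ro@roedie.nl"},
    "bounce":        {"client": "203.0.113.9", "helo": "mx.example.com", "sender": "", "rcpt": "ro@roedie.nl"},
    # The "listed client" spam again, but handed to a hypothetical backup MX at
    # 203.0.113.50 that forwards it: the primary now only sees the backup.
    "via backup mx": {"client": "203.0.113.50", "helo": "backup.roedie.nl", "sender": "a@example.org", "rcpt": "ro@roedie.nl"},
}

if __name__ == "__main__":
    for name, session in SESSIONS.items():
        verdict, queries = evaluate(session)
        print("%-14s %-65s dns lookups: %d" % (name, verdict, len(queries)))
```

Running it prints one line per session: the bare HELO and the relay attempt are refused with zero DNS lookups, the listed client is refused by sbl.spamhaus.org after two lookups, the null-sender bounce is permitted, and the copy that came via the backup MX is permitted because the only address the primary can check is 203.0.113.50.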
I will test the above config to see if there are any disadvantages to using it. I already discovered that there are IP blocks listed in SORBS as dynamic ranges, which is not true. Also, there's no virus scanning.
I'm not sure if I will have a lot of problems with this, but we'll see.