OK BizSetup Email Server From Scratch On FreeBSD #2 - 10 Blocking Spam
We believe in data independence, and support others who want data independence.
Debian Email From Scratch version 2 finished 2025-07-30.
We are still adding to it but it all works!
################# # Blocking Spam # #################
Change your smtpd banner to provide less information about your mail service
nano /etc/postfix/main.cf
--- change this ---
smtpd_banner = $myhostname ESMTP
Reject email from hosts with invalid A Record or no PTR Record
reject_unknown_sender_domain : no MX or A Record
reject_unknown_client_hostname : no client A Record
reject_unknown_reverse_client_hostname : NO PTR IPADDRESS -> NAME
nano /etc/postfix/main.cf
--- edit at bottom of file ---
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_policy_service unix:private/policyd-spf
smtpd_sender_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unknown_sender_domain
reject_unknown_reverse_client_hostname
reject_unknown_client_hostname
# Reject invalid HELO/EHLO
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
check_helo_access hash:/etc/postfix/helo_access
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:opendkim/opendkim.sock,unix:opendmarc/opendmarc.sock
non_smtpd_milters = $smtpd_milters
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
# Pass bounces to milters so bounce messages also get DKIM signed are are not rejected
internal_mail_filter_classes = bounce
nano /etc/postfix/helo_access
# whitelist legitimate servers that don't conform to helo
optimus-webapi-prod-2.localdomain OK
va-massmail-02.rakutenmarketing.com OK
goodhost1.domain1.com OK
goodhost1.domain2.com OK
postmap /etc/postfix/helo_access
systemctl restart postfix
Enable Greylisting in Postfix
Quote from linuxbabe "As required by the SMTP protocol, any legitimate SMTP
client must be able to re-send email if delivery fails. (By default, Postfix
is configured to resend failed emails many times before it informs the sender
that the message could not be delivered.) Many spammers usually just send once
and would not retry."
apt install postgrey
systemctl enable postgrey
systemctl start postgrey
systemctl status postgrey
netstat -lnpt | grep postgrey
tcp 0 0 127.0.0.1:10023 0.0.0.0:* LISTEN 3861/postgrey --ine
tcp6 0 0 ::1:10023 :::* LISTEN 3861/postgrey --ine
Add check_policy_service inet:127.0.0.1:10023 to smtpd_recipient_restrictions
nano /etc/postfix/main.cf
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_policy_service unix:private/policyd-spf,
check_policy_service inet:127.0.0.1:10023
nano /etc/defaults/postgrey
POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=1"
POSTGREY_TEXT="4.7.1 Greylisted"
To prevent postgrey from slowing down legitimate mails, use to 2 DNS entries so the
mail server will first try the entry with priority 0 then after 1 second try the
entry with priority 10, eg a resend and less likely to be spam.
To prevent greylisting delay add 2 mx records to your DNS, like this.
MX mx.okdeb.com 0
MX mail.okdeb.com 10
systemctl restart postfix
View postgrey logs, see what is being blocked, to see if new entries need to
be added to whitelist.
journalctl -u postgrey.
Postgrey default whitelist files are located in
/etc/postgrey/whitelist_clients
/etc/postgrey/whitelist_recipients
Restart postgrey chaning postgrey whitelists
systemctl restart postgrey
Real Time Blacklists - add the after check_policy_service inet:127.0.0.1:10023
nano /usr/local/etc/postfix/main.cf
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_policy_service unix:private/policyd-spf,
check_policy_service inet:127.0.0.1:10023,
check_client_access hash:/etc/postfix/rbl_override,
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org
You can override the blacklists by adding domains to the rbl_override file.
nano /etc/postfix/rbl_override
domain1.com OK // ignore rbl for domain1.com
domain2.com OK // ignore rbl for domain2.com
postmap /etc/postfix/rbl_override
Use a Public Whitelist
nano /usr/local/etc/postfix/main.cf
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_policy_service unix:private/policyd-spf,
check_policy_service inet:127.0.0.1:10023,
check_client_access hash:/etc/postfix/rbl_override,
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
permit_dnswl_client swl.spamhaus.org,
reject_rbl_client zen.spamhaus.org
Get Postfix Log Reports
apt install pflogsumm mutt
test it
/usr/bin/journalctl --no-pager --since=yesterday -u postfix@-.service | /usr/sbin/pflogsumm -d yesterday
Setup a crontab to send a report at 12:00am.
export EDITOR /usr/bin/nano
crontab -e
5 0 * * * /usr/bin/journalctl --no-pager --since=yesterday -u postfix@-.service | /usr/sbin/pflogsumm -d yesterday | mutt -s "Postfix log summary" -- postmaster@okdeb.com
Make sure you are not an open relay
nano /usr/local/etc/postfix/main.cf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
We setup DMARC in a prevous page, make sure your 'myhostname' from postfix/main.cf
is included in /etc/opendmarc.conf as TrustedAuthservIDs, mine is mx.okdeb.com.
grep myhostname /etc/postfix/main.cf
myhostname = mx.okdeb.com
nano /etc/opendmarc.conf
TrustedAuthservIDs mx.okdeb.com
nano /etc/opendmarc/ignore.hosts
127.0.0.1
147.135.65.9
2604:2dc0:202:300::3645
::1
localhost
Dont DKIM check your own hosts
nano /etc/opendkim/trustedhosts
127.0.0.1
::1
localhost
15.204.113.148
2604:2dc0:202:300::3645
mx.okdeb.com
mx.coragarden.com
mail.okdeb.com
mail.coragarden.com
okdeb.com
coragarden.com
systemctl restart opendkim opendmarc postfix dovecot
Check everything works
If everything works, back it up.