I used to receive around 5,000-7,000 spam emails daily on angsuman [at] taragana [dot] com, an email address which is publicly available on the internet. Fighting spam was consuming too many productive hours every day. I decided to fight back. To reduce the spam, I first made changes to my postfix configuration with the aim of stopping most spam upfront. With 6 simple changes to my postfix configuration my spam dropped from 5,000-7,000 to a manageable 5-20 spam emails daily, often less.

Let's look at these 6 simple postfix changes in detail so you can drastically reduce your spam count too. I am consistently getting over 99% spam reduction after implementing these changes.

The changes proved to be safe and without false positives. In several weeks of manual browsing through the log file, I couldn't spot a single false positive (a case where legitimate mail is rejected).

Note: These changes do not involve (nor do they conflict with) SpamAssassin or ClamAV, which I might add later.

smtpd_helo_required = yes

The smtpd_helo_required parameter determines if clients must send a HELO (or EHLO) command at the beginning of an SMTP session.
Proper email clients use HELO to identify their server. Most spam servers don't use HELO to identify themselves; if they do, they (mostly) falsify it.

smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname, check_helo_access hash:/etc/postfix/helo_access, permit

The smtpd_helo_restrictions parameter restricts what hostnames clients may send with the HELO (EHLO) command. Much spam (UCE) software can be stopped by being strict here. The order of the restrictions is important.

permit_sasl_authenticated comes first and allows your email client (like Outlook, Thunderbird, Evolution etc.), which authenticates itself, to send email without any further checks.

permit_mynetworks also allows unauthenticated emails if they come from your network addresses. This allows, for example, your home-grown comment form / guestbook to send emails to you without further checks.

reject_invalid_hostname rejects invalid hostnames, such as those without a TLD suffix. For example, taragana is an invalid hostname; taragana.com is a valid hostname.

Note: You can also add reject_unknown_hostname. However, I found that several legitimate companies, PayPal for example, use internal hostnames which do not resolve with external DNS servers.

check_helo_access searches the named access database for the HELO hostname or parent domains and follows the rules specified there. My helo_access file includes all my domains and looks like:

mydomain.tld REJECT Get lost
mydomain2.tld REJECT Get lost


These checks reject spammers who pose as originating from one of my servers.

Note: You should compile the file with postmap, like this:
postmap /etc/postfix/helo_access
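
The first-match ordering and the helo_access parent-domain lookup described above, as a simplified model. This is an added example, not code from the original post or from Postfix; the network ranges and client addresses are constructed, and reject_invalid_hostname is left out of the model.

```python
import ipaddress

# Constructed stand-ins for $mynetworks and the compiled helo_access table.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
HELO_ACCESS = {"mydomain.tld": "REJECT Get lost",
               "mydomain2.tld": "REJECT Get lost"}

def helo_access_lookup(helo, table=HELO_ACCESS):
    """Try the HELO name, then each parent domain (mail.mydomain.tld,
    mydomain.tld, tld), mirroring the parent-domain search described above."""
    labels = helo.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        action = table.get(".".join(labels[i:]))
        if action:
            return action
    return None

def evaluate_helo(helo, client_ip, sasl_authenticated=False):
    """Walk the restriction list left to right; the first decision wins."""
    if sasl_authenticated:
        return "permit: permit_sasl_authenticated"
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in MYNETWORKS):
        return "permit: permit_mynetworks"
    # reject_invalid_hostname is left out of this model.
    action = helo_access_lookup(helo)
    if action and action.upper().startswith("REJECT"):
        return "reject: check_helo_access (" + action[6:].strip() + ")"
    return "permit: end of list"

if __name__ == "__main__":
    cases = [("mydomain.tld", "203.0.113.9", False),   # forged HELO from outside
             ("mail.mydomain.tld", "203.0.113.9", False),
             ("mydomain.tld", "203.0.113.9", True),    # my own authenticated client
             ("mydomain.tld", "192.0.2.15", False),    # my own web form
             ("mx.example.org", "203.0.113.9", False)]
    for helo, ip, auth in cases:
        print(helo, ip, auth, "->", evaluate_helo(helo, ip, auth))
```

If check_helo_access were moved ahead of the two permit entries, the authenticated client and the local web form in this model would be rejected as well.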

disable_vrfy_command = yes
The SMTP protocol allows using VRFY to verify the validity of a user on the server. Disabling VRFY takes away one more facility which is abused by spammers.

strict_rfc821_envelopes = yes
The strict_rfc821_envelopes parameter controls how tolerant Postfix is with respect to addresses given in MAIL FROM or RCPT TO commands. Being strict to the RFC not only stops unwanted mail, it may also block legitimate mail from poorly-written mail applications. However, I haven't found any false positives from this check. This appears to be safe in my experience.

smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rhsbl_client mydomain.tld, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client safe.dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client list.dsbl.org

The smtpd_client_restrictions parameter restricts which clients this system accepts SMTP connections from. First I allow, as before, emails from my mail clients (with permit_sasl_authenticated) and from my network (with permit_mynetworks).

I then reject email clients which pose as originating from my domains. In other words, it rejects the request when the client hostname is listed with an A record under one of my domains. This check may not be very useful but I still keep it.

Now comes the fun part.
I use several safe RBLs (widely regarded, and offering an easy non-paid way to de-list your site if you have been mis-classified) to check the IP addresses of email clients trying to send email. The RBLs I use are:
1. Spamcop
2. Spamhaus
3. SORBS
4. Abuseat
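
What a reject_rbl_client check does for each connecting client: reverse the IPv4 octets, append the list's zone, and look for an A record. This is an added example, not code from the original post; the client address, the canned answers and the constructed_resolver helper are constructed so it runs offline.

```python
import ipaddress
import socket

# Zones from the numbered list above.
ZONES = ["bl.spamcop.net", "zen.spamhaus.org",
         "safe.dnsbl.sorbs.net", "cbl.abuseat.org"]

def dnsbl_query_name(client_ip, zone):
    """1.2.3.4 checked against zone Z becomes the DNS name 4.3.2.1.Z"""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_status(client_ip, zone, resolve=socket.gethostbyname):
    """Return 'listed', 'not listed' or 'error' for one client on one zone."""
    try:
        answer = ipaddress.IPv4Address(resolve(dnsbl_query_name(client_ip, zone)))
    except socket.gaierror:
        return "not listed"   # no A record (or the lookup failed)
    if answer in ipaddress.ip_network("127.255.255.0/24"):
        return "error"        # Spamhaus uses 127.255.255.x for refused queries
    if answer in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "error"            # a real DNSBL only answers inside 127.0.0.0/8

def check_client(client_ip, resolve=socket.gethostbyname):
    """Status of one client address on every zone in ZONES."""
    return {zone: dnsbl_status(client_ip, zone, resolve) for zone in ZONES}

# Constructed answers so the example runs offline; drop the resolve
# argument to query the real lists.
CONSTRUCTED_ANSWERS = {
    "7.113.0.203.bl.spamcop.net": "127.0.0.2",
    "7.113.0.203.cbl.abuseat.org": "127.0.0.2",
    "7.113.0.203.zen.spamhaus.org": "127.255.255.254",
}

def constructed_resolver(name):
    if name in CONSTRUCTED_ANSWERS:
        return CONSTRUCTED_ANSWERS[name]
    raise socket.gaierror("constructed NXDOMAIN for " + name)

if __name__ == "__main__":
    print(dnsbl_query_name("203.0.113.7", "zen.spamhaus.org"))
    print(check_client("203.0.113.7", constructed_resolver))
```

Running the same lookup for a legitimate sender that was rejected shows which list to ask for de-listing.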

smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
The smtpd_sender_restrictions parameter restricts what sender addresses this system accepts in MAIL FROM commands.

reject_non_fqdn_sender rejects the request when the address in the client MAIL FROM command is not in fully-qualified domain form.

reject_unknown_sender_domain rejects the request when the sender mail address has no DNS A or MX record. This check is essential to ensure that the email isn't sent from a fictitious domain name. You would be surprised at how many spammers use this lame trick.

That concludes my 6 simple & safe (based on my tests) postfix changes to drastically reduce your spam load and relieve your postfix mail server.
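
To repeat the log review for false positives mentioned at the top without reading every line by hand, the following groups reject lines by the restriction that fired and keeps the client, sender and HELO of each for inspection. It is an added example, not part of the original post; the log lines are constructed in the Postfix smtpd "NOQUEUE: reject" format, and the host names and addresses in them are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix's "NOQUEUE: reject" log format.
SAMPLE_LOG = """\
Jan 12 03:14:07 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<x@example.net> to=<me@mydomain.tld> proto=SMTP helo=<pc-5>
Jan 12 03:15:10 mail postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <mydomain.tld>: Helo command rejected: Get lost; from=<a@example.org> to=<me@mydomain.tld> proto=ESMTP helo=<mydomain.tld>
Jan 12 03:16:00 mail postfix/smtpd[2213]: NOQUEUE: reject: RCPT from mx.example.com[198.51.100.9]: 450 4.1.8 <u@nodomain.invalid>: Sender address rejected: Domain not found; from=<u@nodomain.invalid> to=<me@mydomain.tld> proto=ESMTP helo=<mx.example.com>
Jan 12 03:16:30 mail postfix/smtpd[2214]: connect from mail.example.org[198.51.100.20]
Jan 12 03:17:42 mail postfix/smtpd[2215]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 554 5.7.1 Service unavailable; Client host [203.0.113.77] blocked using bl.spamcop.net; from=<> to=<me@mydomain.tld> proto=ESMTP helo=<localhost>
"""

REJECT = re.compile(
    r"NOQUEUE: reject: \w+ from (?P<client>\S+): (?P<code>\d{3}) \S+ "
    r"(?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<[^>]*> "
    r"proto=\S+ helo=<(?P<helo>[^>]*)>")

def classify(reason):
    """Map a reject reason to the restriction that produced it."""
    rbl = re.search(r"blocked using ([\w.-]+)", reason)
    if rbl:
        return "rbl:" + rbl.group(1)
    for label in ("Helo command rejected", "Sender address rejected"):
        if label in reason:
            return label
    return "other"

def summarise(log_text):
    """Return (count per restriction, one row per reject for manual review)."""
    counts, rows = Counter(), []
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue                      # not a reject line
        kind = classify(m.group("reason"))
        counts[kind] += 1
        rows.append((kind, m.group("code"), m.group("client"),
                     m.group("sender"), m.group("helo")))
    return counts, rows

if __name__ == "__main__":
    counts, rows = summarise(SAMPLE_LOG)
    for kind, n in counts.most_common():
        print(n, kind)
    for row in rows:
        print(row)
```

Rows whose sender or HELO belongs to an organisation you expect mail from are the ones to check by hand.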