6 Simple & Safe Postfix Changes for Over 95% Spam Reduction
I used to receive around 5,000-7,000 spams daily on my angsuman [at] taragana [dot] com email address, which is publicly available on the internet. It was consuming too many productive hours daily to fight spam. I decided to fight back. To reduce the spam I first made changes to my Postfix configuration with the aim of stopping most spam upfront. With 6 simple changes to my Postfix configuration my spams dropped from 5,000-7,000 to a manageable 5-20 spams daily, often less. Let's look at these 6 simple Postfix changes in detail so you can drastically reduce your spam count too. I am consistently getting over 99% spam reduction after implementing these changes.
The changes proved to be safe and without false positives. In several weeks of manual browsing through the log file, I couldn't spot a single false positive (a case where legitimate mail is rejected).
Note: These changes do not involve (nor do they conflict with) SpamAssassin or ClamAV, which I might add later.
smtpd_helo_required = yes
The smtpd_helo_required parameter determines whether clients must send a HELO (or EHLO) command at the beginning of an SMTP session.
Proper email clients use HELO to identify their server. Most spam servers don't use HELO to identify themselves; if they do, they (mostly) falsify it.
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname, check_helo_access hash:/etc/postfix/helo_access, permit
The smtpd_helo_restrictions parameter restricts what hostnames clients may send with the HELO (EHLO) command. Much spam (UCE) software can be stopped by being strict here. The order of the restrictions is important.
permit_sasl_authenticated first allows your email client (like Outlook, Thunderbird, Evolution etc.), which authenticates itself, to send email without any further checks.
permit_mynetworks allows sending unauthenticated emails too, if they come from your network addresses. This allows, for example, your home-grown comment form / guestbook to send emails to you without further checks.
reject_invalid_hostname rejects invalid hostnames, such as those without a TLD suffix. For example taragana is an invalid hostname, taragana.com is a valid hostname.
Note: You can also add reject_unknown_hostname. However I found that several legitimate companies, PayPal for example, use internal hostnames which do not resolve with external DNS servers.
check_helo_access searches the named access database for the HELO hostname or parent domains and follows the rules specified there. My helo_access file includes all my domains and looks like:
mydomain.tld REJECT Get lost
mydomain2.tld REJECT Get lost
…
These checks reject spammers who pretend to originate from one of my servers.
Note: You should compile the file with postmap like:
postmap /etc/postfix/helo_access
disable_vrfy_command = yes
The SMTP protocol allows using VRFY to verify the validity of a user on the server. Disabling VRFY takes away one more facility which is abused by spammers.
strict_rfc821_envelopes = yes
The strict_rfc821_envelopes parameter controls how tolerant Postfix is with respect to addresses given in MAIL FROM or RCPT TO commands. Being strict to the RFC not only stops unwanted mail, it may also block legitimate mail from poorly-written mail applications. However I haven't found any false positive from this check. This appears to be safe in my experience.
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rhsbl_client mydomain.tld, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client safe.dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client list.dsbl.org
The smtpd_client_restrictions parameter restricts which clients this system accepts SMTP connections from. First I allow, as before, emails from my mail clients (with permit_sasl_authenticated) and from my network (with permit_mynetworks).
I then reject email clients which pretend to originate from my domains. In other words it rejects the request when the client hostname is listed with an A record under one of my domains. This check may not be very useful but I still keep it.
Now comes the fun part.
I use several safe RBLs (widely regarded, and offering an easy non-paid way to de-list your site if you have been mis-classified) to check the IP addresses of email clients trying to send email. The RBLs I use are:
1. Spamcop
2. Spamhaus
3. SORBS
4. Abuseat
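What a reject_rbl_client check amounts to on the wire, as an added example that is not part of the original article or of Postfix: the client IP is reversed, prepended to the blocklist zone and resolved as an A record. The function names, the injectable resolver and the constructed answer table are assumptions of this example.

```python
import ipaddress
import socket

# Zones copied from the reject_rbl_client entries listed above.
ZONES = ["bl.spamcop.net", "zen.spamhaus.org",
         "safe.dnsbl.sorbs.net", "cbl.abuseat.org"]
LISTING_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip, zone):
    """Name looked up for client_ip: reversed IPv4 octets (or reversed
    IPv6 hex nibbles) prepended to the blocklist zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")
    else:
        labels = list(ip.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def system_resolver(name):
    """A records for name via the system resolver; [] when it does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def listed_in(client_ip, zones=ZONES, resolver=system_resolver):
    """Return {zone: answers} for each zone that lists client_ip.

    This example counts any answer inside 127.0.0.0/8 as a listing and
    drops anything else; each list documents its own return codes.
    """
    hits = {}
    for zone in zones:
        answers = [a for a in resolver(dnsbl_query_name(client_ip, zone))
                   if ipaddress.ip_address(a) in LISTING_NET]
        if answers:
            hits[zone] = answers
    return hits


# Constructed answers so the demo runs offline (hypothetical listing).
CONSTRUCTED = {"5.113.0.203.zen.spamhaus.org": ["127.0.0.4"]}

if __name__ == "__main__":
    print(dnsbl_query_name("203.0.113.5", "zen.spamhaus.org"))
    print(listed_in("203.0.113.5", resolver=lambda n: CONSTRUCTED.get(n, [])))
```

Running listed_in against a legitimate correspondent's sending IP is a quick way to explain a rejection you did not expect.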
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
The smtpd_sender_restrictions parameter restricts what sender addresses this system accepts in MAIL FROM commands.
reject_non_fqdn_sender rejects the request when the address in the client MAIL FROM command is not in fully-qualified domain form.
reject_unknown_sender_domain rejects the request when the sender mail address has no DNS A or MX record. This check is essential to ensure that the email isn't sent from a fictitious domain name. You would be surprised at how many spammers use this lame trick.
That concludes my 6 simple & safe (based on my tests) Postfix changes to drastically reduce your spam load and relieve your Postfix mail server.
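The manual log review for false positives mentioned at the top can be narrowed down with a small script, shown here as an added example that is not part of the original article. It groups smtpd reject lines by the restriction that fired and collects the rejected sender domains for a human to scan; the sample lines are constructed in the style of Postfix reject messages, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Postfix smtpd reject lines (not real traffic).
SAMPLE_LOG = """\
Mar  3 04:12:01 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<a@spam.example> to=<me@mydomain.tld> proto=ESMTP helo=<mail.spam.example>
Mar  3 04:12:09 mail postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <mydomain.tld>: Helo command rejected: Get lost; from=<b@spam.example> to=<me@mydomain.tld> proto=SMTP helo=<mydomain.tld>
Mar  3 04:13:30 mail postfix/smtpd[2213]: NOQUEUE: reject: RCPT from host.example.net[192.0.2.44]: 450 4.1.8 <c@nodomain.invalid>: Sender address rejected: Domain not found; from=<c@nodomain.invalid> to=<me@mydomain.tld> proto=ESMTP helo=<host.example.net>
Mar  3 04:14:02 mail postfix/smtpd[2214]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using bl.spamcop.net; from=<d@spam.example> to=<me@mydomain.tld> proto=ESMTP helo=<x>
Mar  3 04:15:00 mail postfix/smtpd[2215]: connect from unknown[203.0.113.9]
"""

REJECT = re.compile(
    r"NOQUEUE: reject: \w+ from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def classify(reason):
    """Map a reject reason to the kind of restriction that produced it."""
    m = re.search(r"blocked using ([^\s;]+)", reason)
    if m:
        return "rbl:" + m.group(1)
    for marker, label in (("Helo command rejected", "helo"),
                          ("Sender address rejected", "sender"),
                          ("Client host rejected", "client")):
        if marker in reason:
            return label
    return "other"


def summarize(lines):
    """Group rejects by rule; keep sender domains and client IPs for review."""
    out = defaultdict(lambda: {"count": 0, "senders": set(), "clients": set()})
    for line in lines:
        m = REJECT.search(line)
        if not m:
            continue  # not a reject line
        entry = out[classify(m["reason"])]
        entry["count"] += 1
        # An empty envelope sender (bounce) is recorded as "<>".
        entry["senders"].add(m["sender"].rpartition("@")[2].lower() or "<>")
        entry["clients"].add(m["ip"])
    return dict(out)


if __name__ == "__main__":
    for rule, e in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{rule:24} {e['count']:3}  senders={sorted(e['senders'])}")
```

A sender domain you recognise as a real correspondent in any group is the candidate false positive to look up in the full log.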