Recently one of my clients shifted from Plesk to ISPConfig, and I was asked to setup ISPConfig control panel on it. We followed an ISPConfig How-to from howtoforge.com . The installation was (almost) a breeze. Migration from plesk to ISPConfig was quite painful. But anyway, we did it.
Later when the system went live and remained in production for more than a week, we noticed that there is a lot of spam coming in. The postfix mail server needed some additional armor. I wanted some important checks, such as helo, RBL and SPF. Below is how I added that extra level of protection.
First, I want to thank and acknowledge the authors of following web pages, which helped me in achieving this:
For SPF, I downloaded the postfix-SPF (module/plugin) from http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz , and installed it as following:
tar xzf postfix-policyd-spf-perl-2.007.tar.gz
cp postfix-policyd-spf-perl-2.007/postfix-policyd-spf-perl /usr/libexec/postfix/
chmod +x /usr/libexec/postfix/postfix-policyd-spf-perl
Then I had to add the following text (it is one /single long line) to bottom of /etc/postfix/master.cf :-
spfpolicy unix – n n – 0 spawn user=nobody argv=/usr/libexec/postfix/postfix-policyd-spf-perl
- You can use Tabs instead of spaces in the line above. Refer to INSTALL file which comes with the tarball.
- The INSTALL file uses the word policy, instead of spfpolicy, as shown here. It does not matter. Whatever you choose to use, make sure that you use the same in master.cf and main.cf files.
I then edited my /etc/postfix/main.cf file and added the following text. The text below contains SPF checks, RBL checks, invalid helo checks, invalid host-name checks, etc.
. . .
(Change the following line:)
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, permit
Note: The line above is single line.
(Then add the following text:)
policy_time_limit = 3600smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_policy_service unix:private/spfpolicy, permit
Note: smtpd_* lines shown above are individual long single lines. (Tip: smtpd_* till permit is one line.)
After you save this file, restart postfix service :
service postfix restart