Lets face it spam is about the biggest evil we all face. We are using our ISPConfig3 implementation to handle around 2000 email accounts. We did host at fusemail.com and they obviously knew how to handle spam. Now that we have taken over our own email we gets complaints constantly from clients about spam. Does anyone have a hardened true way to handle spam? I am happy to share my configuration but we still have massive amounts of spam that gets through. Here is the big one. main.cf if you would like to see any others let me know. We would even be happy to use a spam service if it is reasonable. But I have to think we can tackle this on our own if we had some help. This is just a hodgepodge of stuff I have collected using google. main.cf Code: # See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP $mail_name biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = /usr/share/doc/postfix # TLS parameters smtpd_tls_cert_file = /etc/apache2/certs/SECURE.com.crt smtpd_tls_key_file = /etc/apache2/certs/SECURE.com.key smtpd_use_tls = yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination myhostname = smtp.SECURE.com alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases myorigin = /etc/mailname mydestination = smtp.SECURE.com, mail.SECURE.com, localhost, localhost.localdomain relayhost = mynetworks = 127.0.0.0/8 OURSUBNETS mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all inet_protocols = all html_directory = /usr/share/doc/postfix/html virtual_alias_domains = virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf virtual_mailbox_base = /var/vmail virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf unknown_local_recipient_reject_code = 550 sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_restriction_classes = greylisting greylisting = check_policy_service inet:127.0.0.1:10023 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/policy-spf smtpd_tls_security_level = may transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps smtpd_helo_required = yes smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf reject_unauth_destination, reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unknown_client_hostname, reject_rhsbl_client blackhole.securitysage.com, reject_rhsbl_sender blackhole.securitysage.com, reject_rbl_client sbl.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client proxies.blackholes.wirehub.net, reject_rbl_client ubl.unsubscore.com, smtpd_client_message_rate_limit = 100 strict_rfc821_envelopes = yes smtpd_data_restrictions = reject_unauth_pipelining smtpd_delay_reject = yes maildrop_destination_concurrency_limit = 1 maildrop_destination_recipient_limit = 1 virtual_transport = dovecot header_checks = regexp:/etc/postfix/header_checks mime_header_checks = regexp:/etc/postfix/mime_header_checks nested_header_checks = regexp:/etc/postfix/nested_header_checks body_checks = regexp:/etc/postfix/body_checks owner_request_special = no smtp_tls_security_level = may smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_protocols = !SSLv2,!SSLv3 smtp_tls_protocols = !SSLv2,!SSLv3 smtpd_tls_exclude_ciphers = RC4, aNULL smtp_tls_exclude_ciphers = RC4, aNULL dovecot_destination_recipient_limit = 1 smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth content_filter = amavis:[127.0.0.1]:10024 receive_override_options = no_address_mappings message_size_limit = 0 mydomain = SECURE.com compatibility_level = 2 postscreen_greet_action = enforce policy-spf_time_limit = 3600s
We tried Pyzor on our CRM servern and it made a radical difference to only using spam-assassin. http://www.pyzor.org/en/release-1-0-0/ Should be installed by standard to ISPConfig, in my opinion.
Have a look at spamexperts. http://www.spamexperts.com Its a service that you point your MX records to and then they send email to your server. Lots of configurable options.
postscreen can cut out a lot of junk, assuming you can live with your users sending mail on port 587 (not 25).
@Tekati To chime-in, we're having a related discussion at https://www.howtoforge.com/community/threads/spam-filtering-is-not-working.74549/#post-350907 , which might interest you. I've been in the spam-fighting business for over 6 years now on my ISPConfig systems, and here's what has been most effective for me: - postscreen - postgrey - pyzor - razor2 - RBLs - spf/dkim analysis - Bayes training - some basic (but very effective) Postfix directives that enforce strict standards and eliminate a huge percentage of spammers With a user-base as large as yours, Bayesian training will go a long way. You can configure Dovecot to use the Antispam plugin, which can be used to train your Bayes database in a mostly-automated way. When a user moves a message from Inbox to Junk/Spam, for example, you can train your Bayes database against the message, automatically (and vice versa, when he moves a message from Junk/Spam to Inbox). I would look into all of the above.
