I have:
- Installed the server as per the Perfect Server for Debian Jessie, down to the letter.
- Activated spam filter on the domain and the mailbox and chosen "Non-paying" level.
- I've read the manual and made sure that all settings are correct in Postfix.
- I've set the policy to move tagged mail to Junk folder.

Still, the account is not getting spam e-mails tagged at all and no spam is being moved to the Junk folder. If I set up a manual filter, those e-mails are moved to the Junk folder as I have configured them. I'm not new to operating e-mail servers, but this just boggles me completely - why aren't e-mails being spam-scanned?

Here is a sample header that clearly shows that amavis is scanning the emails (Domains replaced with bogus names). What more can I do?

Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1])
        by server1.server.com (Postfix) with ESMTP id 78F9F1E138D
        for <[email protected]>; Tue, 1 Nov 2016 19:24:48 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at server1.server.com
Received: from server1.server.com ([127.0.0.1])
        by localhost (server1.server.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id apUibnoHEipB for <[email protected]>;
        Tue, 1 Nov 2016 19:24:48 +0000 (UTC)
Received: from cpe-75-186-155-41.cinci.res.rr.com (cpe-75-186-155-41.cinci.res.rr.com [75.186.155.41])
        by server1.server.com (Postfix) with SMTP id 946EA1E136C
        for <[email protected]>; Tue, 1 Nov 2016 19:24:47 +0000 (UTC)
Message-ID: <[email protected]>
From: "Phyllis Wesley" <[email protected]>
Subject: Re: 9 new ladies profiles (dating)
To: [email protected]
Date: Tue, 01 Nov 2016 21:56:47 +0300
Mime-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7Bit

Dear member of our Dating site!<br>You have 6 unread messages from ladies.<br>Please, <a href="http://sexy-dream7.top/?u=79h8kwf&o=epgkvze&t=">Check them here</a><br>Best wishes to you,<br>administrator
That header, X-Virus-Scanned, is not indicative of a spam scan. Even though amavis is the "glue" that performs both virus scans and spam scans, that header is exclusive to virus scanning. The spam-related headers would look more like this, if present:

Code:
X-Virus-Scanned: Debian amavisd-new at example.com
X-Spam-Flag: NO
X-Spam-Score: 0.82
X-Spam-Level:
X-Spam-Status: No, score=0.82 tagged_above=-999 required=4.5
        tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
        FROM_EXCESS_BASE64=0.105, HTML_IMAGE_RATIO_02=0.805, HTML_MESSAGE=0.001,
        SPF_PASS=-0.001, T_SPF_HELO_TEMPERROR=0.01]
        autolearn=no autolearn_force=no

First, configure the effective policy to look like this:

SPAM tag level -> -999
SPAM tag2 level -> 4.5
SPAM kill level -> 50
SPAM dsn cutoff level -> 0
SPAM quarantine cutoff level -> 0
SPAM modifies subject -> Yes
SPAM subject tag ->
SPAM subject tag2 -> ***SPAM (Score: _SCORE_)***

This should force the headers to be added to each message. Do the headers demonstrated up above appear when you do this?
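The distinction above (X-Virus-Scanned proves only that amavis relayed the message; X-Spam-Status proves SpamAssassin scored it) can be checked mechanically. The following is an added example, not code from the thread: it parses the headers amavisd-new adds and reproduces the tag / tag2 / kill threshold logic so a score can be mapped onto what amavis would do under a given policy. The two sample messages are constructed for this example; the header layout follows the samples posted above.

```python
"""Tell apart "virus-scanned by amavis" from "spam-scanned by SpamAssassin".

Added example, not code from the thread: it parses the headers amavisd-new
adds (X-Virus-Scanned, X-Spam-Status) and reproduces the tag / tag2 / kill
threshold logic, so a given score can be mapped onto what amavis would do
under a given policy. The two sample messages are constructed for this
example; the header layout follows the thread's samples.
"""
import re
from email import message_from_string

# Constructed: only the virus scanner left a header (the thread's symptom).
VIRUS_ONLY = """\
Return-Path: <spammer@example.net>
Delivered-To: user@example.com
X-Virus-Scanned: Debian amavisd-new at server1.example.com
From: "Phyllis Wesley" <spammer@example.net>
To: user@example.com
Subject: Re: 9 new ladies profiles (dating)

Dear member of our Dating site!
"""

# Constructed: both scans ran; SpamAssassin scored it below tag2 (4.5).
FULLY_SCANNED = """\
X-Virus-Scanned: Debian amavisd-new at example.com
X-Spam-Flag: NO
X-Spam-Score: 0.82
X-Spam-Level:
X-Spam-Status: No, score=0.82 tagged_above=-999 required=4.5 tests=[DKIM_SIGNED=0.1,
\tDKIM_VALID=-0.1, HTML_MESSAGE=0.001] autolearn=no autolearn_force=no
From: sender@example.org
To: user@example.com
Subject: hello

body
"""

SPAM_STATUS_RE = re.compile(
    r"^(?P<flag>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)"
    r".*?required=(?P<required>-?\d+(?:\.\d+)?)"
    r"(?:.*?tests=\[(?P<tests>[^\]]*)\])?",
    re.DOTALL,
)


def parse_spam_status(value):
    """Parse an X-Spam-Status value into flag, score, threshold and per-test scores."""
    m = SPAM_STATUS_RE.match(value.strip())
    if not m:
        return None
    tests = {}
    for item in (m.group("tests") or "").split(","):
        item = item.strip()          # folded header lines carry "\n\t" here
        if item:
            name, _, weight = item.partition("=")
            tests[name.strip()] = float(weight) if weight else None
    return {
        "flag": m.group("flag") == "Yes",
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": tests,
    }


def amavis_actions(score, tag_level, tag2_level, kill_level):
    """Actions amavis takes for a score, in escalation order.

    tag  : X-Spam-* headers are added        (sa_tag_level  / "SPAM tag level")
    tag2 : X-Spam-Flag: YES and subject tag  (sa_tag2_level / "SPAM tag2 level")
    kill : final_spam_destiny applies        (sa_kill_level / "SPAM kill level")
    """
    actions = []
    if score >= tag_level:
        actions.append("tag")
    if score >= tag2_level:
        actions.append("tag2")
    if score >= kill_level:
        actions.append("kill")
    return actions


def diagnose(raw_message):
    """Report which amavis scans left a trace in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    status = msg.get("X-Spam-Status")
    parsed = parse_spam_status(status) if status else None
    report = {
        "virus_scanned": msg.get("X-Virus-Scanned") is not None,
        "spam_scanned": parsed is not None,
        "score": parsed["score"] if parsed else None,
        "tests": parsed["tests"] if parsed else {},
    }
    if report["virus_scanned"] and not report["spam_scanned"]:
        report["hint"] = ("amavis handled the message but added no X-Spam-* headers: "
                          "check the effective policy's tag level and the "
                          "spamfilter_users rows for this recipient")
    elif report["spam_scanned"]:
        report["hint"] = "ok"
    else:
        report["hint"] = "no amavis headers at all: message did not pass through amavis"
    return report


if __name__ == "__main__":
    for name, raw in (("virus only", VIRUS_ONLY), ("fully scanned", FULLY_SCANNED)):
        r = diagnose(raw)
        print(f"{name}: {r['hint']}")
        if r["score"] is not None:
            print("  under tag=-999 / tag2=4.5 / kill=50:",
                  amavis_actions(r["score"], -999, 4.5, 50))
            print("  under the 50-user defaults 20 / 60 / 60:",
                  amavis_actions(r["score"], 20, 60, 60))
```

Note what the second run prints: with the 50-user defaults (tag level 20) a 0.82-point message gets no X-Spam-* headers at all, which is why the "-999" tag level is the right first step when checking whether SpamAssassin is being called.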
That's just it, they don't come up if I do this and set it on the mailbox. I've updated ISPConfig twice now and each time I chose to re-configure services. Kind of expecting it to set the spam configuration correctly. This is a clean install since ISPConfig 3.0 beta, now running 3.1 stable.
Can you please post the contents of /etc/amavis/conf.d/50-user to pastebin.com or similar? Even here would work, as long as you wrap it in appropriate pre-formatting (code) tags. Having installed ISPConfig probably 50 times on different servers (all Ubuntu), using the Perfect Server tutorial series as a guide, I can say that amavis usually works as expected out-of-the-box, so something else is likely amiss with your configuration.
Code:
cat /etc/amavis/conf.d/50-user
use strict;

#
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

#
# Database connection settings
#
@lookup_sql_dsn = (
    ['DBI:mysql:database=dbispconfig;host=127.0.0.1;port=3306', 'ispconfig', '47d204e259fc433502cf4685235659a4'] );

# @storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database

#$sql_select_policy = 'SELECT "Y" as local FROM mail_domain WHERE CONCAT("@",domain) IN (%k)';

# $banned_files_quarantine_method = 'sql';
# $spam_quarantine_method = 'sql';

#
# SQL Select statements
#
$sql_select_policy =
   'SELECT *,spamfilter_users.id'.
   ' FROM spamfilter_users LEFT JOIN spamfilter_policy ON spamfilter_users.policy_id=spamfilter_policy.id'.
   ' WHERE spamfilter_users.email IN (%k) ORDER BY spamfilter_users.priority DESC';

$sql_select_white_black_list =
   'SELECT wb FROM spamfilter_wblist'.
   ' WHERE (spamfilter_wblist.rid=?) AND (spamfilter_wblist.email IN (%k)) AND (spamfilter_wblist.active="y")' .
   ' ORDER BY spamfilter_wblist.priority DESC';

#
# Quarantine settings
#
$final_virus_destiny      = D_BOUNCE;
$final_spam_destiny       = D_DISCARD;
$final_banned_destiny     = D_BOUNCE;
$final_bad_header_destiny = D_PASS;

# Default settings, we set this very high to not filter out emails accidentally
$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = 20.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 60.0;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 60.0;  # triggers spam evasive actions
$sa_dsn_cutoff_level = 100;   # spam level beyond which a DSN is not sent

#
# Disable spam and virus notifications for the admin user.
# Can be overridden by the policies in mysql
#
$virus_admin = undef;
$spam_admin  = undef;

#
# Enable Logging
#
$DO_SYSLOG = 1;
$LOGFILE = "/var/log/amavis.log";  # (defaults to empty, no log)

# Set the log_level to 5 for debugging
$log_level = 0;  # (defaults to 0)

$inet_socket_port = [10024,10026];

# :* = send to incoming Port + 1
$forward_method = 'smtp:127.0.0.1:*';
$notify_method  = 'smtp:127.0.0.1:*';

$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
  originating => 1,
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
};

# IP-Addresses for internal networks => load policy MYNETS
# - requires -o smtp_send_xforward_command=yes in postfix master.cf
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
                 [::1] [FE80::]/10 [FEC0::]/10);

# Allow SMTP access from IPs in @inet_acl to amavisd SMTP Port
@inet_acl = qw( 127.0.0.1 [::1] 192.168.0.0/16 );

# DKIM
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;  # load DKIM signing code
$signed_header_fields{'received'} = 0;  # turn off signing of Received
@dkim_signature_options_bysender_maps = (
  { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

#------------ Do not modify anything below this line -------------
1;  # insure a defined return

If I try to restart amavis I get this:

Code:
service clamav restart
Failed to restart clamav.service: Unit clamav.service failed to load: No such file or directory.

No errors in the logs at all. It is running, however:

Code:
ps -U clamav
  PID TTY          TIME CMD
  736 ?        00:00:00 freshclam
  858 ?        00:00:13 clamd
Okay, that configuration file looks good. Mine is identical, excepting the password, of course. (You may want to scrub the password from the @lookup_sql_dsn value, especially if this is a production system, just so somebody malicious doesn't see it; sorry, I should have thought to mention that.)

Odd that you can't restart amavis due to the clamav issue. Did you in fact install clamav? What does this return (executed as root)?

Code:
# systemctl status clamav-daemon

For that matter, what does this return?

Code:
# systemctl status amavis
Don't worry, I changed the password before posting - can't be too careful

Code:
systemctl status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled)
   Active: active (running) since Thu 2016-11-03 17:47:24 UTC; 12min ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           http://www.clamav.net/lang/en/doc/
 Main PID: 858 (clamd)
   CGroup: /system.slice/clamav-daemon.service
           └─858 /usr/sbin/clamd --foreground=true

Nov 03 17:45:59 server1 clamd[858]: Portable Executable support enabled.
Nov 03 17:45:59 server1 clamd[858]: ELF support enabled.
Nov 03 17:45:59 server1 clamd[858]: Mail files support enabled.
Nov 03 17:45:59 server1 clamd[858]: OLE2 support enabled.
Nov 03 17:45:59 server1 clamd[858]: PDF support enabled.
Nov 03 17:45:59 server1 clamd[858]: SWF support enabled.
Nov 03 17:45:59 server1 clamd[858]: HTML support enabled.
Nov 03 17:45:59 server1 clamd[858]: XMLDOCS support enabled.
Nov 03 17:45:59 server1 clamd[858]: HWP3 support enabled.
Nov 03 17:45:59 server1 clamd[858]: Self checking every 3600 seconds.
Code:
systemctl status amavis
● amavis.service - LSB: Starts amavisd-new mailfilter
   Loaded: loaded (/etc/init.d/amavis)
   Active: active (running) since Thu 2016-11-03 19:06:48 UTC; 1h 6min left
   CGroup: /system.slice/amavis.service
           ├─1847 /usr/sbin/amavisd-new (master)
           ├─1986 /usr/sbin/amavisd-new (ch1-avail)
           └─1987 /usr/sbin/amavisd-new (ch2-avail)

Nov 03 19:06:48 server1 amavis[1847]: No decoder for .rar
Nov 03 19:06:48 server1 amavis[1847]: No decoder for .rpm
Nov 03 19:06:48 server1 amavis[1847]: No decoder for .swf
Nov 03 19:06:48 server1 amavis[1847]: Using primary internal av scanner code for ClamAV-clamd
Nov 03 19:06:48 server1 amavis[1847]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Nov 03 19:06:48 server1 amavis[1847]: Deleting db files __db.003,nanny.db,__db.002,snmp.db,__db.001 in /var/lib/amavis/db
Nov 03 19:06:48 server1 amavis[1847]: Creating db in /var/lib/amavis/db/; BerkeleyDB 0.54, libdb 5.3
Nov 03 17:46:04 server1 amavis[1987]: (01987-01) Passed CLEAN {RelayedInbound}, [91.230.171.73]:21256 [91.230.171.73] <[email protected]> -> <svetlan...
Nov 03 17:46:35 server1 amavis[1986]: (01986-01) Passed CLEAN {RelayedInbound}, [45.59.120.172]:35768 [45.59.120.172] <[email protected]> -> ...
Nov 03 17:50:39 server1 amavis[1987]: (01987-02) Passed CLEAN {RelayedInbound}, [160.20.15.82]:38405 [160.20.15.82] <[email protected]> -> <stefan@ssrab....
Hint: Some lines were ellipsized, use -l to show in full.

Like I wrote, I'm completely boggled by this!
That all looks okay to me. Let's double-check the configuration in the ISPConfig interface. There are several places that affect the spam-scanning behavior:

1.) Email -> Domain -> example.com -> spamfilter
What's selected here for the domain in question?

2.) Email -> Email Mailbox -> [email protected] -> Mailbox (tab) -> Spamfilter
What's selected there for the mailbox in question?

3.) Email -> Spamfilter > User / Domain (left-nav)
Do the values here look reasonable? You should see one entry for the mail domain (with Priority 5), and one entry for the specific user's mailbox (with Priority 10). A screenshot would be ideal.
1. All Tags (The one that tags all mail)
2. All Tags (The one that tags all mail)
3. Screenshot(s) attached.
I finally found it - in Spamfilter -> User/Domain there were two entries with the same user and domain for the account that isn't working - I removed one of them and then it started working again. Why are double entries even allowed if it causes it to not work at all?
Glad to see it resolved! As to why it's even possible to create two entries with the same user and the same domain there, that is an excellent question. Unfortunately, I don't know the answer. If you're willing to spend the time with it, you might be able to arrive at an answer by analyzing the queries in that file from earlier, /etc/amavis/conf.d/50-user. You may be able to execute some of the queries in there manually and determine what was happening when you had duplicate entries present. Maybe the results were being discarded if more than one row was returned, or something like that. If after that you suspect a bug, I would open a report at https://git.ispconfig.org/ispconfig/ispconfig3/issues .

Also, the most effective method I've found for combating spam is to do so right at the Postfix layer. Something like this, in /etc/postfix/main.cf:

Code:
#Default:
#smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf,
    reject_sender_login_mismatch,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    check_policy_service unix:private/policy-spf,
    reject_rbl_client zen.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net

And the following at the bottom of the file:

Code:
# Required to fully enforce the "reject_invalid_helo_hostname" or
# "reject_non_fqdn_helo_hostname" restriction (without "smtpd_helo_required = yes",
# a client can simply skip either restriction by not sending HELO or EHLO).
smtpd_helo_required = yes

# Don't talk to mail systems that don't know their own hostname.
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access mysql:/etc/postfix/mysql-virtual_client.cf,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname

# Block clients that speak too early.
smtpd_data_restrictions = reject_unauth_pipelining

# Reject non-replyable sender addresses, like @yahoo.com and ""@yahoo.com, straight away.
strict_rfc821_envelopes = yes

# This option is enabled by default, but it is important enough to be set explicitly.
# Several directives (such as smtpd_helo_restrictions) are effective only when this directive is set to "yes".
smtpd_delay_reject = yes

policy-spf_time_limit = 3600s

postscreen_greet_action = enforce

You may have to tailor that list slightly, or ensure that you have all of the requisites installed, to avoid invalid configuration errors in Postfix. In short, you'd need the pyzor, razor2, postfix-policyd-spf-python, postscreen, and postgrey packages. Happy to provide further guidance if it's of interest to you.
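Following the suggestion above to run the 50-user queries by hand, here is an added example (not code from the thread or from ISPConfig) that models the two tables the $sql_select_policy query joins, seeds them with a domain entry, a mailbox entry and the duplicate mailbox entry that turned out to be the problem, and shows what the query returns for one recipient before and after the duplicate is removed. It uses an in-memory SQLite database so it runs without the ISPConfig MySQL instance; the column subset, the policy values and the amavis key list are simplifying assumptions.

```python
"""Run ISPConfig's amavis policy lookup by hand against a constructed data set.

Added example, not part of the thread or of ISPConfig. It models the two
tables that the $sql_select_policy query in /etc/amavis/conf.d/50-user joins,
seeds them with a domain entry, a mailbox entry and the duplicate mailbox
entry the thread ends up finding, and shows what the query returns for one
recipient before and after the duplicate is removed. The column subset, the
policy values and the amavis key list are simplifying assumptions.
"""
import sqlite3

SCHEMA = """
CREATE TABLE spamfilter_users (
    id        INTEGER PRIMARY KEY,
    priority  INTEGER NOT NULL,
    policy_id INTEGER,
    email     TEXT    NOT NULL
);
CREATE TABLE spamfilter_policy (
    id              INTEGER PRIMARY KEY,
    policy_name     TEXT NOT NULL,
    spam_tag_level  REAL,
    spam_tag2_level REAL,
    spam_kill_level REAL
);
"""

# Assumed policy rows: ids and thresholds are illustrative only.
POLICIES = [
    (1, "Non-paying", 3.0, 6.9, 6.9),
    (2, "Tag all mail", -999.0, 4.5, 50.0),
]

# Constructed users: domain at priority 5, mailbox at priority 10, and a
# second row for the same mailbox (what the thread found under User / Domain).
USERS = [
    (1, 5, 1, "@example.com"),
    (2, 10, 2, "user@example.com"),
    (3, 10, 2, "user@example.com"),
]

# $sql_select_policy from 50-user with the column list narrowed; amavis
# substitutes %k with one placeholder per lookup key.
POLICY_SQL = (
    "SELECT spamfilter_users.id, spamfilter_users.email, spamfilter_users.priority,"
    " spamfilter_policy.policy_name, spamfilter_policy.spam_tag_level"
    " FROM spamfilter_users LEFT JOIN spamfilter_policy"
    " ON spamfilter_users.policy_id = spamfilter_policy.id"
    " WHERE spamfilter_users.email IN ({placeholders})"
    " ORDER BY spamfilter_users.priority DESC"
)


def lookup_keys(address):
    """Keys amavis tries for a recipient, most specific first (simplified)."""
    local, _, domain = address.partition("@")
    labels = domain.split(".")
    keys = [address, local + "@", "@" + domain]
    keys += ["@." + ".".join(labels[i:]) for i in range(len(labels))]
    keys.append("@.")
    return keys


def build_db():
    """In-memory stand-in for the dbispconfig tables, seeded with the rows above."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO spamfilter_policy VALUES (?, ?, ?, ?, ?)", POLICIES)
    conn.executemany("INSERT INTO spamfilter_users VALUES (?, ?, ?, ?)", USERS)
    conn.commit()
    return conn


def lookup_policy_rows(conn, address):
    """Rows the amavis query returns for one recipient (ties in priority are unordered)."""
    keys = lookup_keys(address)
    sql = POLICY_SQL.format(placeholders=", ".join("?" * len(keys)))
    return [dict(row) for row in conn.execute(sql, keys)]


def find_duplicate_users(conn):
    """Addresses that have more than one spamfilter_users row."""
    sql = ("SELECT email, COUNT(*) AS n FROM spamfilter_users"
           " GROUP BY email HAVING n > 1 ORDER BY email")
    return [(row["email"], row["n"]) for row in conn.execute(sql)]


def remove_duplicate_users(conn, email):
    """Keep the oldest row (lowest id) for an address and delete the others."""
    cur = conn.execute(
        "DELETE FROM spamfilter_users WHERE email = ?"
        " AND id <> (SELECT MIN(id) FROM spamfilter_users WHERE email = ?)",
        (email, email),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print("duplicates:", find_duplicate_users(db))
    for row in lookup_policy_rows(db, "user@example.com"):
        print("before:", row["email"], row["priority"], row["policy_name"])
    remove_duplicate_users(db, "user@example.com")
    for row in lookup_policy_rows(db, "user@example.com"):
        print("after: ", row["email"], row["priority"], row["policy_name"])
```

With the duplicate present the query hands amavis two rows of equal priority for the same key, and ORDER BY priority DESC says nothing about which comes first; the "before" listing makes that visible without touching a live server. The find_duplicate_users query is the one worth running against the real dbispconfig database before blaming amavis.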
Thanks a million for the kind help, I'll try adding on the settings you suggest as well! If there are additional settings to using postscreen or postgrey, I'd be interested - We already added Pyzor since we use that on another server.

Here is how to enable razor and pyzor:

Most people think the spam-assassin configuration is not used when amavis is used - but it is; pyzor needs to be enabled in /etc/spamassassin/local.cf

Note: This is usually added by default, so shouldn't need to be added!

Code:
# Enable or disable network checks
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1

You need to register with an identity to the razor network:

Code:
su - amavis -s /bin/bash
razor-admin -create
razor-admin -register
pyzor discover
exit

And port 2703 needs to be open.

You can check if pyzor is running with:

Code:
echo "test" | spamassassin -D pyzor 2>&1 | less
You are very welcome! Happy to help you!

This is excellent information here, in your previous post. The only corrections/additions I would offer are in regard to more specific firewall requirements, and how best to test pyzor and razor2. The easiest way to do this might be with some comments that one could add to /etc/spamassassin/local.cf:

Code:
# Ensure that Real-Time Blacklist checking is enabled.
skip_rbl_checks 0

# pyzor
# Be sure to allow OUTGOING port 24441 UDP on firewall!
# Be sure to allow INCOMING port 24441 UDP on firewall!
use_pyzor 1
pyzor_path /usr/bin/pyzor
add_header all Pyzor _PYZOR_
# Increase timeout to prevent failure; see http://atomicorp.com/forums/viewtopic.php?f=4&t=5457
pyzor_timeout 20

# razor2
# Be sure to allow OUTGOING port 2703 TCP on firewall!
use_razor2 1
razor_config /etc/razor/razor-agent.conf

I should note that because most firewalls are configured to allow all outbound traffic, opening the outbound ports that pyzor and razor2 use, explicitly, is usually unnecessary. In other words, in most firewall configurations, it is necessary only to open inbound port 24441 UDP for pyzor to work.

With regard to testing pyzor, it is more useful to pass a well-formed email message (per RFC-822) than the string "test", because the log output will say something like

Code:
dbg: pyzor: check failed: no response

which is confusing (and misleading, because pyzor is, in fact, working). It would be better to use the GTUBE (Generic Test for Unsolicited Bulk Email) file.

Code:
# su - amavis
$ wget https://spamassassin.apache.org/gtube/gtube.txt
$ spamassassin -D pyzor 2>&1 < ./gtube.txt

in which case that line changes to

Code:
dbg: pyzor: got response: public.pyzor.org:24441 (200, 'OK') 0 3

pyzor will report that the result is "X-Spam-Pyzor: Whitelisted", because the message is originating from localhost, but this method serves the purpose at hand.
Testing razor2 is similar:

Code:
# su - amavis
$ razor-check -d < ./gtube.txt

This will almost certainly result in "No queries, no spam", because the gtube.txt message is unlikely to generate a hit with razor2, but the other output demonstrates that razor2 is working.

I'll follow up regarding postscreen and postgrey in a separate post, so as to stay organized.
Regarding Postscreen and Postgrey, have a peek at the official tutorial for Hardening Postfix: https://www.howtoforge.com/hardening-postfix-for-ispconfig-3

Based on that tutorial and other tips/tricks I've learned over the years, I've created this synthesized "How To" that I use every time that I deploy a mail stack. (Looks like I have to split it up into two posts, due to a length restriction.)

Reverse DNS (rDNS / PTR record)

Many mail-related functions require a proper reverse-DNS record. Ensure that the correct domains are mapped to the server's IP address in the relevant DNS setup. Validate it with a tool like http://mxtoolbox.com .

SPF (Sender Policy Framework) DNS Record

Most mail systems reject mail from systems for which a proper SPF DNS record does not exist. Before proceeding, ensure that a valid SPF record exists for the IP address in question. Again, use http://mxtoolbox.com or similar to validate the SPF record.

Enhance Postfix Functionality

Add the following directives to the end of /etc/postfix/main.cf:

Code:
# Required to fully enforce the "reject_invalid_helo_hostname" or
# "reject_non_fqdn_helo_hostname" restriction (without "smtpd_helo_required = yes",
# a client can simply skip either restriction by not sending HELO or EHLO).
smtpd_helo_required = yes

# Don't talk to mail systems that don't know their own hostname.
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access mysql:/etc/postfix/mysql-virtual_client.cf,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname

# Block clients that speak too early.
smtpd_data_restrictions = reject_unauth_pipelining

# Reject non-replyable sender addresses, like @yahoo.com and ""@yahoo.com, straight away.
strict_rfc821_envelopes = yes

# This option is enabled by default, but it is important enough to be set explicitly.
# Several directives (such as smtpd_helo_restrictions) are effective only when this directive is set to "yes".
smtpd_delay_reject = yes

Installing Pyzor and Razor2

Code:
# apt-get install pyzor razor

Place the following directives near the bottom of /etc/spamassassin/local.cf:

Code:
#pyzor
# Be sure to allow port 24441 UDP on firewall!
use_pyzor 1
pyzor_path /usr/bin/pyzor
add_header all Pyzor _PYZOR_
# Increase timeout to prevent failure; see http://atomicorp.com/forums/viewtopic.php?f=4&t=5457
pyzor_timeout 20

#razor
use_razor2 1
razor_config /etc/razor/razor-agent.conf

Ensure that the Pyzor and Razor plug-in lines are un-commented in /etc/spamassassin/v310.pre:

Code:
# Pyzor - perform Pyzor message checks.
#
loadplugin Mail::SpamAssassin::Plugin::Pyzor

# Razor2 - perform Razor2 message checks.
#
loadplugin Mail::SpamAssassin::Plugin::Razor2

Update Pyzor's server list:

Code:
# pyzor discover

smtpd Client Restrictions

NOTE: As of ISPConfig 3.1, I'm not sure that this is necessary anymore. We should confirm! -2016.08.16

Update the smtpd_client_restrictions directive so that it rejects unwanted connections at the MTA level:

Code:
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_client_hostname,
    check_client_access mysql:/etc/postfix/mysql-virtual_client.cf

smtpd Recipient Restrictions

Update the smtpd_recipient_restrictions directive so that it rejects unwanted mail at the MTA level:

Default value:

Code:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_destination

Hardened value:

IMPORTANT: Notice that the reject_unauth_destination value has been placed before check_recipient_access. Although this is not the default in some Linux distributions (including Debian and Ubuntu), this is a crucial measure in preventing unexpected open-relay problems. See Postfix author's comments at http://comments.gmane.org/gmane.mail.postfix.user/237214 .
Code:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_sender_login_mismatch,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain

(continued...)
Checking SPF Records for Incoming Mail

Code:
# apt-get install postfix-policyd-spf-python

Add to /etc/postfix/main.cf:

Code:
policy-spf_time_limit = 3600s

Add

Code:
check_policy_service unix:private/policy-spf

to the end of smtpd_recipient_restrictions.

Add to the end of /etc/postfix/master.cf:

Code:
policy-spf  unix  -       n       n       -       -       spawn
    user=nobody argv=/usr/bin/policyd-spf

Reload Postfix:

Code:
# service postfix reload

Grey-listing with Postgrey

NOTE: It seems as though ISPConfig 3.1 and later configure Postgrey automatically. This should be double-checked. -2016.08.16

NOTE 2: In Ubuntu 16, and whichever version of Postfix comes with it, it looks like the directive has changed:

Code:
greylisting = check_policy_service inet:127.0.0.1:10023

ISPConfig seems to install the Postgrey package(s) and add this line. (I don't recall doing it manually!)

Code:
# apt-get install postgrey

The configuration options are in /etc/default/postgrey.

For IPv4 interfaces, add check_policy_service inet:127.0.0.1:10023 to the end of smtpd_recipient_restrictions in /etc/postfix/main.cf.

For IPv6 interfaces, add check_policy_service inet:[::1]:10023 to the end of smtpd_recipient_restrictions in /etc/postfix/main.cf.

Optionally, create the following two files, in which any custom whitelist rules can be stored (one hostname per line):

Code:
# touch /etc/postgrey/whitelist_clients.local
# touch /etc/postgrey/whitelist_recipients.local

Reload Postfix:

Code:
# service postfix reload

DNS Black-Lists

Building upon the previous examples, here we add MTA-level, real-time black-list checks. These checks should always be performed last, as they are the most "expensive" with respect to time and resource consumption.
Code:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_sender_login_mismatch,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    check_policy_service unix:private/policy-spf,
    check_policy_service inet:127.0.0.1:10023,
    reject_rbl_client zen.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net

Minimizing Resource Consumption with PostScreen

Add to /etc/postfix/main.cf:

Code:
postscreen_greet_action = enforce

Next, make /etc/postfix/master.cf reflect the following (these directives may already exist; just uncomment them if so). Be sure that the line smtp inet ... smtpd, including any parameter, is commented-out; any parameters that were present previously must be moved to the new smtpd service.

Code:
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       -       -       -       smtpd
#  -o ...
# Parameters moved from the smtp service to the new smtpd service (if any):
smtpd      pass  -       -       n       -       -       smtpd
  -o ...
smtp       inet  n       -       n       -       1       postscreen
tlsproxy   unix  -       -       n       -       0       tlsproxy
dnsblog    unix  -       -       n       -       0       dnsblog

Enabling Submission Port (587)

Un-comment the following lines to enable the Submission port (587), which is required only for offering STARTTLS on a non-standard port (that is, a port other than 25):

Code:
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Reload Postfix:

Code:
# service postfix reload

Enabling SSL/TLS Port (465)

Note: This port's use has been deprecated; it should be opened and enabled only if legacy support is required. The Submission Port (587) should be used instead. For more information, see: http://stackoverflow.com/questions/15796530/what-is-the-difference-between-ports-465-and-587

Uncomment the following lines to enable the SSL/TLS port (465), which is required for SSL/TLS (not to be confused with STARTTLS):

Code:
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Reload Postfix:

Code:
# service postfix reload

References
http://www.howtoforge.com/hardening-postfix-for-ispconfig-3
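The open-relay point under "smtpd Recipient Restrictions" above (reject_unauth_destination must come before check_recipient_access) is easy to state and easy to get wrong, so here is an added example that is not code from the thread and not Postfix code: a small model of the first-match evaluation smtpd applies to a restriction list, run over the two orders shown in the post. The connection contexts and the access-map entries are constructed; restriction names the model does not know are treated as DUNNO. The real smtpd also evaluates smtpd_relay_restrictions (Postfix 2.10 and later), which is left out here, so the model shows the exposure of the recipient restriction list on its own.

```python
"""Evaluate a Postfix smtpd_recipient_restrictions list in order, as smtpd does.

Added example, not from the thread and not Postfix code: a small model of
first-match restriction evaluation, enough to show why reject_unauth_destination
has to come before check_recipient_access. The connection contexts and the
access-map entries are constructed; restriction names the model does not know
are treated as DUNNO. The real smtpd additionally evaluates
smtpd_relay_restrictions (Postfix 2.10 and later), which is left out here.
"""

PERMIT, REJECT = "PERMIT", "REJECT"


def access_lookup(table, recipient):
    """Key order Postfix uses for an address in an access(5) table:
    user@domain, the domain and its parent domains, then user@ (simplified)."""
    local, _, domain = recipient.partition("@")
    labels = domain.split(".")
    keys = [recipient]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(local + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None


def evaluate(restrictions, ctx):
    """Return (result, restriction) for the first restriction that decides.

    ctx keys: in_mynetworks, sasl_authenticated, recipient, local_domains,
    recipient_access (dict standing in for mysql-virtual_recipient.cf), rbl_listed.
    """
    rcpt_domain = ctx["recipient"].partition("@")[2]
    for name in restrictions:
        if name == "permit_mynetworks" and ctx["in_mynetworks"]:
            return PERMIT, name
        if name == "permit_sasl_authenticated" and ctx["sasl_authenticated"]:
            return PERMIT, name
        if name == "reject_unauth_destination" and rcpt_domain not in ctx["local_domains"]:
            return REJECT, name
        if name == "check_recipient_access":
            verdict = access_lookup(ctx["recipient_access"], ctx["recipient"])
            if verdict == "OK":        # an OK entry ends the list with PERMIT
                return PERMIT, name
            if verdict == "REJECT":
                return REJECT, name
        if name == "reject_rbl_client" and ctx["rbl_listed"]:
            return REJECT, name
        # anything else is DUNNO: move on to the next restriction
    return PERMIT, "end_of_list"     # list exhausted without a decision


# The "Default value" order from the post: access map before the relay check.
DEFAULT_ORDER = ["permit_mynetworks", "permit_sasl_authenticated",
                 "check_recipient_access", "reject_unauth_destination",
                 "reject_rbl_client"]

# The "Hardened value" order: relay check first, RBL last.
HARDENED_ORDER = ["permit_mynetworks", "permit_sasl_authenticated",
                  "reject_unauth_destination", "check_recipient_access",
                  "reject_rbl_client"]


def context(**overrides):
    """Constructed connection: anonymous external client, one hosted domain,
    and an OK access entry for a domain this server does not host."""
    ctx = {
        "in_mynetworks": False,
        "sasl_authenticated": False,
        "recipient": "someone@elsewhere.example",
        "local_domains": {"example.com"},
        "recipient_access": {"elsewhere.example": "OK"},
        "rbl_listed": False,
    }
    ctx.update(overrides)
    return ctx


if __name__ == "__main__":
    print("default order :", evaluate(DEFAULT_ORDER, context()))   # relayed
    print("hardened order:", evaluate(HARDENED_ORDER, context()))  # rejected
```

The failure mode the post warns about is the first line of output: one stray OK entry in the recipient access map for a domain the server does not host turns the default order into a relay for that domain, because check_recipient_access returns PERMIT before reject_unauth_destination is ever reached. In the hardened order the same entry is harmless, and a listed client is still rejected by the RBL check at the end of the list.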