Post 1
Title: Postfix-based anti-spam settings
Posted: 2009-06-06 15:45

[root:~]# telnet localhost 25 --------------------- (1)
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
helo localhost ---------------------------------------(2)
250 mail.example.com
mail from:<t1@example.com> --------------------------(3)
250 2.1.0 Ok
rcpt to:<t2@example.com> ---------------------------(4)
250 2.1.5 Ok
data ----------------------------------------------------(5)
354 End data with <CR><LF>.<CR><LF>
Subject:hello -------------------------------------------(6)
I am john. ------------------------------------------(7)
.
250 2.0.0 Ok: queued as 5F2B641C083
quit
221 2.0.0 Bye
Connection closed by foreign host.


(1) smtpd_client_restrictions
(2) smtpd_helo_restrictions
(3) smtpd_sender_restrictions
(4) smtpd_recipient_restrictions
(5) smtpd_data_restrictions
(6) header_checks
(7) body_checks



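1. smtpd_helo_required = yes
   # HELO/EHLO is mandatory.
2. smtpd_client_restrictions =
       check_client_access hash:/path/to/client_access,
       # Take the corresponding action based on the client's IP address.
       reject_rbl_client bl.spamcop.net,
       # Reject IP addresses listed in the RBL. For example, for 1.2.3.4, look up
       # whether 4.3.2.1.bl.spamcop.net has a corresponding A record.
       reject_rbl_client sbl-xbl.spamhaus.org,
       # Same principle; several RBLs can be queried at the same time.
       reject_unknown_client_hostname
       # Checks the reverse resolution ip->name, name->ip, name=ip; rejects mail
       # sent from IPs that have no reverse DNS resolution.
3. smtpd_delay_reject = yes
   # Delay the reject, i.e. reject only after rcpt to:.
4. smtpd_recipient_restrictions =
       permit_mynetworks,
       # Allow the private IP addresses defined in mynetworks.
       permit_sasl_authenticated,
       # Allow authenticated clients to relay.
       reject_non_fqdn_hostname,
       # Reject hostnames sent in HELO/EHLO that are not fully qualified.
       reject_non_fqdn_sender,
       # Reject sender domains that are not fully qualified.
       reject_non_fqdn_recipient,
       # Reject recipient domains that are not fully qualified.
       reject_unauth_destination,
       # Reject destinations that do not belong to this system's domains, which
       # include the domains and subdomains associated with mydestination,
       # inet_interfaces, virtual_alias_maps, virtual_mailbox_maps and relay_domains.
       reject_unauth_pipelining
       # Reject clients that pipeline commands without first confirming with the
       # server that pipelining is allowed.
       reject_invalid_helo_hostname (Postfix 2.3)
       reject_invalid_hostname (Postfix < 2.3)
       # Reject an invalid hostname supplied by the client.
       check_policy_service servername
       check_policy_service unix:private/apolicy
       # Configured in master.cf:
       #   apolicy unix - n n - - spawn
       #     user=nobody argv=/usr/lib/postfix/apolicy.py
       check_policy_service inet:127.0.0.1:10030
       check_policy_service unix:/some/where/policy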


--------------------------------------------------------------------------------
The anti-spam configuration I use

header_checks = regexp:/etc/postfix/checks/header_checks
mime_header_checks = regexp:/etc/postfix/checks/mime_header_checks


smtpd_helo_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
# reject_unknown_hostname,
# warn_if_reject reject_unknown_client_hostname,
# warn_if_reject reject_unknown_reverse_client_hostname,
# reject_non_fqdn_hostname,
    permit

smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/my_sender_access_list,
    reject_sender_login_mismatch,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    reject_rhsbl_sender cblless.anti-spam.org.cn=127.0.8.5,
    reject_rhsbl_sender xbl.spamhaus.org=127.0.0.4,
    permit

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    reject_non_fqdn_hostname,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_rbl_client cblless.anti-spam.org.cn=127.0.8.5,
    reject_rbl_client xbl.spamhaus.org=127.0.0.4,
    permit
#check_policy_service inet:127.0.0.1:60000
#reject_invalid_hostname,
# reject_unknown_recipient_domain,
# reject_unauth_pipelining,
# reject_maps_rbl,
# reject_rbl_client cblless.anti-spam.org.cn


------------------------------
The /etc/postfix/checks/header_checks file

# This filter is based on the work of Jeffrey Posluns <jeff@posluns.com>
# Filter Version 20040407-1
# Please feel free to copy, use, discuss, link to, or modify this file in compliance with the rules below:
# 1. These filters (or portions thereof) may not be sold or included in a package (software or otherwise) for which fees are charged.
# 2. If you wish to sell or include these filters as part of a package for which fees are charged, please contact us to arrange for a redistribution license.
# 3. Leave this header information intact.
# 4. Do not change the SPAM-ID numbers. We use these numbers to help track false rejections.
# 5. if you modify this file, indicate such on the line below, so that people can be aware that the filter is not an original version.
# We use the header_checks file to remove some headers that we find undesirable.
# Return receipts and software versions are the most significant in this situation.
# For more information, please see http://www.posluns.com/guides/postfix_anonym.html
#/^Received: from 127.0.0.1/ IGNORE
/^Disposition-Notification-To:/ IGNORE
# On some systems we create a custom log entry for SpamAssassin confirmed spam emails.
# If you want to drop or hold these emails, change WARN to DISCARD or HOLD respectively.
# You can also use the FILTER command to forward all spam to another process or account.
# /^X-Spam-Flag: YES/ WARN SpamAssassin Confirmed Spam Content
# These are headers used to track some spam messages.
/^Bel-Tracking: .*/ REJECT Confirmed spam. Go away.
/^Hel-Tracking: .*/ REJECT Confirmed spam. Go away.
/^Kel-Tracking: .*/ REJECT Confirmed spam. Go away.
/^BIC-Tracking: .*/ REJECT Confirmed spam. Go away.
/^Lid-Tracking: .*/ REJECT Confirmed spam. Go away.
# Following Will Block Spams With Many Spaces In The Subject.
/^Subject: .* / REJECT Your subject had too many subsequent spaces. Please change the subject and try again.
# Emails with erroneous dates (or dates far in the past) will appear at the top or bottom of your mail client.
# This is a common method that spammers use to try and get your attention on their emails.
#/^Date: .* 2004/ REJECT Your computer still thinks it's 2004. Fix your system clock and try again.
#/^Date: .* 2003/ REJECT Your computer still thinks it's 2003. Fix your system clock and try again.
/^Date: .* 200[0-4]/ REJECT Your email has a date from the past. Fix your system clock and try again.
/^Date: .* 19[0-9][0-9]/ REJECT Your email has a date from the past. Fix your system clock and try again.
# This filter will block subjects that contain ISO specifications.
# If you use any languages other than English, you might need to comment this out.
# /^Subject: .*\=\?ISO/ REJECT We don't accept strange character sets.
# This will block messages that do not have an address in the From: header.
# Note: This may violate RFC, but blocks a very significant amount of spam. If you implement this, you risk getting listed in http://www.rfc-ignorant.org
#/^From: <>/ REJECT You need to specify a return address, otherwise we will not accept your email.
# Following Are Alphabetical Listings Of Subject Contents That Will Be Blocked.
# Following is a listing of known mass mailer programs.
/^X-Mailer: 0001/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Avalanche/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Crescent Internet Tool/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: DiffondiCool/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: E-Mail Delivery Agent/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Emailer Platinum/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Entity/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Extractor/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Floodgate/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: GOTO Software Sarbacane/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: MailWorkz/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: MassE-Mail/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: MaxBulk.Mailer/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: News Breaker Pro/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: SmartMailer/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: StormPort/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: SuperMail-2/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.

/etc/postfix/checks/mime_header_checks


# This filter is the work of Jeffrey Posluns <jeff@posluns.com>
# Filter Version 20040504-1
# Please feel free to copy, use, discuss, link to, or modify this file in compliance with the rules below:
# 1. These filters (or portions thereof) may not be sold or included in a package (software or otherwise) for which fees are charged.
# 2. If you wish to sell or include these filters as part of a package for which fees are charged, please contact us to arrange for a redistribution license.
# 3. Leave this header information intact.
# 4. Do not change the SPAM-ID numbers. We use these numbers to help track false rejections.
# 5. if you modify this file, indicate such on the line below, so that people can be aware that the filter is not an original version.
# This entry will reject messages with attachments that could be dangerous, and will inform the sender of what type of attachment was rejected.
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(ad[ep]|asd|ba[st]|c[ho]m|cmd|cpl|crt|dbx|dll|exe|hlp|hta|in[fs]|isp|js|jse|lnk|md[etw]|ms[cipt]|nws|ocx|ops|pcd|pi|pif|prf|reg|scf|scr|sct|sh[bms]|swf|uue|vb|vb[esx]|vxd|wab|ws[cfh]))"?\s*$/ REJECT Files attached to emails that contain or end in "$3" are prohibited on this server as they may contain viruses. The file named "$2" was rejected.
# This will filter out certain types of attachments that can be considered dangerous.
/name=[^>]*your_details.zip/ REJECT Mail filters have determined that your email appears to be infected with the Sobig virus.
/^\s*Content-(Disposition|Type).*name\s*=\s*"?((Attach|Information|TextDocument|Readme|Msg|Msginfo|Document|Info|Attachedfile|Attacheddocument|TextDocument|Text|TextFile|Letter|MoreInfo|Message)\.zip)"?\s*$/ REJECT Mail filters have determined that your email appears to be infected with the Bagle virus.
/^\s*Content-(Disposition|Type).*name\s*=\s*"?((Patch|MS-Security|MS-UD|UpDate|sys-patch|MS-Q).*\.zip)"?\s*$/ REJECT Mail filters have determined that your email appears to be infected with the Sober virus.
/^\s*Content-(Disposition|Type).*name\s*=\s*"?((doc_word3_|document_all_|part01_|product_|letter_|information_|document_|details_|screensaver_|website_|data_|text_|file_|prod_info_).*\.zip)"?\s*$/ REJECT Mail filters have determined that your email appears to be infected with the Netsky virus.

My configuration, the /etc/postfix/checks/header_checks file:

/^Date:.* 200[0-7]/ REJECT Your email has a date from the past. Fix your system clock and try again.
/^Date:.*19[0-9][0-9]/ REJECT Your email has a date from the past. Fix your system clock and try again.
/^Date:.* 2[0-9][1-9][0-9] / REJECT Your email has a error date. Fix your system clock and try again.
/^Date:.* 200[9] / REJECT Your email has a error date. Fix your system clock and try again.

--------------------------------------------------------------------------------

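The following is a repost:
The simplest anti-spam for Postfix
November 18th 2007 Posted in Linux
Everybody knows that if you run a mail server you have to do anti-spam. The many anti-spam tutorials and howtos online all rely on spamassassin + amavisd-new, yet many of them never mention, or barely mention, that Postfix itself can do simple anti-spam, and that its own mechanism can do it even better.

ChinaVFX has its own mail server, and my company's domain also has its mail hosted there. Spammers are very capable these days: as soon as you publish a mailbox address anywhere, a flood of spam follows immediately.
My two mailboxes receive at least 30 spam messages a day on average. Added up, nearly 100 spam messages are sent to me every day.

Every message has a header (everybody knows that!). It records which relay servers the message passed through and which client address it was sent from. If we look at it carefully, we can spot the problems.

Every mail provider now has its own rules, so sending spam through mailboxes at free, mass-market mail providers has become rare. Setting up your own mail server, however, is easy; you can mass-mail like crazy without even using dedicated mail server software.
In that case, as you can imagine, they cannot set up a valid domain, then an MX record, then all the other domain work a mail server needs, because they cannot afford to: done that way, the domain would last a few days at most before being put on blocklists worldwide. So they all use dynamic IP addresses.

So what is the problem with dynamic IP addresses? The name says it all. First, there can be no PTR record, meaning the domain name cannot be looked up in reverse. Second, a dynamic IP address very likely has no valid domain name, and of course cannot have a valid hostname either. If you have run a mail server yourself, take a look at the spam in your own mailbox; 90% of the spam in mine comes from mail servers like this, with no hostname and no PTR record.

So what can be done? Take a look at my Postfix restrictions: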

# enable some restrictions
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_reject_unlisted_sender = yes
smtpd_reject_unlisted_recipient = yes
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    permit
smtpd_helo_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_unknown_hostname,
    reject_unknown_client_hostname,
    reject_unknown_reverse_client_hostname,
    reject_non_fqdn_hostname,
    permit
smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit
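Let's go through it line by line. The first line, helo, is mandatory for the server: everyone who connects must send HELO first. The second line, smtpd_delay_reject, needs particular attention. It means that if it is set to no, helo_restrictions run when the client sends the HELO command, and at that point, even if you want sasl_auth, the client is unlikely to be permitted. Setting it to yes postpones the HELO restriction checks until the start of data. So this is the most important directive of all.

The smtpd_etrn_restrictions setting that follows is not very important either way; you may need it only if your mail server is not permanently connected to the Internet.

The rest is fairly obvious. The biggest effect comes from smtpd_helo_restrictions. There we permit SASL-authenticated clients and reject invalid hostnames and unknown hostnames (no DNS); most importantly, if the client has no PTR record in DNS, it is rejected. Sina's mail service does the same.

One more thing to explain is permit_mynetworks. Unimportant? It may seem so, but it definitely is important: local mail sent by your own server, such as cron error reports, and mail sent from PHP and the like, all comes from localhost, and localhost is obviously not an FQDN hostname, so permit_mynetworks must be included. Also, if mynetworks is not specified, the result may not be what you want, so it is best to set mynetworks to 127.0.0.0/8 in main.cf.
Note that in main.cf you only need to specify one of mynetworks_style and mynetworks, not both.

That's it. Since adding these restrictions, my mailbox is much cleaner. Spam has dropped from dozens of messages a day to at most 5 a day now (of course, some idiots may still be sending spam from valid domains). Haha, the world is quiet at last!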
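
Added example, not part of the original post: a sketch of what a script behind the check_policy_service / spawn entry in post 1 could look like, speaking Postfix's policy delegation protocol and applying the reversed-octet DNSBL lookup with a return-code filter as in xbl.spamhaus.org=127.0.0.4. The page does not show the contents of apolicy.py; the function names, DNSBL_ZONES and the sample request here are assumptions made for the illustration.

```python
import ipaddress
import socket
import sys

# Zone -> required A-record value, like the page's "xbl.spamhaus.org=127.0.0.4".
DNSBL_ZONES = {"xbl.spamhaus.org": "127.0.0.4"}
SAMPLE_REQUEST = "request=smtpd_access_policy\nclient_address=1.2.3.4\n\n"  # constructed

def dnsbl_query_name(client_ip, zone):
    """1.2.3.4 + bl.spamcop.net -> 4.3.2.1.bl.spamcop.net (IPv4 only)."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve_a(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # no such name or lookup failure: treat as not listed
        return []

def parse_request(stream):
    """Read name=value lines up to the empty line that ends one request."""
    attrs = {}
    for line in stream:
        line = line.rstrip("\r\n")
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs, resolve_a=system_resolve_a):
    """Return an access(5) action; DUNNO leaves the decision to later rules."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    for zone, code in DNSBL_ZONES.items():
        try:
            qname = dnsbl_query_name(attrs.get("client_address", ""), zone)
        except ValueError:  # IPv6 or malformed address: not handled here
            return "DUNNO"
        if code in resolve_a(qname):
            return "REJECT Client host blocked using " + zone
    return "DUNNO"

def serve(stdin=sys.stdin, stdout=sys.stdout, resolve_a=system_resolve_a):
    for attrs in iter(lambda: parse_request(stdin), {}):
        stdout.write("action=" + decide(attrs, resolve_a) + "\n\n")
        stdout.flush()

if __name__ == "__main__":
    serve()
```

serve() writes one action= reply per request, each followed by an empty line, and stops at end of input; unlisted clients get DUNNO so that restrictions placed after check_policy_service still run.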
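
Added example, not from the original post: the three-step check that post 1 summarizes as ip->name, name->ip, name=ip, showing which of reject_unknown_reverse_client_hostname and reject_unknown_client_hostname would reject a given client. The lookup functions are injectable and the DNS data is constructed from documentation address ranges; all function names are assumptions.

```python
import socket

# Constructed DNS data so the example runs offline.
SAMPLE_PTR = {"192.0.2.10": "mail.example.com", "198.51.100.7": "host7.example.net"}
SAMPLE_A = {"mail.example.com": ["192.0.2.10"], "host7.example.net": ["203.0.113.1"]}

def system_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # no PTR record or lookup failure
        return None

def system_a(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def failed_checks(ip, ptr_lookup=system_ptr, a_lookup=system_a):
    """List the client-hostname restrictions that would reject ip."""
    name = ptr_lookup(ip)
    if name is None:
        # Step 1 (ip->name) failed: both restrictions reject.
        return ["reject_unknown_reverse_client_hostname",
                "reject_unknown_client_hostname"]
    if ip not in a_lookup(name):
        # Step 2 (name->ip) failed or step 3 (name=ip) did not match:
        # a PTR exists, so only the stricter restriction rejects.
        return ["reject_unknown_client_hostname"]
    return []  # forward-confirmed reverse DNS: neither rejects

def sample_results():
    """Run three constructed clients: confirmed, mismatched, no PTR."""
    clients = ("192.0.2.10", "198.51.100.7", "203.0.113.50")
    return {ip: failed_checks(ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, []))
            for ip in clients}
```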


Post 2
Title: Re: Postfix-based anti-spam settings
Posted: 2009-06-06 17:17
:em11


_________________
Who in China's IT business doesn't know Ctrl+C, Ctrl+V~

