
In this guide you will learn how to tweak the default Postfix configuration for incoming email. You need to add or edit the following directives in the /etc/postfix/main.cf configuration file. All configuration directives are explained on the Postfix website.
Postfix Configuration Parameters
smtpd_helo_required = yes
Require that a remote SMTP client introduces itself with the HELO or EHLO command before sending the MAIL command or other commands that require EHLO negotiation.
smtpd_delay_reject = yes
Wait until the RCPT TO command before evaluating the client, HELO and sender restrictions. This allows Postfix to log recipient address information when rejecting a client name/address or sender address, so that it is possible to find out whose mail is being rejected.
strict_rfc821_envelopes = yes
Require that addresses received in SMTP MAIL FROM and RCPT TO commands are enclosed with <>, and that those addresses do not contain RFC 822 style comments or phrases. This stops mail from poorly written software.
smtpd_recipient_restrictions
You can put the following access restrictions that the Postfix SMTP server applies in the context of the RCPT TO command. A restriction prefixed with warn_if_reject is only logged as a warning instead of being enforced, which lets you test it against real traffic before turning it on:
reject_invalid_helo_hostname – Reject the request when the HELO or EHLO hostname is malformed.
warn_if_reject reject_non_fqdn_helo_hostname – Reject the request when the HELO or EHLO hostname is not in fully-qualified domain or address literal form, as required by the RFC.
warn_if_reject reject_unknown_helo_hostname – Reject the request when the HELO or EHLO hostname has no DNS A or MX record.
warn_if_reject reject_unknown_reverse_client_hostname – Reject the request when the client IP address has no address -> name mapping.
reject_non_fqdn_sender – Reject the request when the MAIL FROM address is not in fully-qualified domain form, as required by the RFC.
reject_non_fqdn_recipient – Reject the request when the RCPT TO address is not in fully-qualified domain form, as required by the RFC.
reject_unknown_sender_domain – Reject the request when Postfix is not the final destination for the sender address, and the MAIL FROM domain has 1) no DNS MX and no DNS A record, or 2) a malformed MX record such as a record with a zero-length MX hostname.
reject_unknown_recipient_domain – Reject the request when Postfix is not the final destination for the recipient domain, and the RCPT TO domain has 1) no DNS MX and no DNS A record, or 2) a malformed MX record such as a record with a zero-length MX hostname.
Example main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP
biff = no
inet_protocols = ipv4

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/malware.expert.crt
smtpd_tls_key_file = /etc/postfix/malware.expert.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may

# Conf
delay_warning_time = 4h
bounce_queue_lifetime = 5d
maximal_queue_lifetime = 5d
smtp_connect_timeout = 10s
smtpd_helo_required = yes
# It allows Postfix to log recipient address information when rejecting a client name/address or sender address
smtpd_delay_reject = yes
strict_rfc821_envelopes = yes
message_size_limit = 50000000

# Maps to Relay & Transport (Domains and Destination routing)
relay_domains = proxy:mysql:/etc/postfix/postfix-mysql-relay_domains_maps.cf
transport_maps = proxy:mysql:/etc/postfix/postfix-mysql-transport_maps.cf

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mx01.malware.expert
mydestination = $myhostname, localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
relayhost =
# Which servers are allowed to send outgoing emails
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_helo_hostname,
    warn_if_reject reject_non_fqdn_helo_hostname,
    warn_if_reject reject_unknown_helo_hostname,
    warn_if_reject reject_unknown_reverse_client_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain

smtpd_data_restrictions =
    reject_unauth_pipelining,
    reject_multi_recipient_bounce
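To check that a main.cf actually carries the settings described above, here is an added example (not from the original article or from the Postfix project): a small Python linter that reads main.cf the way Postfix does (column-1 comments, indented continuation lines, whitespace- or comma-separated lists) and reports which of the guide's hardening directives are missing, including restrictions that are still in log-only warn_if_reject mode. The two embedded config fragments are constructed for the demonstration.

```python
from typing import Dict, List
# Constructed main.cf fragments (not from any real server); an indented line continues the previous directive.
HARDENED_CF = """\
smtpd_helo_required = yes
smtpd_delay_reject = yes
strict_rfc821_envelopes = yes
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
    reject_invalid_helo_hostname
    warn_if_reject reject_unknown_helo_hostname
    reject_non_fqdn_sender reject_unknown_sender_domain
"""
WEAK_CF = """\
# no strict_rfc821_envelopes, no reject_unauth_destination
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_recipient_restrictions = permit_mynetworks
"""
MUST_BE_YES = ("smtpd_helo_required", "smtpd_delay_reject", "strict_rfc821_envelopes")

def parse_main_cf(text: str) -> Dict[str, str]:
    """'name = value' lines; '#' in column 1 is a comment, leading whitespace
    continues the previous logical line (see postconf(5))."""
    params: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params

def audit(text: str) -> List[str]:
    """Findings against the guide's settings; an empty list means all are in place."""
    params = parse_main_cf(text)
    findings = [f"{n} should be 'yes', found {params.get(n)!r}"
                for n in MUST_BE_YES if params.get(n, "").lower() != "yes"]
    # Restriction lists may be separated by whitespace and/or commas.
    rcpt = params.get("smtpd_recipient_restrictions", "").replace(",", " ").split()
    if "reject_unauth_destination" not in rcpt:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination (open relay risk)")
    # warn_if_reject makes the following restriction log-only, not enforced.
    for i, token in enumerate(rcpt):
        if token == "warn_if_reject" and i + 1 < len(rcpt):
            findings.append(f"{rcpt[i + 1]} is log-only (warn_if_reject)")
    return findings
```

Run audit() on your own file with `audit(open("/etc/postfix/main.cf").read())`; `postconf -n` output parses the same way.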
Conclusion
It is very important to configure your Postfix installation correctly to minimise incoming spam. You can also use DNS-based blacklists (RBLs), which reject mail from known spam sources such as infected servers.