Based on Debian 11 "Bullseye" environment.
Once the server is up, connection attempts start arriving soon, even before the address is announced anywhere. Most of them are malicious probes and spam senders.
To block such connections efficiently, Postfix provides built-in restriction settings.
There are several restriction groups; see Postfix SMTP relay and access control.
Here I go a bit stricter than the explanation above.
In short, the configuration below means:
# Comment out existing smtpd_relay_restrictions
# (This is redefined with other restrictions in the below)
#smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

# Restrictions
message_size_limit = 20480000
disable_vrfy_command = yes
unknown_hostname_reject_code = 554
unknown_address_reject_code = 554
unverified_sender_reject_code = 554
unverified_recipient_reject_code = 554
smtpd_helo_required = yes
strict_rfc821_envelopes = yes

mua_client_restrictions = permit_mynetworks, permit_sasl_authenticated
mua_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
mua_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
mua_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
mua_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination
mua_data_restrictions = reject_unauth_pipelining

smtpd_client_restrictions = $mua_client_restrictions
smtpd_helo_restrictions = $mua_helo_restrictions
smtpd_sender_restrictions = $mua_sender_restrictions
smtpd_relay_restrictions = $mua_relay_restrictions
smtpd_recipient_restrictions = $mua_recipient_restrictions
smtpd_data_restrictions = $mua_data_restrictions
Reload to apply new restrictions.
# systemctl reload postfix
Watching the mail log, it seems most connections are kicked out by the HELO restrictions for a non-FQDN hostname. Even if the restrictions above are not enough, there are more powerful restrictions such as reject_unknown_helo_hostname or reject_unverified_sender. The reason I don't use them is the side effects that may kick out legitimate emails.
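To see which restriction does the actual work, the smtpd reject lines in the mail log can be tallied per restriction and per client. The script below is an added example, not part of the original post; the log lines in it are constructed, and the mapping from Postfix's logged reason text to restriction names covers only the restrictions used in the configuration above.

```python
import re
from collections import Counter

# One Postfix smtpd rejection, e.g.
#   ... postfix/smtpd[123]: NOQUEUE: reject: RCPT from host[1.2.3.4]: 554 5.7.1 <x>: Reason text; from=<..> to=<..> ...
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from (?P<client>\S+): "
    r"(?P<code>\d{3}) \S+ (?:<[^>]*>: )?(?P<reason>[^;]+);"
)

# Reason text Postfix logs for each restriction in the main.cf above.
REASON_TO_RESTRICTION = {
    "Helo command rejected: need fully-qualified hostname": "reject_non_fqdn_helo_hostname",
    "Helo command rejected: Host not found": "reject_unknown_helo_hostname",
    "Helo command rejected: Invalid name": "reject_invalid_helo_hostname",
    "Sender address rejected: need fully-qualified address": "reject_non_fqdn_sender",
    "Sender address rejected: Domain not found": "reject_unknown_sender_domain",
    "Recipient address rejected: Domain not found": "reject_unknown_recipient_domain",
    "Relay access denied": "reject_unauth_destination",
}

# Constructed sample log (RFC 5737 test addresses), not a real capture.
LOG = """\
Sep 12 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 504 5.5.2 <WIN-PC>: Helo command rejected: need fully-qualified hostname; from=<a@example.net> to=<u@example.com> proto=ESMTP helo=<WIN-PC>
Sep 12 10:00:07 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<b@example.net> to=<u@example.com> proto=SMTP helo=<localhost>
Sep 12 10:01:15 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <mail.nxdomain.invalid>: Helo command rejected: Host not found; from=<c@example.net> to=<u@example.com> proto=ESMTP helo=<mail.nxdomain.invalid>
Sep 12 10:02:40 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <u@other.example>: Relay access denied; from=<d@example.net> to=<u@other.example> proto=ESMTP helo=<mx.example.net>
Sep 12 10:03:02 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.1.8 <e@nxdomain.invalid>: Sender address rejected: Domain not found; from=<e@nxdomain.invalid> to=<u@example.com> proto=ESMTP helo=<mx.example.net>
Sep 12 10:03:30 mx postfix/smtpd[2105]: connect from mail.example.org[192.0.2.99]
"""


def summarize(log_text):
    """Return (rejections per restriction, rejections per client) as Counters."""
    by_restriction, by_client = Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # connects, disconnects, accepted mail: not a rejection
        reason = m.group("reason").strip()
        # Reasons produced by restrictions not in the map are kept visible as "other: ..."
        by_restriction[REASON_TO_RESTRICTION.get(reason, "other: " + reason)] += 1
        by_client[m.group("client")] += 1
    return by_restriction, by_client


if __name__ == "__main__":
    per_restriction, per_client = summarize(LOG)
    for name, count in per_restriction.most_common():
        print(f"{count:5d}  {name}")
    print("noisiest client:", per_client.most_common(1)[0])
```

Run it against the real log with `summarize(open("/var/log/mail.log").read())` to see which restriction carries the load before deciding whether stricter ones are worth their side effects.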
By rejecting as much spam as possible at the entrance, the content filters further down the chain have less load to handle.
2021-09-12
2021-10-23