Fighting against spam – postfwd

Postfwd is a policy daemon for Postfix (a "Postfix firewall").
Below is my configuration. It is based on the postfwd example config, extended with a number of rate limits. It has been in use with postfwd version 1.20 on the VNET mail servers.


# Whitelists (no limits)
# Clients in this group get "dunno" at WL_001, and postfwd stops evaluating
# rules once it returns an action to Postfix -- so these clients see no
# DNSBL lookups, no rate limits and no FAKE_VNET check from this file.
# (dunno is "no opinion": Postfix's own restrictions still run afterwards.)
# NOTE(review): 10.0.0.0/8 puts every host of that private range on the
# unlimited list; a compromised internal machine is then exempt from all
# the limits below.  Confirm the whole /8 really needs to be here.
&&VNET_WHITELIST { \
        client_address=127.0.0.1 ; \
        client_address=10.0.0.0/8 ; \
        client_address=81.89.63.68 ; \
        client_address=81.89.63.69 ; \
	client_address=217.73.28.0/24 ; \
	client_address=81.89.63.129 ; \
	client_address=109.74.151.0/27; \
	client_address=217.73.22.212 ; \
	client_address=81.89.54.210 ; \
	client_address=217.73.20.194 ; \
};

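# VNET IP & other trusted IP
# Trusted clients are still looked up in the DNSBLs (RBL_001) but their hits
# are cleared again at RWL_TRUSTED; they set HIT_trusted=1 at EVAL_TRUSTED_02,
# get the more generous RATE_TRUSTED_* limits and skip greylisting (GREY_001).
# Fix: the list carried 81.89.48.0/20 and 195.168.239.101 twice; the exact
# duplicates are removed, membership is unchanged.
# NOTE(review): 109.74.144.0/24, 109.74.146.0/24 and 109.74.151.0/27 all lie
# inside 109.74.144.0/20 and are kept only as a record of the individual
# sites -- dropping them would not change membership either.
# NOTE(review): 192.168.0.0/16 (and 10.0.0.0/8 via &&VNET_WHITELIST) trusts
# every host of those private ranges; a compromised internal machine gets
# the relaxed limits.  Narrow to the real relay hosts if possible.
&&TRUSTED_IP { \
        &&VNET_WHITELIST ; \
        client_address=192.168.0.0/16 ; \
        client_address=217.73.16.0/20 ; \
        client_address=81.89.48.0/20 ; \
        client_address=93.184.64.0/20 ; \
        client_address=94.229.32.0/20 ; \
        client_address=195.168.239.101 ; \
        client_address=109.74.144.0/20 ; \
        client_address=46.229.224.0/20 ; \
        client_address=62.152.232.0/24 ; \
        client_address=62.152.233.0/24 ; \
        client_address=213.215.69.0/24 ; \
        client_address=217.145.194.149 ; \
        client_address=217.145.194.179 ; \
        client_address=62.168.97.6 ; \
        client_address=84.47.7.40 ; \
        client_address=85.216.210.35 ; \
        client_address=85.248.16.250 ; \
        client_address=212.5.200.61 ; \
        client_address=84.245.69.41 ; \
        client_address=85.216.175.124 ; \
        client_address=109.74.151.0/27 ; \
        client_address=217.73.21.252 ; \
        client_address=109.74.144.0/24 ; \
        client_address=109.74.146.0/24 ; \
        client_address=90.183.38.0/24 ; \
        client_address=213.81.152.0/24 ; \
        client_address=195.210.28.15 ; \
        client_address=195.210.28.16 ; \
        client_address=188.123.97.67 ; \
        client_address=81.0.237.21 ; \
};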


# Whitelist domain example
#&&WHITELIST_DOMAINS { \
#	recipient_domain=lamicro.co.uk ; \
#};

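# Clients whose reverse name looks like static / mail-server infrastructure.
# Used to accept a single DNSWL hit (RWL_003) and to skip greylisting
# (GREY_002).  Note that client_name is Postfix's verified reverse name, so a
# client cannot pick this name freely the way it can pick its HELO.
# Fix: the first pattern had a stray "[" ("[[\.\-]"), which turned the
# trailing class into "[", "." or "-".  Harmless in a hostname, but a typo
# against the postfwd sample config this was taken from.
&&STATIC { \
        client_name~=[\.\-]static[\.\-] ;               \
        client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\. ; \
};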

# DNS whitelists.  Looked up at RWL_001; the number of answering zones is
# collected in HIT_dnswls and a listed client is PREPENDed a header (and
# thereby skips the rest of this file) at RWL_002..004.
# The "/^127\.0\.0\.1$/3600" suffix restricts hostkarma to its whitelist
# answer code (it returns other codes for bad hosts) and, as I read the
# postfwd syntax, caches the answer for 3600 s -- confirm against the
# postfwd version in use.
# NOTE(review): the ahbl.org zones were shut down years ago; a retired zone
# that still answers (some were wildcarded on shutdown) would whitelist
# every client.  Verify each zone is alive before trusting it, and check
# list.dnswl.org's query-volume terms for a busy server.
&&DNSWLS { \
        rbl=list.dnswl.org ;                                             \
        rbl=exemptions.ahbl.org ;                                        \
        rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ;          \
        rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \
};


# Spamchecks
# True when the HELO name differs from the client's reverse name.  On its own
# this is far too noisy to block on; it is only used to lower the DNSBL
# threshold to one hit (RBL_004).
&&BADHELO { \
	client_name==!!($$(helo_name)) ; \
};

# Reverse names that look like dynamic / consumer address pools (or no
# reverse name at all).  Like BADHELO it never blocks on its own: it lowers
# the DNSBL threshold to one hit (RBL_002 second rule) and selects clients
# for greylisting (GREY_005).
&&DYNAMIC { \
        client_name==unknown ;   \
        client_name~=(\-.+){4} ; \
        client_name~=\d{5} ;     \
        client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-] ; \
};
# DNS blacklists.  Looked up at RBL_001; the hit count goes into HIT_dnsbls
# and two hits (or one hit plus DYNAMIC / BADHELO) reject an unauthenticated
# client at RBL_002..004.
# NOTE(review): the ahbl.org zones have been retired and SORBS has since
# been shut down as well.  A dead zone that answers positively for every
# query counts as a hit for every client, which silently lowers the
# two-hit threshold to a single genuine listing (or to nothing, with two
# such zones).  Verify every zone is alive before deploying this list.
&&DNSBLS { \
        rbl=zen.spamhaus.org ;     \
        rbl=bl.spamcop.net ;       \
        rbl=ix.dnsbl.manitu.net ;  \
        rhsbl=rddn.dnsbl.net.au ;  \
        rhsbl=rhsbl.ahbl.org ;     \
        rhsbl=rhsbl.sorbs.net ;    \
};

# GEOIP SK/CZ check
# Country lookup via the nerd.dk zones: a hit means the client address is
# registered to SK or CZ.  Only used to pick a rate-limit profile
# (RBL_GEO_001, RATE_SASL_*), never to block.  Private and loopback
# addresses are not in these zones, so they count as "outside SK/CZ".
&&SK_CZ_IP { \
       rbl=sk.countries.nerd.dk ; \
       rbl=cz.countries.nerd.dk ; \
};

# stress-friendly behaviour (will not match on postfix version pre 2.5)
# Under Postfix stress mode postfwd answers dunno right here and skips all
# the DNS lookups below.  NOTE(review): that also skips every REJECT in this
# file (DNSBL rejects, FAKE_VNET) and every rate limit, so an overload is
# exactly when the anti-spoof protection is off -- consider keeping the
# cheap, lookup-free rules (SASL/trusted evaluation, FAKE_VNET) above this.
id=STRESS    ;  stress==yes        ;  action=dunno

# Apply Whitelists
# dunno here ends evaluation for VNET_WHITELIST clients: nothing further in
# this file (lookups, rate limits, FAKE_VNET) applies to them.
id=WL_001    ;  &&VNET_WHITELIST     ;  action=dunno

# Optional per-recipient-domain whitelist; define &&WHITELIST_DOMAINS above
# before enabling this rule.
#id=WL_002   ;  &&WHITELIST_DOMAINS;  action=dunno

# DNS Whitelist (DNSWL)
# RWL_001 only records the hit count (set() keeps evaluating).  RWL_002..004
# return a PREPEND to Postfix, and postfwd stops at the first rule whose
# action is returned, so a DNSWL-listed client skips everything below:
# DNSBL lookups, rate limits and the FAKE_VNET check.
# NOTE(review): RWL_004 interpolates $$(sender_domain) -- a value chosen by
# the client in MAIL FROM -- unescaped into a regex.  I could not confirm
# from here whether postfwd quotes it; if it does not, metacharacters in the
# sender domain change what the pattern matches.  Impact is limited because
# a DNSWL hit is still required, but the same construct is used at GREY_003.
id=RWL_001  ;  &&DNSWLS      ;  rhsblcount=all ; rblcount=all ; \
         action=set(HIT_dnswls=$$rhsblcount,HIT_dnswls+=$$rblcount,DSWL_text=$$dnsbltext)
id=RWL_002  ;  HIT_dnswls>=2 ; \
         action=PREPEND X-DNSWL: Listed in $$DSWL_text
id=RWL_003  ;  HIT_dnswls>=1 ; &&STATIC ; \
         action=PREPEND X-DNSWL: Listed in $$DSWL_text
id=RWL_004  ;  HIT_dnswls>=1 ; $$client_name~=$$(sender_domain)$ ; \
         action=PREPEND X-DNSWL: Listed in $$DSWL_text

# DNSBL checks - lookup
# Only records the hit count and the listing text; the decision is taken at
# RBL_002..004 below, after the trusted/SASL flags have been evaluated.
id=RBL_001         ;  &&DNSBLS    ;  rhsblcount=all ; rblcount=all ; \
         action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,DSBL_text=$$dnsbltext)

# Clear blacklist hits for TRUSTED ranges
# The lookups still happen for trusted clients (DNS cost); if that matters,
# an earlier rule could skip RBL_001 for &&TRUSTED_IP instead.
id=RWL_TRUSTED     ; &&TRUSTED_IP ; \
         action=set(HIT_dnsbls=0)

# TRUSTED IP EVAL
# HIT_trusted=1 for &&TRUSTED_IP clients, 0 otherwise.  Selects the rate
# profile below and exempts the client from FAKE_VNET.
id=EVAL_TRUSTED_01 ; action=set(HIT_trusted=0)
id=EVAL_TRUSTED_02 ; action=set(HIT_trusted=1) ; &&TRUSTED_IP;

# SASL
# HIT_sasl=1 marks an authenticated client; it is what exempts a client from
# the DNSBL rejects and from FAKE_VNET, so this flag is security-relevant.
# NOTE(review): only the LOGIN and PLAIN mechanisms are recognised.  If the
# SMTP server offers any other mechanism (CRAM-MD5, DIGEST-MD5, OAUTH...),
# users authenticating with it are treated as unauthenticated and will be
# rejected by FAKE_VNET when sending from a vnet domain.  A mechanism-
# independent test such as a non-empty sasl_username would avoid that --
# confirm against the mechanisms actually offered before changing it.
id=EVAL_SASL_01    ; action=set(HIT_sasl=0) ;
id=EVAL_SASL_02    ; action=set(HIT_sasl=1) ; sasl_method =~ (LOGIN|PLAIN)

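# DNSBL checks - evaluation for unauthenticated clients
# Reject on two DNSBL hits, or on one hit combined with a dynamic-looking
# reverse name or a HELO that does not match the reverse name.  Trusted
# clients never get here with hits (RWL_TRUSTED zeroes them) and SASL
# users are skipped via HIT_sasl.
# Fix: the second rule reused the id RBL_002, so the two rejects were
# indistinguishable in the logs; it is now RBL_003, matching RBL_004.
id=RBL_002        ;  HIT_dnsbls>=2 ; HIT_sasl =!! 1 ; \
         action=REJECT blocked, $$DSBL_text
id=RBL_003        ;  HIT_dnsbls>=1 ; HIT_sasl =!! 1 ; &&DYNAMIC ; \
         action=REJECT blocked, $$DSBL_text and $$client_name looks like dynamic IP
id=RBL_004        ;  HIT_dnsbls>=1 ; HIT_sasl =!! 1 ; &&BADHELO ; \
         action=REJECT blocked, $$DSBL_text and $$helo_name does not match $$client_name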

# GEOIP DNSBL check - lookup - we will not block, just use it for various rate limits
# HIT_SK_CZ is the number of nerd.dk country zones that list the client
# (0 = not SK/CZ, which also covers private and loopback addresses).
id=RBL_GEO_000    ;  action=set(HIT_SK_CZ=0)
id=RBL_GEO_001    ;  &&SK_CZ_IP ; rblcount=all ; action=set(HIT_SK_CZ=$$rblcount)

# Rate limits
# rate(key/limit/seconds/response): the client is deferred with "response"
# once more than "limit" requests for "key" were seen within "seconds".
# rate() keeps evaluating while the limit is not exceeded, so several
# limits with different keys stack.
#
# TRUSTED_IP and SASL authorized
id=RATE_TRUSTED_SASL_01 ; HIT_trusted>=1 ; HIT_sasl>=1 ; \
         action=rate($$client_address/300/60/450 4.1.1 too many connections from your ip address)

id=RATE_TRUSTED_SASL_02 ; HIT_trusted>=1 ; HIT_sasl>=1 ; \
         action=rate($$sender/1500/300/450 4.1.2 max 1500 mails per 5 minutes )

# TRUSTED_IP and not SASL authorized
# The second and third rule key on the envelope sender and the HELO name,
# both chosen by the client, although the reply text talks about "your ip
# address"; on a trusted network that is acceptable, but they are not a
# per-IP limit.
id=RATE_TRUSTED_01 ; HIT_trusted>=1 ; HIT_sasl =!! 1 ; \
         action=rate($$client_address/300/300/450 4.2.1 too many connections from your ip address. Try to use SMTP auth - Prilis vela spojeni z vasej ip adresy. Skuste pouzit SMTP autentifikaciu https://mail.vnet.sk/nastavenie-smtp-autentifikacie/)

id=RATE_TRUSTED_02 ; HIT_trusted>=1 ; HIT_sasl =!! 1 ; \
         action=rate($$sender/3000/3600/450 4.2.2 reached limit 3000 mails per hour from your ip address. Try to use SMTP auth - Dosiahli ste limit 3000 mailov z vasej IP. Skuste pouzit SMTP autentifikaciu https://mail.vnet.sk/nastavenie-smtp-autentifikacie/)

id=RATE_TRUSTED_03 ; HIT_trusted>=1 ; HIT_sasl =!! 1 ; \
         action=rate($$helo_name/300/300/450 4.2.3 reached limit 300 mails per 5 minutes from your ip address. Try to use SMTP auth - Dosiahli ste limit 300 mailov z vasej IP adresy. Skuste pouzit SMTP autentifikaciu https://mail.vnet.sk/nastavenie-smtp-autentifikacie/)

# SASL authorized users outside SK & CZ (except webmail)
# Deliberately generic reason for the deferral, so as not to tell a spammer
# which limit was hit.  Tight limits: stolen credentials used from abroad
# are the usual outbound-spam source.
# NOTE(review): RATE_SASL_04 lacks the "client_address != 127.0.0.100"
# exclusion the other three carry, so webmail users are also capped at
# 500 per hour per account here, before RATE_WEBMAIL_02's 1000 per hour
# per sender applies.  Intended?
# NOTE(review): unlike RATE_SASL_05..08 these rules do not exclude
# HIT_trusted clients; a trusted address that is not in the SK/CZ zones
# (e.g. the private ranges) therefore gets these 60/min limits on top of
# RATE_TRUSTED_SASL_*.
id=RATE_SASL_01 ; client_address != 127.0.0.100 ; HIT_SK_CZ==0 ; HIT_sasl>=1 ; \
         action=rate($$client_address/60/60/450 4.3.1 Policy rejection )

id=RATE_SASL_02 ; client_address != 127.0.0.100 ; HIT_SK_CZ==0 ; HIT_sasl>=1 ; \
         action=rate($$sender/100/300/450 4.3.2 Policy rejection )

id=RATE_SASL_03 ; client_address != 127.0.0.100 ; HIT_SK_CZ==0 ; HIT_sasl>=1 ; \
         action=rate($$sasl_username/100/300/450 4.3.3 Policy rejection )

id=RATE_SASL_04 ; HIT_SK_CZ==0 ; HIT_sasl>=1 ; \
         action=rate($$sasl_username/500/3600/450 4.3.4 Policy rejection )

# SASL authorized users from SK & CZ
# Looser limits for authenticated users on domestic addresses that are not
# already in &&TRUSTED_IP.  Per-address, per-sender and per-account keys
# stack; the per-account hourly cap (5000) is the effective ceiling.
id=RATE_SASL_05 ; HIT_trusted =!! 1 ; HIT_SK_CZ>=1 ; HIT_sasl>=1 ; \
         action=rate($$client_address/333/300/450 4.4.1 Policy rejection )

id=RATE_SASL_06 ; HIT_trusted =!! 1; HIT_SK_CZ>=1 ; HIT_sasl>=1 ; \
         action=rate($$sender/1500/300/450 4.4.2 Policy rejection )

id=RATE_SASL_07 ; HIT_trusted =!! 1; HIT_SK_CZ>=1 ; HIT_sasl>=1 ; \
         action=rate($$sasl_username/333/300/450 4.4.3 Policy rejection )

id=RATE_SASL_08 ; HIT_trusted =!! 1; HIT_SK_CZ>=1 ; HIT_sasl>=1 ; \
         action=rate($$sasl_username/5000/3600/450 4.4.4 Policy rejection )

# Webmail users (they are SASL authorized and connects from 127.0.0.100)
# These rules key on client_address alone and do not test HIT_sasl, so the
# "webmail" profile is granted to anything that connects from 127.0.0.100.
# NOTE(review): any local process can bind that loopback alias; make sure
# only the webmail backend can reach the submission port from it.
id=RATE_WEBMAIL_01 ; client_address=127.0.0.100 ; \
         action=rate($$sender/300/300/450 4.5.1 Policy rejection - Dosiahnuty limit poctu odosielanych sprav alebo adresatov)

id=RATE_WEBMAIL_02 ; client_address=127.0.0.100 ; \
         action=rate($$sender/1000/3600/450 4.5.2 Policy rejection - Dosiahnuty limit poctu odosielanych sprav alebo adresatov)

id=RATE_WEBMAIL_03 ; client_address=127.0.0.100 ; \
         action=rate($$sender/2000/28800/450 4.5.3 Policy rejection - Dosiahnuty limit poctu odosielanych sprav alebo adresatov)

id=RATE_WEBMAIL_04 ; client_address=127.0.0.100 ; \
         action=rate($$sasl_username/300/300/450 4.5.4 Policy rejection - Dosiahnuty limit poctu odosielanych sprav alebo adresatov)

# Default rate limit
# Everyone else: unauthenticated, untrusted clients (i.e. inbound mail).
# NOTE(review): RATE_DEFAULT_02 keys on the envelope sender, which an
# unauthenticated client sets freely.  It is trivially evaded by rotating
# MAIL FROM, and conversely a third party can exhaust a legitimate sender's
# bucket and get that sender's mail deferred here.  Also check how
# postfwd keys the null sender (bounces/DSNs) -- if they share one empty
# key, all bounces together get 300 per 5 minutes.
id=RATE_DEFAULT_01 ; HIT_trusted =!! 1 ; HIT_sasl =!! 1 ; \
        action=rate($$client_address/300/300/450 4.9.1 too many connections from your ip address )

id=RATE_DEFAULT_02 ; HIT_trusted =!! 1 ; HIT_sasl =!! 1 ; \
        action=rate($$sender/300/300/450 4.9.2 service temporarily unavailable )

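# Anti-spoofing: mail claiming to be from a vnet domain must come from a
# trusted address or an authenticated user.
# Fix: the pattern was unanchored and the dots unescaped, so it also hit
# unrelated domains such as "myvnet.sk", "vnetXsk" or "vnet.sk.example.net".
# It now matches vnet.sk / vnet.eu exactly, plus their subdomains.
# NOTE(review): this rule sits after STRESS (dunno), WL_001 (dunno) and
# RWL_002..004 (PREPEND), each of which ends evaluation, so under stress or
# for a DNSWL-listed client the check is never reached.  It also depends on
# HIT_sasl, which only recognises LOGIN/PLAIN.  Postfix's own
# reject_sender_login_mismatch / smtpd_sender_login_maps enforces the same
# thing regardless of policy-daemon ordering and may be the safer place.
id=FAKE_VNET ;       HIT_trusted =!! 1 ; HIT_sasl =!! 1 ; sender_domain~=(^|\.)vnet\.(sk|eu)$ ; \
        action=REJECT IP $$client_address is not authorized to send emails from domain $$sender_domain without SMTP authentication - IP adresa $$client_address nie je povolena na odosielanie emailov z domeny $$sender_domain bez SMTP autentifikacie - https://mail.vnet.sk/nastavenie-smtp-autentifikacie/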

# Selective greylisting
# Order matters: the dunno rules exempt authenticated, trusted, static-looking
# and DNSWL-listed clients first; only dynamic-looking or DNSBL-listed
# clients are then handed to greylisting.  Everything else falls through to
# the end of the file (postfwd's default answer).
# "greylisting" is not a postfwd action: it must be a Postfix restriction
# class of that name in main.cf (smtpd_restriction_classes) pointing at the
# greylisting service, otherwise Postfix logs an error for the reply.
# NOTE(review): GREY_003 interpolates the client-chosen sender domain
# unescaped into a regex (see RWL_004); here the worst case is only a
# skipped greylisting, since client_name is the verified reverse name.
id=GREY_000 ;  action=dunno        ;  HIT_sasl>=1
id=GREY_001 ;  action=dunno        ;  &&TRUSTED_IP
id=GREY_002 ;  action=dunno        ;  &&STATIC
id=GREY_003 ;  action=dunno        ;  $$client_name~=$$(sender_domain)$
id=GREY_004 ;  action=dunno        ;  HIT_dnswls>=1
id=GREY_005 ;  action=greylisting  ;  &&DYNAMIC
id=GREY_006 ;  action=greylisting  ;  HIT_dnsbls>=1

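# Special blocks
# Reject mail from unitravel.sk (and subdomains) to imos.sk (and subdomains).
# Fix: both patterns were unanchored with unescaped dots, so e.g. a recipient
# at "limos.sk" or a sender at "unitravel.sk.example.net" matched too.
# Note this rule is only reached by clients that fell through every earlier
# returning rule (whitelists, DNSWL PREPEND, greylisting).
id=IMOS; action=REJECT; recipient_domain~=(^|\.)imos\.sk$ ; sender_domain~=(^|\.)unitravel\.sk$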


One thought on “Fighting against spam – postfwd”

  1. Hello iwik,
    are you sure that the rules of &&TRUSTED_IP are evaluated completely?

    I have a rule:
    id=SET_DNSWL1
    client_address!=5.32.136.0/21
    client_address!=5.102.176.0/21
    client_address!=5.157.72.0/21
    client_address!=5.249.176.0/20
    client_address!=31.7.192.0/19
    client_address!=31.15.128.0/17
    client_address!=37.18.224.0/20
    client_address!=37.19.64.0/21
    client_address!=46.19.8.0/21
    client_address!=46.23.0.0/20
    client_address!=46.54.128.0/17
    client_address!=46.122.0.0/15
    client_address!=46.163.0.0/18
    client_address!=46.164.0.0/18
    client_name=^unknown$
    action=REJECT Blocked – Your IP has no corresponding reverse (PTR) address. Ask your Internet Service Provider to assign you IP with valid reverse (PTR) record.

    The cidr check only goes through half (or less) of the IP list and then stops. I wonder why it doesn't check all the IP addresses in the list.

    Postfwd debug mode say:


    [DNS] dnsccache: item=gmail.com, type=MX -> gmail-smtp-in.l.google.com,alt1.gmail-smtp-in.l.google.com,alt2.gmail-smtp-in.l.google.com,alt3.gmail-smtp-in.l.google.com,alt4.gmail-smtp-in.l.google.com (ttl: 1020)
    [DNS] dnsccache: item=gmail-smtp-in.l.google.com, type=A -> 173.194.65.27 (ttl: 293)
    [DNS] dnsccache: item=alt1.gmail-smtp-in.l.google.com, type=A -> 74.125.130.27 (ttl: 293)
    [DNS] dnsccache: item=alt2.gmail-smtp-in.l.google.com, type=A -> 74.125.203.27 (ttl: 293)
    [DNS] dnsccache: item=alt3.gmail-smtp-in.l.google.com, type=A -> 74.125.31.27 (ttl: 293)
    [DNS] dnsccache: item=alt4.gmail-smtp-in.l.google.com, type=A -> 74.125.25.27 (ttl: 293)
    Aug 30 17:12:14 mail postfwd2/policy[21130]: type sender_mx_addrs : “173.194.65.27,74.125.130.27,74.125.203.27,74.125.31.27,74.125.25.27” “=” “46.23.0.0/20″
    type cidr : “173.194.65.27” “=” “46.23.0.0/20″
    type cidr : “74.125.130.27” “=” “46.23.0.0/20″
    child said ‘CMD=CN;TYPE=request=1///interval=1?’
