29
This is something I’ve been tweaking for a few months now. I’ve got it filtering 99% of spam before it hits content filtering.
Postfix v2.5.5 using PostFWD v1.18 as a policy daemon with PostGrey v1.31 for greylisting.
## ----------------------------------
# Trusted networks (internal usually)
&&TRUSTED_NETS { \
client_address=192.168.0.0/16 ; \
};# Trusted hostnames
&&TRUSTED_HOSTS { \
client_name~=\.nooblet\.org$ ; \
};# Trusted sasl usernames
&&TRUSTED_USERS { \
sasl_username==stalks ; \
};# Free mailers we don't need to greylist
&&FREEMAIL { \
client_name~=\.gmx\.net$ ; \
client_name~=\.web\.de$ ; \
client_name~=\.(aol|yahoo|h(ush|ot)mail)\.co(\.uk|m)$ ; \
};# Static IPs, no need to greylist
# contains freemailers
&&STATIC { \
&&FREEMAIL ; \
client_name~=[\.\-]static[[\.\-] ; \
client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\. ; \
};# Client reverse != smtp helo
&&BADHELO { \
client_name==!!($$(helo_name)) ; \
};&&NORDNS { \
client_name==unknown ; \
};&&DYNAMIC { \
&&NORDNS ; \
client_name~=(\-.+){4} ; \
client_name~=\d{5} ; \
client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|adsl|dial(up|in)|pool|dhcp|leased)[_\.\-] ; \
};
&&DYNL { \
rbl=zen.spamhaus.org/^127\.0\.0\.1[0-1]$/3600 ; \
rbl=dul.dnsbl.sorbs.net ; \
};&&RWL { \
rbl=list.dnswl.org ; \
rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \
rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \
};&&RBL { \
rbl=zen.spamhaus.org/^127\.0\.0\.[2-8]$/3600 ; \
rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.(2|4)$/3600 ; \
rbl=bl.spamcop.net ; \
rbl=problems.dnsbl.sorbs.net ; \
rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.(2|4)$/3600 ; \
rhsbl=rhsbl.ahbl.org ; \
rhsbl=rhsbl.sorbs.net ; \
};##
## Ruleset
### stress-friendly behaviour (will not match on postfix version pre 2.5)
id=STRESS ; stress==yes ; action=dunno# Whitelists (fixed)
id=WL_001 ; &&TRUSTED_NETS ; action=dunno
id=WL_002 ; &&TRUSTED_HOSTS ; action=dunno
id=WL_003 ; &&TRUSTED_USERS ; action=dunno# Dynamic Counter
id=DYNL_001 ; &&DYNL ; rblcount=all ; action=set(HIT_dynls=$$rblcount, DYNL_text=$$dnsbltext)# DNS Block Lists
id=RBL_001 ; &&RBL ; \
rhsblcount=all ; rblcount=all ; \
action=set( \
HIT_rbls=$$rblcount, \
HIT_rbls+=$$rhsblcount, \
RBL_text=$$dnsbltext)
id=RBL_002 ; HIT_rbls>=2 ; action=REJECT You are listed on $$HIT_rbls RBLs. [$$RBL_text]
id=RBL_003 ; HIT_rbls>=1 ; HIT_dynls>=1 ; action=REJECT Host listed as dynamic and listed on RBL. [$$RBL_text]
id=RBL_004 ; HIT_rbls>=1 ; &&NORDNS ; action=REJECT No reverse DNS and listed on RBL. [$$RBL_text]
id=RBL_005 ; HIT_rbls>=1 ; &&DYNAMIC ; action=REJECT Host looks dynamic and listed on RBL. [$$RBL_text]
id=RBL_006 ; HIT_rbls>=1 ; &&BADHELO ; action=REJECT (helo $$helo_name) != ($$client_name) and listed on RBL. [$$RBL_text]# Whitelists (rwl)
id=RWL_001 ; &&RWL ; \
rhsblcount=all ; rblcount=all ; \
action=set( \
HIT_rwls=$$rblcount, \
HIT_rwls+=$$rhsblcount, \
RWL_text=$$dnsbltext)
id=RWL_002 ; HIT_rwls>=1 ; action=PREPEND X-POSTFWD: Listed on $$HIT_rwls whitelists. [$$RWL_text]# Rate limits
id=RATE_001 ; HIT_rbls>=1 ; action=rate($$client_address/1/300/450 4.7.1 Throttled. Listed on RBL. Limited to 1 message every 5 minutes. [$$RBL_text])
id=RATE_002 ; HIT_dynls>=1 ; action=rate($$client_address/1/300/450 4.7.1 Throttled. Listed as dynamic. Limited to 1 message every 5 minutes.)
id=RATE_003 ; &&NORDNS ; action=rate($$client_address/1/300/450 4.7.1 Throttled. No reverse DNS. Limited to 1 message every 5 minutes.)
id=RATE_004 ; &&DYNAMIC ; action=rate($$client_address/1/300/450 4.7.1 Throttled. Host is probably dynamic. Limited to 1 message every 5 minutes.)# Selective greylist
id=GREY_001 ; action=greylist ; HIT_rbls>=1
id=GREY_002 ; action=dunno ; &&STATIC
id=GREY_003 ; action=dunno ; $$client_name~=$$(sender_domain)$
id=GREY_004 ; action=dunno ; HIT_rwls>=1
id=GREY_005 ; action=greylist ; HIT_dynls>=1
id=GREY_006 ; action=greylist ; &&DYNAMIC
## greylist should be safe during out-of-office-hours
# id=GREY_007 ; action=greylist ; days=Sat-Sun
# id=GREY_008 ; action=greylist ; days=Mon-Fri ; time=!!06:00:00-20:00:0