Recently one of my clients shifted from Plesk to ISPConfig, and I was asked to setup ISPConfig control panel on it. We followed an ISPConfig Howto from howtoforge.com . The installation was (almost) a breeze. Migration from plesk to ISPConfig was quite painful. But anyway, we did it.

Later when the system went live and remained in production for more than a week, we noticed that there is a lot of spam coming in. The postfix mail server needed some additional armor. I wanted some important checks, such as helo, RBL and SPF. Below is how I added that extra level of protection.

First, I want to thank and acknowledge the authors of following web pages, which helped me in achieving this:

http://www.wains.be/index.php/2006/04/04/postfix-spf/

http://www.freesoftwaremagazine.com/articles/focus\_spam\_postfix?page=0%2C2

http://www.howtoforge.com/postfix\_spf

For SPF, I downloaded the postfix-SPF (module/plugin) from http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz , and installed it as following:

cd /root/

wget <http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz>

tar xzf postfix-policyd-spf-perl-2.007.tar.gz

cp postfix-policyd-spf-perl-2.007/postfix-policyd-spf-perl /usr/libexec/postfix/

chmod +x /usr/libexec/postfix/postfix-policyd-spf-perl

Then I had to add the following text (it is one /single long line) to bottom of /etc/postfix/master.cf :-

vi /etc/postfix/master.cf

spfpolicy unix - n n - 0 spawn user=nobody argv=/usr/libexec/postfix/postfix-policyd-spf-perl

📝Notes:

  • You can use Tabs instead of spaces in the line above. Refer to INSTALL file which comes with the tarball.
  • The INSTALL file uses the word policy, instead of spfpolicy, as shown here. It does not matter. Whatever you choose to use, make sure that you use the same in master.cf and main.cf files.

I then edited my /etc/postfix/main.cf file and added the following text. The text below contains SPF checks, RBL checks, invalid helo checks, invalid host-name checks, etc.

vi /etc/postfix/main.cf

. . .

Change the following line:

smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf

Change to:

smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, permit

📝Note: The line above is single line.

Then add the following text:

policy_time_limit = 3600smtpd_delay_reject = yes

smtpd_helo_required = yes

smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit

smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_policy_service unix:private/spfpolicy, permit

📝Note: smtpd_* lines shown above are individual long single lines. (Tip: smtpd_* till permit is one line.)

After you save this file, restart postfix service :

service postfix restart

That’s all. I hope it to be helpful to those switching to ISPConfig, or Postfix server in particular. You can discuss anything related to this in http://forums.wbitt.com