autoupdate

[postfix-master.git] / postfix-master / spam.html

<html>

<head>

<title> Postfix Configuration - SPAM Controls</title>

<META NAME="ROBOTS" CONTENT="NOINDEX,NOFOLLOW">
</head>

<body background="obsolete.gif">

<h1><a href="big-picture.html"><img src="small-picture.gif"></a> Postfix Configuration - SPAM Controls</h1>

<hr>

<p> <strong> Note: this web page is no longer maintained. It exists
only to avoid breaking links in web pages that describe earlier
versions of the Postfix mail system. </strong> </p>

<a href="config.html">Up one level</a> | <a href="basic.html">Basic
Configuration</a> | SPAM Controls | <a href="rate.html">Rate
Controls</a> | <a href="resource.html">Resource Controls</a> | <a
href="rewrite.html">Address Manipulation </a>

<h2> Introduction</h2>

Postfix offers a variety of parameters that limit the delivery of
unsolicited bulk email.

<p>

By default, the Postfix <a href="smtpd.8.html">SMTP server</a> will
accept mail only from or to the local network or domain, so that
your system can't be used as a mail relay to forward bulk mail from
random strangers.

<p>

The text in this document describes how you can set up more detailed
anti-SPAM policies that prevent delivery of unwanted email altogether,
for example with sendmail-style access lists or with <b>RBL</b>
(real-time blackhole) list name servers.

<p> Unless indicated otherwise, all parameters described here are
in the <b>main.cf</b> file. If you change parameters of a running
Postfix system, don't forget to issue a <b>postfix reload</b>
command.

<ul>

<li> <a href="#smtpd_client_restrictions">Client name/address
restrictions</a>

<p>

<li> <a href="#smtpd_require_helo">Require HELO (EHLO) command </a>

<p>

<li> <a href="#smtpd_helo_restrictions">HELO (EHLO) hostname
restrictions</a>

<p>

<li> <a href="#smtpd_sender_restrictions">Sender address restrictions
</a>

<p>

<li> <a href="#smtpd_recipient_restrictions">Recipient address
restrictions</a>

<p>

<li> <a href="#additional">Additional SPAM control parameters</a>

</ul>

<a name="smtpd_client_restrictions">

<h2> Client name/address restrictions</h2>

The <b>smtpd_client_restrictions</b> parameter restricts what
clients this system accepts SMTP connections from.

<p>

<dl>

<dt>Default:

<dd>Allow SMTP connections from any client.

<p>

<dt>Syntax:

<dd>Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order as
specified; the first restriction that matches wins.

<p>

<dt>Examples:

<dd> <b>smtpd_client_restrictions = hash:/etc/postfix/access,
reject_maps_rbl</b>

<dd> <b>smtpd_client_restrictions = permit_mynetworks,
reject_unknown_client</b>

<p>

<dt> Restrictions:

<dl>

<dt> <b>permit</b>

<dt> <b>reject</b> <dd> Permit (reject) the request. This restriction
is useful at the end of a restriction list, to make the default
policy explicit. The <b>reject_code</b> configuration parameter
specifies the response code to rejected requests (default:
<b>550</b>).

<p>

<dt> <b>reject_unknown_client</b> <dd> Reject when the client
hostname is unknown.  The <b>unknown_client_reject_code</b> parameter
specifies the response code to rejected requests (default:
<b>450</b>).

<p>

<dt> <b>permit_mynetworks</b> <dd> Permit when the client address
matches any network listed in <a href="basic.html#mynetworks">
$mynetworks</a>.

<p>

<dt> <b>check_client_access</b> <i>maptype</i>:<i>mapname</i>

<dt> <i>maptype</i>:<i>mapname</i> <dd> Search the named <a
href="access.5.html">access database</a> for the client name, parent
domains, client address, or networks obtained by stripping least
significant octets.  Reject if the result is <b>REJECT</b> or
"[<b>45</b>]<i>XX text</i>". Permit otherwise.  The
<b>access_map_reject_code</b> parameter specifies the response code
for <b>REJECT</b> results (default:  <b>550</b>).

<p>

<a name="reject_maps_rbl">

<dt> <b>reject_maps_rbl</b> <dd> Reject when the client network
address is listed under any of the domains listed in <a
href="#maps_rbl_domains">$maps_rbl_domains</a>. The <b>
maps_rbl_reject_code</b> parameter specifies the response code for
rejected requests (default: <b>550</b>).

</dl>

</dl>

<a name="smtpd_require_helo">

<h2> Require HELO (EHLO) command</h2>

The <b>smtpd_require_helo</b> parameter determines if clients must
send a <b>HELO</b> (<b>EHLO</b>) command at the beginning of an
SMTP session.  Requiring this will stop some SPAM software.

<p>

<dl>

<dt>Default:

<dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
does not require the use of <b>HELO</b> (<b>EHLO</b>).

<p>

<dt>Syntax:

<dd>Specify <b>yes</b> or <b>no</b>.

<p>

<dt>Example:

<dd> <b>smtpd_require_helo = yes</b>

</dl>

<a name="smtpd_helo_restrictions">

<h2> HELO (EHLO) hostname restrictions</h2>

The <b>smtpd_helo_restrictions</b> parameter restricts what hostnames
clients may send with the <b>HELO</b> (<b>EHLO</b>) command.  Some
SPAM software can be stopped by being strict here.

<dl>

<dt>Default:

<dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
accepts any hostname.

<p>

<dt>Syntax:

<dd>Specify a list of zero or more restrictions, separated by
whitespace or commas.  Restrictions are applied in the order as
specified; the first restriction that matches wins.

<p>

<dt>Example:

<dd> <b>smtpd_helo_restrictions = reject_invalid_hostname</b>

<p>

<dt> Restrictions:

<dl>

<dt> <b>permit</b>

<dt> <b>reject</b> <dd> Permit (reject) the request. This restriction
is useful at the end of a restriction list, to make the default
policy explicit. The <b>reject_code</b> configuration parameter
specifies the response code to rejected requests (default:
<b>550</b>).

<p>

<dt> <b>reject_unknown_client</b> <dd> Reject when the client
hostname is unknown.  The <b>unknown_client_reject_code</b> parameter
specifies the response code to rejected requests (default:
<b>450</b>).

<p>

<dt> <b>permit_mynetworks</b> <dd> Permit when the client address
matches any network listed in <a href="basic.html#mynetworks">
$mynetworks</a>.

<p>

<dt> <b>reject_invalid_hostname</b> <dd> Reject hostnames with bad
syntax. The <b>invalid_hostname_reject_code</b> specifies the
response code to rejected requests (default:  501).

<p>

<dt> <b>permit_naked_ip_address</b> <dd> Permit when the client
sends a naked IP address without the enclosing <b>[]</b> brackets
that the RFC requires. Unfortunately, some popular PC mail clients
send <b>HELO</b> greetings in this manner.

<p>

<dt> <b>reject_unknown_hostname</b> <dd> Reject when the hostname
has no DNS A or MX record. The <b>unknown_hostname_reject_code</b>
specifies the response code to rejected requests (default:
<b>450</b>).

<p>

<dt> <b>check_helo_access</b> <i>maptype</i>:<i>mapname</i>

<dt> <i>maptype</i>:<i>mapname</i> <dd> Search the named <a
href="access.5.html">access database</a> for the <b>HELO</b> hostname
or parent domains in the specified table.  Reject if result is
<b>REJECT</b> or "[<b>45</b>]<i>XX text</i>". Permit otherwise.
The <b>access_map_reject_code </b> parameter specifies the response
code for <b>REJECT</b> results (default: <b>550</b>).

<p>

<dt> <b>check_client_access</b> <i>maptype</i>:<i>mapname</i> <dd>
See <a href="#smtpd_client_restrictions">client name/address
restrictions</a>.

</dl>

</dl>

<a name="smtpd_sender_restrictions">

<h2> Sender address restrictions</h2>

The <b>smtpd_sender_restrictions</b> parameter restricts what sender
addresses this system accepts in MAIL FROM commands.

<p>

<dl>

<dt> Default:

<dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
accepts any sender address.

<p>

<dt>Syntax:

<dd>Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order as
specified; the first restriction that matches wins.

<p>

<dt> Example:

<dd> <b>smtpd_sender_restrictions = reject_unknown_address</b>

<p>

<dt> Restrictions:

<dl compact>

<dt> <b>permit</b>

<dt> <b>reject</b> <dd> Permit (reject) the request. This restriction
is useful at the end of a restriction list, to make the default
policy explicit. The <b>reject_code</b> configuration parameter
specifies the response code to rejected requests (default:
<b>550</b>).

<p>

<dt> <b>reject_unknown_client</b> <dd> Reject when the client
hostname is unknown.  The <b>unknown_client_reject_code</b> parameter
specifies the response code to rejected requests (default:
<b>450</b>).

<p>

<dt> <b>permit_mynetworks</b> <dd> Permit when the client address
matches any network listed in <a href="basic.html#mynetworks">
$mynetworks</a>.

<p>

<dt> <b>reject_unknown_address</b> <dd> Reject when the sender
address has no DNS A or MX record. The <b>unknown_address_reject_code
</b> parameter specifies the response code for rejected requests
(default:  <b>450</b>).

<p>

<dt> <b>check_sender_access</b> <i>maptype</i>:<i>mapname</i>

<dt> <i>maptype</i>:<i>mapname</i> <dd> Search the named <a
href="access.5.html">access database</a> for the sender address,
parent domain, or <i>localpart</i>@. Reject if the result is
<b>REJECT</b> or "[<b>45</b>]<i>XX text</i>". Permit otherwise.
The <b>access_map_reject_code </b> parameter specifies the result
code for rejected requests (default: <b>550</b>).

<p>

<dt> <b>check_client_access</b> <i>maptype</i>:<i>mapname</i> <dd>
See <a href="#smtpd_client_restrictions">client name/address
restrictions</a>.

<p>

<dt> <b>check_helo_access</b> <i>maptype</i>:<i>mapname</i> <dd>
See <a href="#smtpd_helo_restrictions">HELO hostname restrictions</a>.

</dl>

</dl>

<a name="smtpd_recipient_restrictions">

<h2> Recipient address restrictions</h2>

The <b>smtpd_recipient_restrictions</b> parameter restricts what
recipient addresses this system accepts in RCPT TO commands.

<dl>

<dt>Default:

<dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
forwards mail from any client that matches <a
href="basic.html#mynetworks">$mynetworks</a> or <a
href="#relay_domains">$relay_domains</a>, or to any destination
that matches <a href="#relay_domains"> $relay_domains</a>.

<p>

<dt>Syntax:

<dd>Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order as
specified; the first restriction that matches wins.

<p>

<dt> Example:

<dd> <b>smtpd_recipient_restrictions = permit_mynetworks,
check_relay_domains</b>

<p>

<dt> Restrictions:

<dl>

<dt> <b>permit</b>

<dt> <b>reject</b> <dd> Permit (reject) the request. This restriction
is useful at the end of a restriction list, to make the default
policy explicit. The <b>reject_code</b> configuration parameter
specifies the response code to rejected requests (default:
<b>550</b>).

<p>

<dt> <b>reject_unknown_client</b> <dd> Reject when the client
hostname is unknown.  The <b>unknown_client_reject_code</b> parameter
specifies the response code to rejected requests (default:
<b>450</b>).

<p>

<dt> <b>permit_mynetworks</b> <dd> Permit when the client address
matches any network listed in <a href="basic.html#mynetworks">
$mynetworks</a>.

<p>

<a name="check_relay_domains">

<dt> <b>check_relay_domains</b> <dd> Permit when the client hostname
matches <a href="#relay_domains">$relay_domains</a>, or when the
resolved destination address matches <a href="#relay_domains">
$relay_domains</a>, otherwise reject.  The <b>relay_domains_reject_code</b>
parameter specifies the response code for rejected requests (default:
<b>550</b>).

<p>

<a name="permit_mx_backup">

<dt> <b>permit_mx_backup</b> <dd> Permit when the local mail system
is MX host for the resolved destination. This includes the case
that the local mail system is the final destination.  Relevant
configuration parameters:  <a href="basic.html#mydestination">
$mydestination</a>, <a href="basic.html#inet_interfaces">
$inet_interfaces</a>.

<p>

<dt> <b>check_recipient_access</b> <i>maptype</i>:<i>mapname</i>

<dt> <i>maptype</i>:<i>mapname</i> <dd> Search the named <a
href="access.5.html">access database</a> for the resolved destination
address, parent domain, or <i>localpart</i>@. Reject if the result
is <b>REJECT</b> or "[<b>45</b>]<i>XX text</i>". Permit otherwise.
The <b>access_map_reject_code </b> parameter specifies the result
code for rejected requests (default: <b>550</b>).

<p>

<dt> <b>check_sender_access</b> <i>maptype</i>:<i>mapname</i> <dd>
See <a href="#smtpd_sender_restrictions">sender address restrictions</a>.

<p>

<dt> <b>check_client_access</b> <i>maptype</i>:<i>mapname</i> <dd>
See <a href="#smtpd_client_restrictions">client name/address
restrictions</a>.

<p>

<dt> <b>check_helo_access</b> <i>maptype</i>:<i>mapname</i> <dd>
See <a href="#smtpd_helo_restrictions">HELO hostname restrictions</a>.

</dl>

</dl>

<a name="additional">

<h2> Additional SPAM control parameters</h2>

<dl>

<a name="maps_rbl_domains">

<dt> <b>maps_rbl_domains</b>

<dd>This parameter controls the behavior of the <a
href="#reject_maps_rbl">reject_maps_rbl</a> restriction that can
appear as part of a client name/address restriction list.

<p>

<dl>

<dt>Default:

<dd><b>maps_rbl_domains = rbl.maps.vix.com</b>

<p>

Note: RBL lookups are disabled by default.

<p>

<dt>Syntax:

<dd> Zero or more DNS domains that blacklist client addresses.  A
host is blacklisted when its reversed IP address is listed as a
subdomain under any of the domains listed in <b>$maps_rbl_domains.</b>

</dl>

<p>

<a name="relay_domains">

<dt> <b>relay_domains</b>

<dd> This parameter controls the behavior of the <a
href="#check_relay_domains"> check_relay_domains</a> restriction
that can appear as part of a recipient address restriction list.

<p>

<dl>

<dt>Default:

<dd><b>relay_domains = <a href="basic.html#mydestination">
$mydestination</a>, <a href="rewrite.html#virtual">$virtual_maps</a>.</b>

<p>

<dt>Syntax:

<dd> Specify zero or more domain names, <i>/file/name</i> patterns
and/or <i>type</i>:<i>name</i> lookup tables, separated by whitespace
and/or commas.  A <i>/file/name</i> is replaced by its contents;
<i>type</i>:<i>name</i> requests that table lookup is done instead
of string comparison.

</dl>

<p>

A host or destination address matches <b>$relay_domains</b> when
its name or parent domain matches any of the names, files or lookup
tables listed in <b>$relay_domains.</b>

</dl>

<hr>

<a href="config.html">Up one level</a> | <a href="basic.html">Basic
Configuration</a> | SPAM Controls | <a href="rate.html">Rate
Controls</a> | <a href="resource.html">Resource Controls</a> | <a
href="rewrite.html">Address Manipulation </a>

</body>

</html>