Email is a pain: spam edition

DNSBL

A DNSBL is a system built upon DNS zones, in which anti-spam organizations publish lists of bad IPs/domains via their published zones. This allows others to query their DNS servers, ask whether a particular IP/domain is known to be bad, and make a policy decision based upon that. I’ll be blocking mail from any client that hits positive on any of a number of lists. It’s been a few years since I followed which DNSBLs were high quality and low on false positives, but since this is for a personal mail system I’m less risk averse and am fine with some false positives. As such, I’ll cast the net wide and use quite a few block lists.

DNSBLs will block mail right at the edge of the MTA, and can identify/block up to half of the spam that hits your system.

rspamd

rspamd docker

I’m not interested in putting too much time into maintaining the system, so I’ll just use a docker image to install rspamd. I used their generic docker-compose.yml file, and spun it up with docker-compose up -d

Configuring postfix

Let’s edit /etc/postfix/main.cf to reject mail at the RCPT TO phase of the email transaction.

smtpd_recipient_restrictions =
               reject_invalid_hostname,
               reject_unknown_recipient_domain,
               reject_unauth_pipelining,
               permit_mynetworks,
               reject_unauth_destination,
               reject_rbl_client zen.spamhaus.org,
               reject_rbl_client bl.spamcop.net,
               reject_rbl_client dnsbl.sorbs.net,
               reject_rbl_client cbl.abuseat.org,
               reject_rbl_client b.barracudacentral.org,
               reject_rbl_client dnsbl-1.uceprotect.net,
               permit

The ordering matters. Read top to bottom, this will reject clients whose HELO hostname is malformed (reject_invalid_hostname), reject mail to recipient domains that have no DNS records (reject_unknown_recipient_domain), reject clients that pipeline commands before they are allowed to, ALLOW anything connecting from mynetworks (so local clients never reach the block-list checks), reject relaying to domains that aren’t locally configured (reject_unauth_destination), reject clients listed on any of the block lists, and finally accept the mail in.
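To see what each reject_rbl_client line actually does on the wire, here is an added Python example (not from the original post) that builds the reversed-octet query for the zones listed above, interprets the answer per RFC 5782, and runs the RFC’s 127.0.0.2/127.0.0.1 sanity check that catches a dead or wildcarded list. The FAKE_DNS table is constructed data standing in for live answers; pass system_resolver (or omit the argument) to query for real.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Zones taken from the smtpd_recipient_restrictions block above.
ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "dnsbl.sorbs.net",
         "cbl.abuseat.org", "b.barracudacentral.org", "dnsbl-1.uceprotect.net"]
Resolver = Callable[[str], Optional[str]]  # name -> A record, or None if NXDOMAIN

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: 192.0.2.7 against zone Z becomes 7.2.0.192.Z (RFC 5782)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name: str) -> Optional[str]:
    """Live lookup through the OS resolver, for real use outside the demo."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip: str, zone: str, resolve: Resolver = system_resolver) -> bool:
    """A listing is an A record inside 127.0.0.0/8 (RFC 5782). Other answers, e.g. a
    wildcard from an expired zone, are ignored here; bare reject_rbl_client is stricter
    and rejects on any A record, which is why a dead zone can start blocking all mail."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")

def zone_is_healthy(zone: str, resolve: Resolver = system_resolver) -> bool:
    """RFC 5782 sanity check: a live list always lists 127.0.0.2 and never 127.0.0.1.
    A zone failing this is dead or wildcarded and should be dropped from main.cf."""
    return is_listed("127.0.0.2", zone, resolve) and not is_listed("127.0.0.1", zone, resolve)

def check_client(ip: str, resolve: Resolver = system_resolver) -> Dict[str, bool]:
    """Per-zone verdict for one connecting client, as reject_rbl_client would see it."""
    return {zone: is_listed(ip, zone, resolve) for zone in ZONES}

# Constructed DNS answers (not real list data) so the example runs offline.
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",        # RFC 5782 test entry present
    "7.2.0.192.zen.spamhaus.org": "127.0.0.4",        # 192.0.2.7 listed
    "7.2.0.192.bl.spamcop.net": "127.0.0.2",          # 192.0.2.7 listed here too
    "7.2.0.192.cbl.abuseat.org": "203.0.113.5",       # non-127/8 answer: not a listing
    "2.0.0.127.b.barracudacentral.org": "127.0.0.2",  # wildcarded zone lists everything,
    "1.0.0.127.b.barracudacentral.org": "127.0.0.2",  # including 127.0.0.1
}  # dnsbl-1.uceprotect.net answers nothing at all in this constructed data

if __name__ == "__main__":
    print(check_client("192.0.2.7", FAKE_DNS.get))
    print({z: zone_is_healthy(z, FAKE_DNS.get) for z in ZONES})
```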

Now we need to ensure that rspamd is tied in. We’ll use a milter for this. Our rspamd docker container exposes port 11332 for its milter interface, so let’s use that in our postfix config:

smtpd_milters = inet:localhost:8891,inet:localhost:11332

We had a previously existing milter setup for opendkim, so we’ve appended the new milter to it. Now simply restart postfix, double check the logs and we should be done (for a while).