Postfix – Configuration Tips to Fight Spam

The post Postfix – Configuration Tips to Fight Spam appeared first on Malware Expert.

In this guide you will learn how to tweak the default Postfix configuration for incoming email. You need to add or edit the following directives in the /etc/postfix/main.cf configuration file. All configuration directives are documented on the Postfix website.

Postfix Configuration Parameters

smtpd_helo_required = yes

Require that a remote SMTP client introduces itself with the HELO or EHLO command before sending the MAIL command or other commands that require EHLO negotiation.

smtpd_delay_reject = yes

Wait until the RCPT TO command before evaluating restrictions. This allows Postfix to log recipient address information when rejecting a client name/address or sender address, so that it is possible to find out whose mail is being rejected.

strict_rfc821_envelopes = yes

Require that addresses received in SMTP MAIL FROM and RCPT TO commands are enclosed with <>, and that those addresses do not contain RFC 822 style comments or phrases. This stops mail from poorly written software.

smtpd_recipient_restrictions

You can put the following access restrictions in the list that the Postfix SMTP server applies in the context of the RCPT TO command. They are evaluated in order and the first one that permits or rejects decides; a restriction prefixed with warn_if_reject is only logged, not enforced, which is useful while testing a new rule:

reject_invalid_helo_hostname – Reject the request when the HELO or EHLO hostname is malformed.

warn_if_reject reject_non_fqdn_helo_hostname – Reject the request when the HELO or EHLO hostname is not in fully-qualified domain or address literal form, as required by the RFC.

warn_if_reject reject_unknown_helo_hostname – Reject the request when the HELO or EHLO hostname has no DNS A or MX record.

warn_if_reject reject_unknown_reverse_client_hostname – Reject the request when the client IP address has no address -> name mapping.

reject_non_fqdn_sender – Reject the request when the MAIL FROM address is not in fully-qualified domain form, as required by the RFC.

reject_non_fqdn_recipient – Reject the request when the RCPT TO address is not in fully-qualified domain form, as required by the RFC.

reject_unknown_sender_domain – Reject the request when Postfix is not the final destination for the sender address, and the MAIL FROM domain has 1) no DNS MX and no DNS A record, or 2) a malformed MX record such as a record with a zero-length MX hostname.

reject_unknown_recipient_domain – Reject the request when Postfix is not the final destination for the recipient domain, and the RCPT TO domain has 1) no DNS MX and no DNS A record, or 2) a malformed MX record such as a record with a zero-length MX hostname.
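To see how Postfix walks such a list, here is an added Python simulation (not code from this post or from Postfix itself): it evaluates the smtpd_recipient_restrictions value used in the example main.cf of this guide against constructed SMTP sessions, with simplified checks and a constructed DNS/PTR table standing in for real lookups. The names DNS, PTR, CHECKS and evaluate are assumptions of this example.

```python
import ipaddress
import re
# Constructed stand-ins for DNS, PTR data and the main.cf settings (assumptions, not live lookups).
DNS = {"mail.example.com": {"A"}, "example.com": {"MX", "A"}, "spam.invalid": set()}
PTR = {"127.0.0.1", "198.51.100.20"}          # client IPs that have an address -> name mapping
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
MYDESTINATION = {"mx01.malware.expert", "localhost"}   # domains Postfix is final destination for
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^(?:{LABEL}(?:\.{LABEL})*|\[[0-9.]+\])$")   # hostname or [address literal]

def domain(addr):
    return addr.rpartition("@")[2].lower()
def is_fqdn(h):   # well-formed and dotted (as reject_non_fqdn_* require), or an address literal
    return bool(HOST_RE.match(h)) and ("." in h or h.startswith("["))
def known(name):  # "has a DNS A or MX record", looked up in the constructed table
    return bool(DNS.get(name.lower(), set()) & {"A", "MX"})

CHECKS = {   # one check per restriction in the list above: 'permit', 'reject' or None (no decision)
    "permit_mynetworks": lambda s: "permit" if any(ipaddress.ip_address(s["ip"]) in n for n in MYNETWORKS) else None,
    "reject_unauth_destination": lambda s: None if domain(s["rcpt"]) in MYDESTINATION else "reject",
    "reject_invalid_helo_hostname": lambda s: None if HOST_RE.match(s["helo"]) else "reject",
    "reject_non_fqdn_helo_hostname": lambda s: None if is_fqdn(s["helo"]) else "reject",
    "reject_unknown_helo_hostname": lambda s: None if s["helo"].startswith("[") or known(s["helo"]) else "reject",
    "reject_unknown_reverse_client_hostname": lambda s: None if s["ip"] in PTR else "reject",
    "reject_non_fqdn_sender": lambda s: None if "." in domain(s["sender"]) else "reject",
    "reject_non_fqdn_recipient": lambda s: None if "." in domain(s["rcpt"]) else "reject",
    "reject_unknown_sender_domain": lambda s: None if domain(s["sender"]) in MYDESTINATION or known(domain(s["sender"])) else "reject",
    "reject_unknown_recipient_domain": lambda s: None if domain(s["rcpt"]) in MYDESTINATION or known(domain(s["rcpt"])) else "reject",
}
RECIPIENT_RESTRICTIONS = (   # the smtpd_recipient_restrictions value of the example main.cf
    "permit_mynetworks reject_unauth_destination reject_invalid_helo_hostname warn_if_reject "
    "reject_non_fqdn_helo_hostname warn_if_reject reject_unknown_helo_hostname warn_if_reject "
    "reject_unknown_reverse_client_hostname reject_non_fqdn_sender reject_non_fqdn_recipient "
    "reject_unknown_sender_domain reject_unknown_recipient_domain")

def evaluate(restrictions, s):
    """Walk the list as smtpd does at RCPT TO: the first permit/reject decides, and a restriction
    prefixed with warn_if_reject only logs. Returns (verdict, deciding restriction, log lines)."""
    warnings, tokens = [], restrictions.split()
    for i, token in enumerate(tokens):
        if token == "warn_if_reject":
            continue
        verdict = CHECKS[token](s)
        if verdict == "reject" and i and tokens[i - 1] == "warn_if_reject":   # log only, keep going
            # constructed log format; with smtpd_delay_reject the line can name the recipient
            warnings.append(f"reject_warning: {token} from {s['ip']} helo=<{s['helo']}> from=<{s['sender']}> to=<{s['rcpt']}>")
            continue
        if verdict:
            return verdict, token, warnings
    return "permit", "end of list", warnings   # no restriction decided: Postfix permits
```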

Example main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP
biff = no
inet_protocols = ipv4

# appending .domain is the MUA's job.
append_dot_mydomain = no
readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/postfix/malware.expert.crt
smtpd_tls_key_file=/etc/postfix/malware.expert.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may

# Conf
delay_warning_time = 4h
bounce_queue_lifetime = 5d
maximal_queue_lifetime = 5d
smtp_connect_timeout = 10s
smtpd_helo_required = yes
# It allows Postfix to log recipient address information when rejecting a client name/address or sender address
smtpd_delay_reject = yes
strict_rfc821_envelopes = yes
message_size_limit = 50000000

# Maps to Relay & Transport (Domains and Destination routing)
relay_domains = proxy:mysql:/etc/postfix/postfix-mysql-relay_domains_maps.cf
transport_maps = proxy:mysql:/etc/postfix/postfix-mysql-transport_maps.cf

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = mx01.malware.expert
mydestination = $myhostname, localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
relayhost =
# Which servers are allowed to send outgoing emails
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

smtpd_sender_restrictions =
    permit_mynetworks
    reject_non_fqdn_sender
    reject_unknown_sender_domain

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_invalid_helo_hostname
    warn_if_reject reject_non_fqdn_helo_hostname
    warn_if_reject reject_unknown_helo_hostname
    warn_if_reject reject_unknown_reverse_client_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain

smtpd_data_restrictions =
    reject_unauth_pipelining
    reject_multi_recipient_bounce
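As an added example (not part of this post and not Postfix's own tooling), a small Python parser and audit for main.cf fragments like the one above: it honours the rule that a line starting with whitespace continues the previous value, shows why a trailing "# ..." on a parameter line is not a comment to Postfix, and checks the directives this guide recommends. MAIN_CF is a constructed fragment, and parse_main_cf, audit and SAFE_PERMITS are names assumed here.

```python
# Constructed main.cf fragment (assumption: it mirrors the example above, plus one deliberate
# trailing "# ..." that Postfix does NOT treat as a comment: only a line whose first non-blank
# character is '#' is a comment; anywhere else the '#' and what follows are part of the value).
MAIN_CF = """\
# Conf
smtpd_helo_required = yes
smtpd_delay_reject = yes
strict_rfc821_envelopes = yes
message_size_limit = 50000000 # Maps to Relay & Transport
myhostname = mx01.malware.expert
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    warn_if_reject reject_non_fqdn_helo_hostname
    reject_unknown_sender_domain
"""
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}   # may precede reject_unauth_destination

def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank or whole-line comment
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
            continue                      # continuation of a multi-line value
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def audit(params):
    """Findings against the directives this guide recommends (an audit, not Postfix's own check)."""
    findings = []
    for p in ("smtpd_helo_required", "smtpd_delay_reject", "strict_rfc821_envelopes"):
        if params.get(p) != "yes":
            findings.append(f"{p} should be yes, got {params.get(p)!r}")
    for p, v in params.items():
        if "#" in v:   # the classic main.cf mistake: a trailing comment becomes part of the value
            findings.append(f"{p} keeps a trailing '#...' as part of its value: {v!r}")
    rr = params.get("smtpd_recipient_restrictions", "").split()
    if "reject_unauth_destination" not in rr:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination (relay risk)")
    elif any(t.startswith("permit") and t not in SAFE_PERMITS for t in rr[:rr.index("reject_unauth_destination")]):
        findings.append("smtpd_recipient_restrictions: an unconditional permit precedes reject_unauth_destination")
    return findings
```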

Conclusion

It is very important to configure Postfix correctly to minimise incoming spam. You can also use RBL blacklists (DNS-based blocklists), which effectively block spam sent from infected servers.

Posted by Contributor