<html>
<head>
<title> Postfix Configuration - SPAM Controls</title>
<META NAME="ROBOTS" CONTENT="NOINDEX,NOFOLLOW">
</head>
<body background="obsolete.gif">
<h1><a href="big-picture.html"><img src="small-picture.gif"></a> Postfix Configuration - SPAM Controls</h1>
<hr>
<p> <strong> Note: this web page is no longer maintained. It exists
only to avoid breaking links in web pages that describe earlier
versions of the Postfix mail system. </strong> </p>
<a href="config.html">Up one level</a> | <a href="basic.html">Basic
Configuration</a> | SPAM Controls | <a href="rate.html">Rate
Controls</a> | <a href="resource.html">Resource Controls</a> | <a
href="rewrite.html">Address Manipulation </a>
<h2> Introduction</h2>
Postfix offers a variety of parameters that limit the delivery of
unsolicited bulk email.
<p>
By default, the Postfix <a href="smtpd.8.html">SMTP server</a> will
accept mail only from or to the local network or domain, so that
your system can't be used as a mail relay to forward bulk mail from
random strangers.
<p>
The text in this document describes how you can set up more detailed
anti-SPAM policies that prevent delivery of unwanted email altogether,
for example with sendmail-style access lists or with <b>RBL</b>
(real-time blackhole) list name servers.
<p> Unless indicated otherwise, all parameters described here are
in the <b>main.cf</b> file. If you change parameters of a running
Postfix system, don't forget to issue a <b>postfix reload</b>
command.
<ul>
<li> <a href="#smtpd_client_restrictions">Client name/address
restrictions</a>
<p>
<li> <a href="#smtpd_require_helo">Require HELO (EHLO) command </a>
<p>
<li> <a href="#smtpd_helo_restrictions">HELO (EHLO) hostname
restrictions</a>
<p>
<li> <a href="#smtpd_sender_restrictions">Sender address restrictions
</a>
<p>
<li> <a href="#smtpd_recipient_restrictions">Recipient address
restrictions</a>
<p>
<li> <a href="#additional">Additional SPAM control parameters</a>
</ul>
<a name="smtpd_client_restrictions"></a>
<h2> Client name/address restrictions</h2>
The <b>smtpd_client_restrictions</b> parameter restricts what
clients this system accepts SMTP connections from.
<p>
<dl>
<dt>Default:
<dd>Allow SMTP connections from any client.
<p>
<dt>Syntax:
<dd>Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order
specified; the first restriction that matches wins.
<dt>Examples:
<dd> <b>smtpd_client_restrictions = hash:/etc/postfix/access,
reject_maps_rbl</b>
<dd> <b>smtpd_client_restrictions = permit_mynetworks,
reject_unknown_client</b>
<dt> Restrictions:
<dl>
<dt> <b>permit</b>
<dt> <b>reject</b> <dd> Permit (reject) the request. This restriction
is useful at the end of a restriction list, to make the default
policy explicit. The <b>reject_code</b> configuration parameter
specifies the response code for rejected requests (default:
<b>550</b>).
<dt> <b>reject_unknown_client</b> <dd> Reject when the client
hostname is unknown. The <b>unknown_client_reject_code</b> parameter
specifies the response code for rejected requests (default:
<b>450</b>).
<dt> <b>permit_mynetworks</b> <dd> Permit when the client address
matches any network listed in <a href="basic.html#mynetworks">
$mynetworks</a>.
<dt> <b>check_client_access</b> <i>maptype</i>:<i>mapname</i>
<dt> <i>maptype</i>:<i>mapname</i> <dd> Search the named <a
href="access.5.html">access database</a> for the client name, parent
domains, client address, or networks obtained by stripping least
significant octets. Reject if the result is <b>REJECT</b> or
"[<b>45</b>]<i>XX text</i>". Permit otherwise. The
<b>access_map_reject_code</b> parameter specifies the response code
for <b>REJECT</b> results (default: <b>550</b>).
<a name="reject_maps_rbl"></a>
<dt> <b>reject_maps_rbl</b> <dd> Reject when the client network
address is listed under any of the domains listed in <a
href="#maps_rbl_domains">$maps_rbl_domains</a>. The
<b>maps_rbl_reject_code</b> parameter specifies the response code for
rejected requests (default: <b>550</b>).
</dl>
</dl>
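<p> The access database search order and the first-match rule described
above, as an added Python example (not part of the original Postfix
documentation or code). It is a simplified model: the table contents, the
<b>$mynetworks</b> value and the function names are constructed, and
treating a missing table entry as "try the next restriction" is an
assumption. </p>

```python
import ipaddress
import re

# Constructed sample access table (what hash:/etc/postfix/access might hold).
ACCESS = {
    "spam.example": "REJECT",
    "good.spam.example": "OK",
    "192.0.2": "550 no mail accepted from this network",
}
MYNETWORKS = ["10.0.0.0/8"]  # constructed value for $mynetworks

def client_lookup_keys(name, addr):
    """Keys in search order: name, parent domains, address, shorter networks."""
    labels = name.split(".") if name else []
    keys = [".".join(labels[i:]) for i in range(len(labels))]
    octets = addr.split(".")
    return keys + [".".join(octets[:n]) for n in range(4, 0, -1)]

def check_client_access(table, name, addr):
    """First key found decides; None means no entry (assumed: try next restriction)."""
    for key in client_lookup_keys(name, addr):
        if key in table:
            value = table[key]
            # REJECT or "[45]XX text" rejects; any other result permits.
            if value == "REJECT" or re.match(r"[45]\d\d(\s|$)", value):
                return "reject"
            return "permit"
    return None

def evaluate(restrictions, name, addr, table=ACCESS, mynetworks=MYNETWORKS):
    """Apply restrictions in the order given; the first one that matches wins."""
    ip = ipaddress.ip_address(addr)
    for r in restrictions:
        if r in ("permit", "reject"):
            return r
        if r == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in mynetworks):
                return "permit"
        elif r == "reject_unknown_client":
            if name is None:  # None models an unknown client hostname
                return "reject"
        elif r == "check_client_access":
            verdict = check_client_access(table, name, addr)
            if verdict:
                return verdict
    return "permit"  # page default: allow SMTP connections from any client
```

<p> Swapping <b>permit_mynetworks</b> and <b>reject_unknown_client</b> in
the list changes the verdict for an internal client without a hostname,
which is why the order of a restriction list deserves review. </p>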
<a name="smtpd_require_helo"></a>
<h2> Require HELO (EHLO) command</h2>
The <b>smtpd_require_helo</b> parameter determines if clients must
send a <b>HELO</b> (<b>EHLO</b>) command at the beginning of an
SMTP session. Requiring this will stop some SPAM software.
<dl>
<dt>Default:
<dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
does not require the use of <b>HELO</b> (<b>EHLO</b>).
<dt>Syntax:
<dd>Specify <b>yes</b> or <b>no</b>.
<dt>Example:
<dd> <b>smtpd_require_helo = yes</b>
</dl>
<a name="smtpd_helo_restrictions"></a>
<h2> HELO (EHLO) hostname restrictions</h2>
The <b>smtpd_helo_restrictions</b> parameter restricts what hostnames
clients may send with the <b>HELO</b> (<b>EHLO</b>) command. Some
SPAM software can be stopped by being strict here.
<dl>
<dt>Default:
<dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
accepts any hostname.
<dt>Syntax:
<dd>Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order
specified; the first restriction that matches wins.
<dt>Example:
<dd> <b>smtpd_helo_restrictions = reject_invalid_hostname</b>
<dt> Restrictions:
<dl>
<dt> <b>permit</b>
<dt> <b>reject</b> <dd> Permit (reject) the request. This restriction
is useful at the end of a restriction list, to make the default
policy explicit. The <b>reject_code</b> configuration parameter
specifies the response code for rejected requests (default:
<b>550</b>).
<dt> <b>reject_unknown_client</b> <dd> Reject when the client
hostname is unknown. The <b>unknown_client_reject_code</b> parameter
specifies the response code for rejected requests (default:
<b>450</b>).
<dt> <b>permit_mynetworks</b> <dd> Permit when the client address
matches any network listed in <a href="basic.html#mynetworks">
$mynetworks</a>.
<dt> <b>reject_invalid_hostname</b> <dd> Reject hostnames with bad
syntax. The <b>invalid_hostname_reject_code</b> parameter specifies the
response code for rejected requests (default: <b>501</b>).
<dt> <b>permit_naked_ip_address</b> <dd> Permit when the client
sends a naked IP address without the enclosing <b>[]</b> brackets
that the RFC requires. Unfortunately, some popular PC mail clients
send <b>HELO</b> greetings in this manner.
<dt> <b>reject_unknown_hostname</b> <dd> Reject when the hostname
has no DNS A or MX record. The <b>unknown_hostname_reject_code</b>
parameter specifies the response code for rejected requests (default:
<b>450</b>).
<dt> <b>check_helo_access</b> <i>maptype</i>:<i>mapname</i>
<dt> <i>maptype</i>:<i>mapname</i> <dd> Search the named <a
href="access.5.html">access database</a> for the <b>HELO</b> hostname
or parent domains in the specified table. Reject if the result is
<b>REJECT</b> or "[<b>45</b>]<i>XX text</i>". Permit otherwise.
The <b>access_map_reject_code</b> parameter specifies the response
code for <b>REJECT</b> results (default: <b>550</b>).
<dt> <b>check_client_access</b> <i>maptype</i>:<i>mapname</i> <dd>
See <a href="#smtpd_client_restrictions">client name/address
restrictions</a>.
</dl>
</dl>
<a name="smtpd_sender_restrictions"></a>
<h2> Sender address restrictions</h2>
The <b>smtpd_sender_restrictions</b> parameter restricts what sender
addresses this system accepts in MAIL FROM commands.
<dl>
<dt> Default:
<dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
accepts any sender address.
<dt>Syntax:
<dd>Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order
specified; the first restriction that matches wins.
<dt> Example:
<dd> <b>smtpd_sender_restrictions = reject_unknown_address</b>
<dt> Restrictions:
<dl compact>
<dt> <b>permit</b>
<dt> <b>reject</b> <dd> Permit (reject) the request. This restriction
is useful at the end of a restriction list, to make the default
policy explicit. The <b>reject_code</b> configuration parameter
specifies the response code for rejected requests (default:
<b>550</b>).
<dt> <b>reject_unknown_client</b> <dd> Reject when the client
hostname is unknown. The <b>unknown_client_reject_code</b> parameter
specifies the response code for rejected requests (default:
<b>450</b>).
<dt> <b>permit_mynetworks</b> <dd> Permit when the client address
matches any network listed in <a href="basic.html#mynetworks">
$mynetworks</a>.
<dt> <b>reject_unknown_address</b> <dd> Reject when the sender
address has no DNS A or MX record. The
<b>unknown_address_reject_code</b> parameter specifies the response
code for rejected requests (default: <b>450</b>).
<dt> <b>check_sender_access</b> <i>maptype</i>:<i>mapname</i>
<dt> <i>maptype</i>:<i>mapname</i> <dd> Search the named <a
href="access.5.html">access database</a> for the sender address,
parent domain, or <i>localpart</i>@. Reject if the result is
<b>REJECT</b> or "[<b>45</b>]<i>XX text</i>". Permit otherwise.
The <b>access_map_reject_code</b> parameter specifies the result
code for rejected requests (default: <b>550</b>).
<dt> <b>check_client_access</b> <i>maptype</i>:<i>mapname</i> <dd>
See <a href="#smtpd_client_restrictions">client name/address
restrictions</a>.
<dt> <b>check_helo_access</b> <i>maptype</i>:<i>mapname</i> <dd>
See <a href="#smtpd_helo_restrictions">HELO hostname restrictions</a>.
</dl>
</dl>
<a name="smtpd_recipient_restrictions"></a>
<h2> Recipient address restrictions</h2>
The <b>smtpd_recipient_restrictions</b> parameter restricts what
recipient addresses this system accepts in RCPT TO commands.
<dl>
<dt>Default:
<dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
forwards mail from any client that matches <a
href="basic.html#mynetworks">$mynetworks</a> or <a
href="#relay_domains">$relay_domains</a>, or to any destination
that matches <a href="#relay_domains"> $relay_domains</a>.
<dt>Syntax:
<dd>Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order
specified; the first restriction that matches wins.
<dt> Example:
<dd> <b>smtpd_recipient_restrictions = permit_mynetworks,
check_relay_domains</b>
<dt> Restrictions:
<dl>
<dt> <b>permit</b>
<dt> <b>reject</b> <dd> Permit (reject) the request. This restriction
is useful at the end of a restriction list, to make the default
policy explicit. The <b>reject_code</b> configuration parameter
specifies the response code for rejected requests (default:
<b>550</b>).
<dt> <b>reject_unknown_client</b> <dd> Reject when the client
hostname is unknown. The <b>unknown_client_reject_code</b> parameter
specifies the response code for rejected requests (default:
<b>450</b>).
<dt> <b>permit_mynetworks</b> <dd> Permit when the client address
matches any network listed in <a href="basic.html#mynetworks">
$mynetworks</a>.
<a name="check_relay_domains"></a>
<dt> <b>check_relay_domains</b> <dd> Permit when the client hostname
matches <a href="#relay_domains">$relay_domains</a>, or when the
resolved destination address matches <a href="#relay_domains">
$relay_domains</a>, otherwise reject. The <b>relay_domains_reject_code</b>
parameter specifies the response code for rejected requests (default:
<b>550</b>).
<a name="permit_mx_backup"></a>
<dt> <b>permit_mx_backup</b> <dd> Permit when the local mail system
is an MX host for the resolved destination. This includes the case
that the local mail system is the final destination. Relevant
configuration parameters: <a href="basic.html#mydestination">
$mydestination</a>, <a href="basic.html#inet_interfaces">
$inet_interfaces</a>.
<dt> <b>check_recipient_access</b> <i>maptype</i>:<i>mapname</i>
<dt> <i>maptype</i>:<i>mapname</i> <dd> Search the named <a
href="access.5.html">access database</a> for the resolved destination
address, parent domain, or <i>localpart</i>@. Reject if the result
is <b>REJECT</b> or "[<b>45</b>]<i>XX text</i>". Permit otherwise.
The <b>access_map_reject_code</b> parameter specifies the result
code for rejected requests (default: <b>550</b>).
<dt> <b>check_sender_access</b> <i>maptype</i>:<i>mapname</i> <dd>
See <a href="#smtpd_sender_restrictions">sender address restrictions</a>.
<dt> <b>check_client_access</b> <i>maptype</i>:<i>mapname</i> <dd>
See <a href="#smtpd_client_restrictions">client name/address
restrictions</a>.
<dt> <b>check_helo_access</b> <i>maptype</i>:<i>mapname</i> <dd>
See <a href="#smtpd_helo_restrictions">HELO hostname restrictions</a>.
</dl>
</dl>
<a name="additional"></a>
<h2> Additional SPAM control parameters</h2>
<dl>
<a name="maps_rbl_domains"></a>
<dt> <b>maps_rbl_domains</b>
<dd>This parameter controls the behavior of the <a
href="#reject_maps_rbl">reject_maps_rbl</a> restriction that can
appear as part of a client name/address restriction list.
<dl>
<dt>Default:
<dd><b>maps_rbl_domains = rbl.maps.vix.com</b>
Note: RBL lookups are disabled by default.
<dt>Syntax:
<dd> Zero or more DNS domains that blacklist client addresses. A
host is blacklisted when its reversed IP address is listed as a
subdomain under any of the domains listed in <b>$maps_rbl_domains</b>.
</dl>
<a name="relay_domains"></a>
<dt> <b>relay_domains</b>
<dd> This parameter controls the behavior of the <a
href="#check_relay_domains"> check_relay_domains</a> restriction
that can appear as part of a recipient address restriction list.
<dl>
<dt>Default:
<dd><b>relay_domains = <a href="basic.html#mydestination">
$mydestination</a>, <a href="rewrite.html#virtual">$virtual_maps</a></b>.
<dt>Syntax:
<dd> Specify zero or more domain names, <i>/file/name</i> patterns
and/or <i>type</i>:<i>name</i> lookup tables, separated by whitespace
and/or commas. A <i>/file/name</i> is replaced by its contents;
<i>type</i>:<i>name</i> requests that a table lookup is done instead
of string comparison.
</dl>
A host or destination address matches <b>$relay_domains</b> when
its name or parent domain matches any of the names, files or lookup
tables listed in <b>$relay_domains</b>.
</dl>
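<p> The RBL query name and the <b>$relay_domains</b> match described
above, as an added Python example (not part of the original Postfix
documentation or code). The <b>LISTED</b> set stands in for DNS answers,
the <b>$relay_domains</b> value and the function names are constructed,
and only plain domain names are modelled, not files or lookup tables. </p>

```python
import ipaddress

MAPS_RBL_DOMAINS = ["rbl.maps.vix.com"]      # default value given on this page
LISTED = {"25.2.0.192.rbl.maps.vix.com"}     # constructed stand-in for DNS answers
RELAY_DOMAINS = ["example.com"]              # constructed $relay_domains value

def rbl_query_names(addr, domains=MAPS_RBL_DOMAINS):
    """Reverse the IPv4 octets and append each RBL domain."""
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    reversed_ip = ".".join(reversed(octets))
    return [f"{reversed_ip}.{domain}" for domain in domains]

def reject_maps_rbl(addr, resolves=LISTED.__contains__):
    """True when any query name exists; `resolves` is a hypothetical DNS hook."""
    return any(resolves(name) for name in rbl_query_names(addr))

def matches_relay_domains(name, relay_domains=RELAY_DOMAINS):
    """True when the name or one of its parent domains is listed."""
    if not name:
        return False
    labels = name.lower().split(".")
    # Compare whole labels, so "notexample.com" does not match "example.com".
    return any(".".join(labels[i:]) in relay_domains for i in range(len(labels)))

def check_relay_domains(client_name, destination):
    """Permit on a client-hostname or destination match, otherwise reject."""
    if matches_relay_domains(client_name) or matches_relay_domains(destination):
        return "permit"
    return "reject"

if __name__ == "__main__":
    print(rbl_query_names("192.0.2.25"))                           # query name sent to the RBL zone
    print(reject_maps_rbl("192.0.2.25"))                           # listed client
    print(check_relay_domains("client.example.net", "example.org"))  # third-party relay attempt
    print(check_relay_domains("pc7.example.com", "example.org"))     # client hostname match
```

<p> The last call is permitted on the client hostname alone, so every
entry in <b>$relay_domains</b> also widens the set of clients that may
relay to any destination. </p>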
<hr>
</body>
</html>