Ralfs
Postfix config

Links

postfix.org
openspf.org SPF: Sender Policy Framework
DomainKeys Yahoo! Anti-Spam Resource Center
Postgrey - Postfix Greylisting Policy Server
Open Relay DataBase
abuse.net contact database
CBL Lookup Utility
SpamCop Blocking List
Labs info: Jim Seymour's examples for Postfix anti-UCE
Dovecot / Dovecot Wiki

Config

Make Postfix the default MTA:
service sendmail stop
alternatives --config mta
service postfix start

chkconfig sendmail off
chkconfig postfix on
chkconfig dovecot on

nano /etc/procmail

# for procmail:
chmod 1777 /var/spool/mail
# or need to run:
chmod g+s /usr/bin/procmail

# check the size limits:
postconf mailbox_size_limit
postconf message_size_limit

/usr/share/squirrelmail/config/conf.pl
Show the settings explicitly configured in main.cf:
postconf -n

Main config

$ nano /etc/postfix/main.cf
# ...
myhostname = host.domain.tld
# ...
myorigin = $mydomain
# ...
inet_interfaces = all
# ...
mydestination = $myhostname, localhost.$mydomain, localhost
# ...
mynetworks = 192.168.9.0/24, 127.0.0.0/8
# ...
mailbox_command = /usr/bin/procmail
# ...
# intranet:
#relayhost = [an.ip.add.ress]
# ...

Blocking SPAM

Blocking SPAM (UCE) using Postfix
(commands slightly corrected):

SMTPD Client Restrictions

SMTPD client restrictions will put restrictions on what systems will be able to send mail through your server based on the client IP and host information (name). As restrictions are looked at in order, you will typically want to look at filters or restrictions that are based on local information first, in order to limit the external communications that will be initiated for each message.

Content of main.cf
smtpd_client_restrictions =
	check_client_access hash:/etc/postfix/maps/access_client,
	permit
Content of /etc/postfix/maps/access_client
62.84.23.234  REJECT
Compile access_client into access_client.db
cd /etc/postfix/maps
postmap hash:access_client
service postfix restart
Test the Client Restriction:
telnet testpc 25
HELO testpc
250 testpc.akadia.com
MAIL FROM: <tester@akadia.ch>
250 Ok
RCPT TO: <tester@akadia.ch>
554 <dclient62-84-23-234.hispeed.lv[62.84.23.234]>:
Client host rejected: Access denied

SMTPD RECIPIENT Restrictions

Note that all of the restrictions are in the recipient section because we like to have as much information as possible before rejecting an email. If you were to reject at smtpd_client_restrictions, then you would not be able to determine the helo, sender, and recipient information, which could help improve the filters.
smtpd_recipient_restrictions =
	permit_mynetworks,
	permit_sasl_authenticated,
	reject_unauth_destination,
	reject_invalid_hostname,
	reject_unauth_pipelining,
	reject_non_fqdn_sender,
	reject_unknown_sender_domain,
	reject_non_fqdn_recipient,
	reject_unknown_recipient_domain,
	check_client_access hash:/etc/postfix/maps/access_client,
	check_helo_access hash:/etc/postfix/maps/access_helo,
	check_sender_access hash:/etc/postfix/maps/access_sender,
	check_recipient_access hash:/etc/postfix/maps/access_recipient,
	reject_rhsbl_client blackhole.securitysage.com,
	reject_rhsbl_sender blackhole.securitysage.com,
	reject_rbl_client relays.ordb.org,
	reject_rbl_client blackholes.easynet.nl,
	reject_rbl_client cbl.abuseat.org,
	reject_rbl_client proxies.blackholes.wirehub.net,
	reject_rbl_client bl.spamcop.net,
	reject_rbl_client sbl.spamhaus.org,
	reject_rbl_client opm.blitzed.org,
	reject_rbl_client dnsbl.njabl.org,
	reject_rbl_client list.dsbl.org,
	reject_rbl_client multihop.dsbl.org,
	permit

By placing the RBL checks at the end, we are making sure that an external DNS check will only occur if nothing else will reject the spam message.

All of the anti-UCE checks are under smtpd_recipient_restrictions, instead of having a separate smtpd_client_restrictions. This is because, unless you have set smtpd_delay_reject = no (default is "yes"), no rejecting takes place until after RCPT TO anyway. It's easier, cleaner and more predictable when all of the anti-UCE stuff is under recipient restrictions.
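
The ordering argument from this section and from SMTPD Client Restrictions above, as an added example (not part of the original notes or of Postfix itself): a small Python model of first-match restriction evaluation that records every DNSBL query it would send. The DNSBL contents and the 203.0.113.7 client are constructed, and only the IP-address keys of the access map are modelled, not hostname keys.

```python
import ipaddress

# Constructed sample data, not taken from a live server.
ACCESS_CLIENT = {"62.84.23.234": "REJECT"}   # the page's access_client entry
LISTED = {"234.23.84.62.bl.spamcop.net"}     # pretend DNSBL contents
MYNETWORKS = [ipaddress.ip_network(n) for n in ("192.168.9.0/24", "127.0.0.0/8")]

def access_keys(ip):
    """IPv4 keys tried in an access(5) table: full address, then shorter prefixes."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]

def dnsbl_name(ip, zone):
    """DNSBL query name: client octets reversed, list zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def evaluate(restrictions, client_ip, dns_log):
    """Walk the list in order; the first decisive result ends evaluation."""
    addr = ipaddress.ip_address(client_ip)
    for entry in restrictions:
        name, _, arg = entry.partition(" ")
        if name == "permit":
            return "OK"
        if name == "permit_mynetworks" and any(addr in n for n in MYNETWORKS):
            return "OK"
        if name == "check_client_access":    # ACCESS_CLIENT stands in for the hash: table
            for key in access_keys(client_ip):
                if ACCESS_CLIENT.get(key, "DUNNO") != "DUNNO":
                    return ACCESS_CLIENT[key]
        if name == "reject_rbl_client":
            query = dnsbl_name(client_ip, arg)
            dns_log.append(query)            # an external DNS lookup happens here
            if query in LISTED:
                return "REJECT"
    return "DUNNO"

def run(restrictions, client_ip):
    log = []
    return evaluate(restrictions, client_ip, log), log

LOCAL_FIRST = ["permit_mynetworks",
               "check_client_access hash:/etc/postfix/maps/access_client",
               "reject_rbl_client cbl.abuseat.org", "reject_rbl_client bl.spamcop.net",
               "permit"]
DNSBL_FIRST = LOCAL_FIRST[2:4] + LOCAL_FIRST[:2] + ["permit"]

if __name__ == "__main__":
    for ip in ("62.84.23.234", "192.168.9.20", "203.0.113.7"):
        print(ip, run(LOCAL_FIRST, ip), run(DNSBL_FIRST, ip))
```

With the local checks first, the blocked client and the internal client are decided without any DNS traffic; with the DNSBL entries first, both cost two external lookups before reaching the same verdict.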

MailHub

Mailhub Configuration Mailhub by Ralf Hildebrandt
/etc/postfix/main.cf
smtpd_recipient_restrictions = 
	reject_non_fqdn_sender,
	reject_non_fqdn_recipient,
	reject_unknown_sender_domain,
	reject_unknown_recipient_domain,
	permit_mynetworks,
	reject_unauth_destination,
	check_recipient_access hash:/etc/postfix/recipient_checks,
	check_sender_access    hash:/etc/postfix/sender_checks,
	check_client_access    hash:/etc/postfix/client_checks,
	reject_unauth_pipelining,
	reject_invalid_hostname,
	reject_non_fqdn_hostname,
	reject_rbl_client      relays.ordb.org,
	reject_rbl_client      proxy.relays.osirusoft.com,
	reject_rbl_client      socks.relays.osirusoft.com,
	check_sender_access    hash:/etc/postfix/rhsbl_sender_domain_exceptions,
	reject_rhsbl_sender    dsn.rfc-ignorant.org,
	check_sender_access    hash:/etc/postfix/frequently_forged_senders,
	permit
# reject non FQ sender/recipients and unknown domains
# then allow local networks
# check for relaying
# apply recipient, sender and client checks first (to be able to make exceptions)
# refuse unauthorized pipelining
# check the HELO/EHLO parameter
# Perform lookups in DNS based blacklists
# reject mail from clients without hostname

Problems

Problem:

postfix/nqmgr[13311]: warning: connect to transport filter: Connection refused
Re: Can't connect to transport filter
From: Ralf Hildebrandt (Ralf.Hildebrandtcharite.de)
Date: Sun Mar 30 2003 - 13:10:12 CST

Try this:

postfix stop
postsuper -r ALL
postfix start 

Dovecot

If Dovecot does not recognise mailboxes automatically, set the location in /etc/dovecot.conf:
mail_location = mbox:~/mail