Dedicated Mail Server Hosting Multiple Domains – Step 5 – AntiSPAM
One of the biggest problems nowadays is spam, or bulk mail. In addition to the RBLs in the initial Postfix configuration, you can add some further blockers for spam that gets through.
Greylisting
One of the things you need to know about spammers is that they send tons of spam. They send so much spam that they don’t care about the bounces, and they don’t need to requeue mails that are rejected. So one method that comes in handy is to initially reject the mail (a temporary reject) and then, if it comes back within a certain amount of time from the initial rejection, accept it as legitimate. You can install postgrey (just yum install postgrey), and as you could probably see from the previous article, the Postfix part is already configured; all you need to do is start the service and enable it to start with your mail server.
SpamAssassin
To install everything you need, just do a yum install spamassassin spamass-milter-postfix, then systemctl enable spamassassin and systemctl enable spamass-milter.
You need to edit /etc/sysconfig/spamass-milter-postfix so that it looks like this:
SOCKET="inet:8892@localhost"
# SOCKET_OPTIONS="-g postfix"
To allow spamass-milter to listen on port 8892 under SELinux, type the following command into the shell:
semanage port -a -t milter_port_t -p tcp 8892
Then start spamassassin and spamass-milter (systemctl start spamassassin and systemctl start spamass-milter).
In Postfix you need to add:
milter_protocol = 6
milter_connect_timeout = 45s
milter_command_timeout = 45s
milter_content_timeout = 300s
milter_connect_macros = j {daemon_name} v {if_name} _
smtpd_milters = inet:127.0.0.1:8892
DKIM signing
To install the OpenDKIM signing daemon, do a yum install opendkim, then in /etc/opendkim.conf change or add these lines:
Mode sv
# KeyFile /etc/opendkim/keys/default.private
KeyTable /etc/opendkim/KeyTable
SigningTable /etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
Then, in /etc/opendkim/keys, create a folder for each domain you want to sign, cd to that folder and use the included utility to generate a key:
opendkim-genkey --selector=default --domain=domain.com
In that folder you will find two files called default.private and default.txt. The contents of default.txt need to be added to the DNS zone that handles the domain.
You need to populate the KeyTable and SigningTable files in the /etc/opendkim folder as follows:
KeyTable:
default._domainkey.domain.com domain.com:default:/etc/opendkim/keys/domain.com/default.private
SigningTable:
domain.com default._domainkey.domain.com
Then do a chown -R opendkim:opendkim /etc/opendkim/keys and start the daemon. In Postfix’s main.cf it is time to make a change:
smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8892
and restart Postfix.
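A consistency check for the KeyTable and SigningTable files described above, as an added example that is not part of the original article or of OpenDKIM. check_dkim_tables is a hypothetical helper name, and the sample files it runs on are constructed in a scratch directory; it reports SigningTable entries whose key is not defined in KeyTable and private key files that are missing or accessible to group or others.

```shell
#!/bin/sh
# Added example: cross-check OpenDKIM KeyTable and SigningTable files.
# check_dkim_tables is a hypothetical helper, not a tool shipped with OpenDKIM.
# Usage: check_dkim_tables KEYTABLE SIGNINGTABLE
# Prints one line per problem; returns 0 when clean, 1 otherwise.
check_dkim_tables() {
    keytable=$1 signingtable=$2 rc=0
    # SigningTable lines: "<domain> <key name>"; the key name must exist in KeyTable.
    while read -r pattern keyname rest || [ -n "$pattern" ]; do
        case $pattern in ''|'#'*) continue ;; esac
        if ! awk -v k="$keyname" '$1 == k { f = 1 } END { exit !f }' "$keytable"; then
            echo "SigningTable: $pattern uses key $keyname, not defined in KeyTable"
            rc=1
        fi
    done < "$signingtable"
    # KeyTable lines: "<key name> <domain>:<selector>:<private key path>"
    while read -r keyname spec rest || [ -n "$keyname" ]; do
        case $keyname in ''|'#'*) continue ;; esac
        keyfile=${spec#*:*:}    # strip "domain:selector:", leaving the path
        if [ "$keyfile" = "$spec" ] || [ -z "$keyfile" ]; then
            echo "KeyTable: $keyname is not domain:selector:path"
            rc=1
        elif [ ! -f "$keyfile" ]; then
            echo "KeyTable: $keyname points to missing file $keyfile"
            rc=1
        elif [ "$(ls -ldL "$keyfile" | cut -c5-10)" != "------" ]; then
            # Columns 5-10 of the mode string are the group and other bits.
            echo "KeyTable: $keyfile is accessible to group or others"
            rc=1
        fi
    done < "$keytable"
    return $rc
}

# Constructed sample data in a scratch directory (placeholder file, not a real key).
demo=$(mktemp -d)
mkdir -p "$demo/keys/domain.com"
echo "placeholder" > "$demo/keys/domain.com/default.private"
chmod 600 "$demo/keys/domain.com/default.private"
printf '%s\n' "default._domainkey.domain.com domain.com:default:$demo/keys/domain.com/default.private" > "$demo/KeyTable"
printf '%s\n' "domain.com default._domainkey.domain.com" \
    "example.org default._domainkey.example.org" > "$demo/SigningTable"
# example.org has no KeyTable entry, so exactly one problem is reported.
report=$(check_dkim_tables "$demo/KeyTable" "$demo/SigningTable")
echo "$report"
rm -rf "$demo"
```

On the real server, run it as check_dkim_tables /etc/opendkim/KeyTable /etc/opendkim/SigningTable after editing either file and before restarting the daemon.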