On Sun, 14 Jan 2018 15:36:40 +0000 (UTC) "J.W. Foster" <jfoster81...@yahoo.com> wrote:
> I am looking for a reliable step by step process for setting up an
> email server located on an existing website server.

As you say, you won't have trouble finding basic instructions. What you probably won't find is exactly what you're looking for.

> I have installed; exim4 light, dovecot, Thunderbird, OpenSSL, and TLS
> security. I have tried following several bits of documentation
> regarding this with some success, but as with every time I try this,
> I open up my system to SPAM at a ridiculous rate.

There *is* a ridiculous amount of spam flying about; there's nothing you can do about that. It's a lot less than it used to be: my record for mail server rejections in a day is over 12,000. Yes, that's three noughts, though it was many years ago.

> I want to eliminate that

That's probably too ambitious. What you should be able to do is to reduce it to a manageable amount.

I've taken this further than many people: nearly twenty years ago, I tried challenging the orthodox position that posting to Usenet and other fora should be done from a mangled or disposable address. I decided to use a normal, valid email address, and see what the consequences were.

I've tried SpamAssassin, but that seemed to need a great deal of maintenance, being an arms race between the spammers and me. Every couple of weeks, they would find a new technique that had to be explicitly dealt with. So now, in order of effectiveness:

1. Don't implement a catch-all address; this will indeed catch all of the spam. The greatest single anti-spam technique is for the SMTP server to accept mail only for the server's named users, which is the default. It's not quite as effective as it used to be, as almost all spam used to be NDR spam: deliberately misaddressed, in order to get a POP3-based system to bounce it to a forged Reply-To address, thereby laundering it. Much less NDR spam these days; only five out of my 13 rejects yesterday were NDR.

2. Refuse mail where there is no proper reverse DNS record (PTR) for the sender address. This is slightly risky, as a few small businesses use mail 'providers' who seem less than clued-up about running mail servers. You *do* have a static address and a proper A-PTR DNS record pair for your mail server, don't you? There will be trouble otherwise. I do drop the occasional debian-user email as the d-u DNS server seems a bit slow to respond sometimes. The Debian exim4 setup only provides a warning message about faulty reverse DNS, but I and most others change this to 'deny'. Four of the 13 rejects fell foul of this one.

3. Refuse mail from non-existent domains. Exim4 has fine control over sender verification, in that for senders with domains not hosted on the server, it can verify the domain only, while verifying the full email address for hosted domains. This allows rejection of made-up domains, which helps a little, though spammers can register unlimited silly domain names fairly cheaply. The sender verify will also pick up spammers claiming to be random users on your domain, a common trick.

4. Keep blacklists of IP CIDR blocks, spamming domain names and, if your business model allows, entire top-level domains. The files /etc/exim4/local_host and .._sender blacklists and whitelists are a convenient place for these. My current local_host_blacklist contains just over 500 CIDR blocks, including three /8 blocks. I also have a list of 34 country codes and the TLDs .win, .biz, .click and .zip, and reject sender address PTRs and HELO strings containing them.

There is a certain amount of spam that won't be caught this way. I have a ~/.forward file on the server that routes half a dozen types of machine email, including debian-user and logcheck stuff, into IMAP folders. I route about another forty entries into the Spam folder, such as 'medica', 'iploma' and other likely string fragments in the Subject: header, and 'googlegroups' and others in the From: header.

After all that, I still pick one or two spams a day out of my inbox, but I can live with that, and if any of them offend me sufficiently I might modify one of the defences to deal with it. Sometimes I do contact the senders' ISP where that may be helpful (from an .edu domain, for example), but usually it's a waste of effort. The big email providers like Google and Yahoo pretty much don't accept email abuse complaints, which is naughty.

As others have said, if you allow your mail server to be used as a relay, such as by applications, you need to allow relaying only of authenticated email from only those sources. There's loads of information about that on the Net. If you allow anyone who connects from outside to your mail server to relay (send email to someone your server doesn't store email for), then you will be found by spammers and your IP address blacklisted almost instantly. There are numerous websites which will test your mail server, and one of the tests is invariably for relaying.

Best of luck.

-- 
Joe
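As an added illustration (editor's example, not Joe's own configuration and not part of the original message) of what points 2 to 4 and the ~/.forward routing look like on a Debian exim4 split configuration. It assumes Debian's conf.d layout, the CHECK_RCPT_LOCAL_ACL_FILE include hook and the acl_local_deny_exceptions ACL that Debian's stock ACLs provide; the file path /etc/exim4/local_rcpt_acl, the Maildir++ folder layout under $home/Maildir, the List-Id and logcheck matches, and the CIDR blocks (RFC 5737 documentation ranges, not real spam sources) are all made up for the example.

```exim
# --- /etc/exim4/conf.d/main/000_localmacros (local macro overrides) ---

# Debian's stock ACL only adds an X-Host-Lookup-Failed: header when this
# is set; the hard reject is done in the local ACL file below.
CHECK_RCPT_REVERSE_DNS = true

# Keep Debian's default sender verification on. For domains this server
# hosts the full address is checked; for other domains only that the
# domain routes (MX or A record), which rejects made-up domains.
CHECK_RCPT_VERIFY_SENDER = true

# Debian's acl_check_rcpt .include's this file if the macro is defined.
CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/local_rcpt_acl

# --- /etc/exim4/local_host_blacklist (one host or CIDR block per line;
# Debian's acl_check_rcpt already denies anything listed here) ---
# constructed example entries: RFC 5737 documentation ranges
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24

# --- /etc/exim4/local_rcpt_acl (assumed path, included into acl_check_rcpt) ---

# Point 2: deny, rather than warn, when a remote host has no working PTR.
# $sender_host_address is set for every remote connection; $sender_host_name
# stays unset when the reverse lookup fails or defers. Hosts or senders in
# local_host_whitelist / local_sender_whitelist are exempted via Debian's
# acl_local_deny_exceptions.
deny
  !acl      = acl_local_deny_exceptions
  message   = Reverse DNS lookup failed for $sender_host_address
  condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}{yes}{no}}

# Point 4: reject hosts whose PTR name or HELO ends in one of the TLDs
# named in the message. The regex is anchored at the end, so a hostname
# like zip.example.org is not caught; (?i) makes it case-insensitive.
deny
  !acl      = acl_local_deny_exceptions
  message   = Mail from $sender_host_name (HELO $sender_helo_name) not accepted here
  condition = ${if or{{match{$sender_host_name}{\N(?i)\.(win|biz|click|zip)$\N}}\
                      {match{$sender_helo_name}{\N(?i)\.(win|biz|click|zip)$\N}}}{yes}{no}}

# --- ~/.forward (Exim filter; the first line must read exactly "# Exim filter") ---
# Exim filter
# Folder paths assume a Maildir++ layout under $home/Maildir; a trailing
# slash makes "save" deliver into a directory rather than an mbox file,
# the actual format being governed by the address_file transport.
if $h_list-id: contains "<debian-user.lists.debian.org>" then
  save $home/Maildir/.debian-user/
elif $h_from: contains "logcheck@" then
  save $home/Maildir/.logcheck/
elif $h_subject: contains "medica"
  or $h_subject: contains "iploma"
  or $h_from: contains "googlegroups" then
  save $home/Maildir/.Spam/
endif
```

After editing, run `update-exim4.conf` to regenerate the live configuration, then exercise the ACLs without sending anything with `exim4 -bh 203.0.113.5` (or another address you want to test): it runs a simulated SMTP session from that address and shows which ACL statement accepts or rejects each RCPT, so you can confirm the PTR and TLD rejections fire on the hosts you expect and, just as importantly, that your whitelist entries still get through.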