在Ubuntu上搭建邮件服务器(如Postfix + Dovecot)后,防垃圾邮件通常需要“多层防御”。下面按从外到内、从简单到进阶给你一套实战方案,适合生产环境。
编辑 /etc/postfix/main.cf:
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname
smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain
smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_destination,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain
✅ 作用:
安装检查工具:
sudo apt install postfix-policyd-spf-python
配置:
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
...
check_policy_service unix:private/policyd-spf
✅ 防止伪造发件人域名
安装:
sudo apt install opendkim opendkim-tools
关键配置:
# /etc/opendkim.conf
Domain example.com
KeyFile /etc/opendkim/keys/example.com.private
Selector mail
Socket inet:8891@localhost
Postfix 中启用:
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_protocol = 2
milter_default_action = accept
✅ 防止邮件被篡改、提高可信度
DNS 添加:
_dmarc.example.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
✅ 配合 SPF + DKIM
✅ 自动处理伪造邮件
smtpd_recipient_restrictions =
...
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net
⚠️ 注意:
sudo apt install spamassassin spamc
启用服务:
sudo systemctl enable spamassassin
sudo systemctl start spamassassin
Postfix 集成:
content_filter = smtp-amavis:[127.0.0.1]:10024
(通常配合 Amavis)
smtpd_client_connection_rate_limit = 20
smtpd_client_message_rate_limit = 10
sudo apt install postgrey
smtpd_recipient_restrictions =
check_policy_service inet:127.0.0.1:10023
✅ 可有效拦截“一次性垃圾服务器”
✅ 最低配置
✅ 标准配置
✅ 企业级
❌ 忘记 permit_mynetworks
❌ 同时启用太多 RBL
❌ 没做反向解析(PTR)
❌ 开放中继(被拉黑)
你可以直接告诉我:
我可以给你一份 可直接复制的配置文件模板。