From 7b86e0deb3d869d8bb0143db9d35e29b0bf0bcea Mon Sep 17 00:00:00 2001
From: Markus Katharina Brechtel <markus.katharina.brechtel@thengo.net>
Date: Mon, 18 Sep 2017 10:21:52 +0000
Subject: [PATCH] block spam with spamhaus

---
 templates/main.cf.j2 | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/templates/main.cf.j2 b/templates/main.cf.j2
index b9ca677..06eaa7c 100644
--- a/templates/main.cf.j2
+++ b/templates/main.cf.j2
@@ -31,7 +31,6 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 # information on enabling SSL in the smtp client.
 
-smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
 myhostname = tg-infra-dev-mail-1
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
@@ -43,6 +42,25 @@ recipient_delimiter = +
 inet_interfaces = all
 inet_protocols = all
 
+# some rules from http://www.postfix.org/SMTPD_ACCESS_README.html
+smtpd_client_restrictions = permit_mynetworks, reject
+smtpd_helo_restrictions = reject_unknown_helo_hostname
+smtpd_sender_restrictions = reject_unknown_sender_domain
+smtpd_data_restrictions = reject_unauth_pipelining
+
+smtpd_recipient_restrictions =
+  permit_mynetworks,
+  permit_sasl_authenticated,
+  reject_rbl_client zen.spamhaus.org,
+  reject_rhsbl_reverse_client dbl.spamhaus.org,
+  reject_rhsbl_helo dbl.spamhaus.org,
+  reject_rhsbl_sender dbl.spamhaus.org
+
+smtpd_relay_restrictions =
+  permit_mynetworks,
+  permit_sasl_authenticated,
+  defer_unauth_destination
+
 virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
 virtual_alias_maps =
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,