Once Postfix is up and you have tested delivery to external mailboxes and receiving mail from them, you can add the anti-spam protection from the article on the Postfix site (SMTPD_ACCESS_README).
# Check helo/ehlo
smtpd_helo_required = yes

# Don't accept mail from domains that don't exist.
# warn_if_reject only covers the restriction that immediately follows it.
smtpd_sender_restrictions = warn_if_reject reject_unknown_sender_domain

# Relay control (Postfix 2.10 and later): local clients and
# authenticated clients may specify any destination domain.
# Never put reject_unauth_destination behind warn_if_reject: that would
# turn the server into an open relay for the duration of the test.
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Spam control: exclude local clients and authenticated clients
# from DNSBL lookups. Each DNSBL check is prefixed with warn_if_reject so
# that, while testing, a hit is logged as reject_warning instead of being
# enforced; drop the prefixes once the log looks right.
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    # reject_unauth_destination is not needed here if the mail
    # relay policy is specified under smtpd_relay_restrictions
    # (available with Postfix 2.10 and later).
    reject_unauth_destination,
    warn_if_reject reject_rbl_client zen.spamhaus.org,
    warn_if_reject reject_rhsbl_reverse_client dbl.spamhaus.org,
    warn_if_reject reject_rhsbl_helo dbl.spamhaus.org,
    warn_if_reject reject_rhsbl_sender dbl.spamhaus.org
I added warn_if_reject so that a hit is only logged as a warning instead of rejecting the message. Note that warn_if_reject applies only to the restriction immediately following it: placed once at the head of a list, it covers only permit_mynetworks (which never rejects), while the reject_* restrictions further down still reject for real, so every check you want to run in warn mode has to be prefixed individually. The article shows how to tighten things further, but it also warns which things may stop working if you do.
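Once the checks run in warn mode, the point of the exercise is to read back what Postfix would have rejected. The following is an added example, not code from the page or from Postfix: it summarises smtpd log lines by outcome, reject_warning entries (logged only) against real rejects, grouped by the restriction or DNSBL zone that fired. The log lines embedded in it are constructed in the format smtpd uses; on a server, feed it the lines from /var/log/mail.log instead.

```python
"""Summarise a warn_if_reject test run from Postfix smtpd log lines.

Added example, not part of the page or of Postfix. smtpd logs a
warn_if_reject hit as "NOQUEUE: reject_warning: ..." and a real
rejection as "NOQUEUE: reject: ..."; the script groups both by the
restriction (or DNSBL zone) that fired. SAMPLE_LOG is constructed in
that format; on a server, feed it the lines from /var/log/mail.log.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Nov  5 10:23:45 mail postfix/smtpd[1201]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<a@example.net> to=<user@ttt.pp.ua> proto=ESMTP helo=<example.net>
Nov  5 10:24:02 mail postfix/smtpd[1201]: NOQUEUE: reject_warning: RCPT from mx.example.org[198.51.100.7]: 554 5.7.1 Service unavailable; Sender address [b@bad.example] blocked using dbl.spamhaus.org; from=<b@bad.example> to=<user@ttt.pp.ua> proto=ESMTP helo=<mx.example.org>
Nov  5 10:25:10 mail postfix/smtpd[1202]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 454 4.7.1 <victim@other.example>: Relay access denied; from=<c@example.com> to=<victim@other.example> proto=ESMTP helo=<example.com>
Nov  5 10:26:33 mail postfix/smtpd[1202]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.5]: 450 4.1.8 <d@nxdomain.invalid>: Sender address rejected: Domain not found; from=<d@nxdomain.invalid> to=<user@ttt.pp.ua> proto=ESMTP helo=<foo>
Nov  5 10:27:01 mail postfix/smtpd[1203]: connect from mx.example.org[198.51.100.7]
"""

LINE_RE = re.compile(
    r"NOQUEUE: (?P<action>reject_warning|reject): (?P<stage>\w+) from "
    r"(?P<client>\S+): (?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>"
)
# "<class> [<what>] blocked using <zone>" is the default_rbl_reply shape.
RBL_RE = re.compile(r"; ([A-Za-z ]+?) \[[^\]]*\] blocked using ([^\s;]+)")


def classify(reason):
    """Name the restriction from the reply text Postfix logged."""
    m = RBL_RE.search(reason)
    if m:                                  # reject_rbl_client / reject_rhsbl_*
        return f"{m.group(1)} / {m.group(2)}"
    if "Relay access denied" in reason:
        return "reject_unauth_destination"
    if "Domain not found" in reason:
        return "reject_unknown_sender_domain"
    return "other"


def parse(log_text):
    """Return one dict per reject/reject_warning line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            event = m.groupdict()
            event["restriction"] = classify(event["reason"])
            events.append(event)
    return events


def summarise(log_text):
    """Return (would_have_rejected, rejected): hit counts per restriction."""
    warn, real = Counter(), Counter()
    for e in parse(log_text):
        target = warn if e["action"] == "reject_warning" else real
        target[e["restriction"]] += 1
    return dict(warn), dict(real)


if __name__ == "__main__":
    warn, real = summarise(SAMPLE_LOG)
    print("would have rejected (warn_if_reject):", warn)
    print("rejected for real:", real)
```

Anything that shows up only under "would have rejected" is what you lose by dropping the warn_if_reject prefixes; the relay rejection in the sample stays a real reject because reject_unauth_destination should never be in warn mode.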
Summary table from the article:
Restriction list name | Version | Status | Effect of REJECT or DEFER result |
---|---|---|---|
smtpd_client_restrictions | All | Optional | Reject all client commands |
smtpd_helo_restrictions | All | Optional | Reject HELO/EHLO information |
smtpd_sender_restrictions | All | Optional | Reject MAIL FROM information |
smtpd_relay_restrictions | ≥ 2.10 | Required if smtpd_recipient_restrictions does not enforce relay policy | Reject RCPT TO information |
smtpd_relay_restrictions | < 2.10 | Not available | |
smtpd_recipient_restrictions | ≥ 2.10 | Required if smtpd_relay_restrictions does not enforce relay policy | Reject RCPT TO information |
smtpd_recipient_restrictions | < 2.10 | Required | Reject RCPT TO information |
smtpd_data_restrictions | ≥ 2.0 | Optional | Reject DATA command |
smtpd_end_of_data_restrictions | ≥ 2.2 | Optional | Reject END-OF-DATA command |
smtpd_etrn_restrictions | All | Optional | Reject ETRN command |
The article also describes how to add an exception. For example:
Here is an example that shows when a PERMIT result can result in too much access permission:

1 /etc/postfix/main.cf:
2     smtpd_recipient_restrictions =
3         permit_mynetworks
4         check_helo_access hash:/etc/postfix/helo_access
5         reject_unknown_helo_hostname
6         reject_unauth_destination
7
8 /etc/postfix/helo_access:
9     localhost.localdomain PERMIT

Line 5 rejects mail from hosts that don't specify a proper hostname in the HELO command (with Postfix < 2.3, specify reject_unknown_hostname). Lines 4 and 9 make an exception to allow mail from some machine that announces itself with "HELO localhost.localdomain". The catch is that PERMIT ends the evaluation of the whole list: a client that sends "HELO localhost.localdomain" never reaches reject_unauth_destination on line 6, so it can relay through the server to any destination. Use OK/PERMIT in an access map only when every later restriction in that list may safely be skipped.
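Both points above, that warn_if_reject covers only the next restriction and that a PERMIT from an access map ends the list, are easy to check against a model. The following is an added example, not code from the page or from Postfix: a small evaluator that walks a restriction list by the documented rules. Commas and whitespace both separate tokens in main.cf, so the lists are written one restriction per entry. The network data it uses (mynetworks, mydestination, a DNSBL listing, resolvable HELO names, the helo_access table) are constructed in-memory stand-ins, so it runs offline.

```python
"""Model of how Postfix walks an smtpd restriction list.

Added example, not Postfix code. It follows the documented rules:
restrictions are evaluated left to right; PERMIT and REJECT end the
list, DUNNO falls through to the next one; warn_if_reject turns only the
*next* restriction's REJECT into a logged reject_warning. All network
data below are constructed stand-ins so the script runs offline.
"""
from dataclasses import dataclass, field
import ipaddress

MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/24")]
MYDESTINATION = {"ttt.pp.ua", "mail.ttt.pp.ua", "localhost"}
DNSBL = {"zen.spamhaus.org": {"203.0.113.5"}}        # constructed: listed client IPs
KNOWN_HELO = {"mx.example.org", "mail.ttt.pp.ua"}    # constructed: resolvable HELO names
ACCESS_MAPS = {                                      # constructed: postmap'd tables
    "hash:/etc/postfix/helo_access": {"localhost.localdomain": "PERMIT"},
}


@dataclass
class Session:
    client_ip: str
    helo: str
    sender: str
    recipient: str
    sasl: bool = False
    log: list = field(default_factory=list)


def _check(name, arg, s):
    """One restriction: returns ('PERMIT' | 'REJECT' | 'DUNNO', reason)."""
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(s.client_ip)
        return ("PERMIT" if any(ip in n for n in MYNETWORKS) else "DUNNO"), ""
    if name == "permit_sasl_authenticated":
        return ("PERMIT" if s.sasl else "DUNNO"), ""
    if name == "reject_unauth_destination":
        local = s.recipient.rpartition("@")[2] in MYDESTINATION
        return ("DUNNO" if local else "REJECT"), "Relay access denied"
    if name == "reject_rbl_client":
        listed = s.client_ip in DNSBL.get(arg, ())
        return ("REJECT" if listed else "DUNNO"), f"blocked using {arg}"
    if name == "reject_unknown_helo_hostname":
        known = s.helo in KNOWN_HELO
        return ("DUNNO" if known else "REJECT"), "Helo command rejected: Host not found"
    if name == "check_helo_access":
        value = ACCESS_MAPS[arg].get(s.helo, "DUNNO")
        outcome = {"OK": "PERMIT", "PERMIT": "PERMIT", "REJECT": "REJECT"}.get(value, "DUNNO")
        return outcome, f"helo_access {value}"
    raise ValueError(f"unsupported restriction {name}")


def evaluate(restrictions, s):
    """Walk the list; returns PERMIT, REJECT or DUNNO (list exhausted)."""
    warn_next = False
    for item in restrictions:
        name, _, arg = item.partition(" ")
        if name == "warn_if_reject":          # pseudo-restriction: arm the flag
            warn_next = True
            continue
        result, reason = _check(name, arg, s)
        if result == "REJECT" and warn_next:  # logged only, evaluation goes on
            s.log.append(f"reject_warning: {reason}")
            result = "DUNNO"
        elif result == "REJECT":
            s.log.append(f"reject: {reason}")
        warn_next = False                     # the flag covers one restriction only
        if result != "DUNNO":
            return result
    return "DUNNO"


def run(restrictions, **session):
    s = Session(**session)
    return evaluate(restrictions, s), s.log


# warn_if_reject at the head of the list covers only permit_mynetworks.
PAGE_LIST = ["warn_if_reject", "permit_mynetworks", "permit_sasl_authenticated",
             "reject_unauth_destination", "reject_rbl_client zen.spamhaus.org"]
# The flag must sit directly in front of the check under test.
TEST_LIST = ["permit_mynetworks", "permit_sasl_authenticated",
             "reject_unauth_destination",
             "warn_if_reject", "reject_rbl_client zen.spamhaus.org"]
# The PERMIT pitfall from the Postfix documentation example.
HELO_LIST = ["permit_mynetworks", "check_helo_access hash:/etc/postfix/helo_access",
             "reject_unknown_helo_hostname", "reject_unauth_destination"]

if __name__ == "__main__":
    listed = dict(client_ip="203.0.113.5", helo="example.net",
                  sender="a@example.net", recipient="user@ttt.pp.ua")
    print(run(PAGE_LIST, **listed))  # ('REJECT', ['reject: blocked using zen.spamhaus.org'])
    print(run(TEST_LIST, **listed))  # ('DUNNO', ['reject_warning: blocked using zen.spamhaus.org'])
    relay = dict(client_ip="203.0.113.9", helo="localhost.localdomain",
                 sender="a@example.net", recipient="victim@other.example")
    print(run(HELO_LIST, **relay))   # ('PERMIT', []): relayed, line 6 never reached
```

The model deliberately knows nothing about restriction classes, policy services or the delayed evaluation that smtpd_delay_reject adds; it is only meant to make the ordering rules visible before you commit them to main.cf.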
Another exception example:
accepting mail from a given sender domain even though the client itself would otherwise be rejected. Keep in mind that the envelope sender is chosen by the connecting client and is not verified by this check, so an OK entry for a domain lets anyone who claims a sender in that domain bypass the restriction that follows it. After editing the table, run postmap /etc/postfix/sender_access to rebuild the hash: file.
Directive | What it checks |
---|---|
check_client_access | client hostname or IP address |
check_helo_access | the hostname the client announces in HELO/EHLO |
check_sender_access | envelope sender address (MAIL FROM) |
check_recipient_access | envelope recipient address (RCPT TO) |
/etc/postfix/main.cf:
    # smtpd_delay_reject = yes (the default) is what allows a sender check
    # inside smtpd_client_restrictions: evaluation is postponed to RCPT TO,
    # when the sender address is already known.
    smtpd_delay_reject = yes
    smtpd_client_restrictions =
        check_sender_access hash:/etc/postfix/sender_access,
        reject_unknown_client

/etc/postfix/sender_access:
    domain.com OK
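The lookup order behind that sender_access entry decides what "domain.com OK" really matches. The following is an added example, not code from the page or from Postfix: it models how Postfix searches an access(5) table for an envelope sender (user@domain first, then the domain and each of its parent domains, then user@). The in-memory table is a constructed stand-in for the postmap-compiled hash: file, and the default parent_domain_matches_subdomains setting (which lists smtpd_access_maps) is assumed, which is why the entry also matches senders at every subdomain of domain.com.

```python
"""Model of the access(5) lookup order for check_sender_access.

Added example, not Postfix code: it mirrors the documented search order
for an e-mail address key so the reach of a "domain.com OK" entry can be
seen. SENDER_ACCESS is a constructed stand-in for the postmap-compiled
hash:/etc/postfix/sender_access file.
"""

SENDER_ACCESS = {
    "domain.com": "OK",               # the page's exception entry
    "noreply@domain.com": "REJECT",   # more specific key, tried first
    "spammer@": "REJECT",             # matches this local part at any domain
}

NULL_SENDER_KEY = "<>"   # smtpd_null_access_lookup_key default for MAIL FROM:<>


def domain_keys(domain, parent_matches=True):
    """Keys tried for the domain part, most specific first.

    parent_matches=True is the Postfix default (smtpd_access_maps is listed
    in parent_domain_matches_subdomains): a.b.c -> a.b.c, b.c, c.
    With parent_matches=False the parents are looked up as .b.c and .c.
    """
    labels = domain.lower().split(".")
    keys = [domain.lower()]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches else "." + parent)
    return keys


def lookup_keys(sender, parent_matches=True):
    """Full search order for an envelope sender address."""
    if not sender:
        return [NULL_SENDER_KEY]
    local, _, domain = sender.lower().rpartition("@")
    return ([f"{local}@{domain}"]
            + domain_keys(domain, parent_matches)
            + [f"{local}@"])


def check_sender_access(sender, table=SENDER_ACCESS, parent_matches=True):
    """Return (matched_key, value); (None, None) means no entry, i.e. DUNNO."""
    for key in lookup_keys(sender, parent_matches):
        if key in table:
            return key, table[key]
    return None, None


def access_result(value):
    """Map an access(5) value onto the restriction outcome."""
    if value is None or value.upper() == "DUNNO":
        return "DUNNO"
    if value.upper() in ("OK", "PERMIT"):   # OK, or the permit restriction by name
        return "PERMIT"
    return "REJECT"      # REJECT, DEFER (a 4xx reject), "4xx text", "5xx text"


if __name__ == "__main__":
    for s in ("alice@domain.com", "alice@mail.domain.com", "noreply@domain.com",
              "bob@domain.com.attacker.example", "spammer@example.net", ""):
        key, value = check_sender_access(s)
        print(f"{(s or '<>')!r:36} -> {key!r:22} {access_result(value)}")
```

Two things worth seeing in the output: a subdomain sender (alice@mail.domain.com) is whitelisted by the bare "domain.com" key, while a look-alike domain that only starts with domain.com (domain.com.attacker.example) is not, because parent-domain matching strips labels from the left.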
For testing, besides warn_if_reject you can use soft_bounce = yes: it turns every 5xx rejection into a 4xx temporary failure, so remote senders keep retrying instead of bouncing. Remember to switch it back off once testing is done, otherwise rejected mail is never bounced, only deferred.
Final Postfix configuration (postconf -n output). Two caveats on the TLS/SASL part: smtpd_tls_security_level = may takes precedence over the obsolete smtpd_use_tls and smtpd_enforce_tls lines, so TLS is offered but not enforced, and the ssl-cert-snakeoil files are Debian's self-signed placeholder certificate, which remote clients will not trust. With TLS optional, smtpd_sasl_security_options = noanonymous still allows plaintext AUTH over an unencrypted session; add noplaintext there (or set smtpd_tls_auth_only = yes) so passwords are only sent under TLS.
# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command =
mailbox_size_limit = 0
mydestination = ttt.pp.ua, mail.ttt.pp.ua, localhost.ttt.pp.ua, localhost
mydomain = ttt.pp.ua
myhostname = mail.ttt.pp.ua
mynetworks = 127.0.0.0/8 192.168.0.0/24 11.111.111.111/32
myorigin = $mydomain
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, warn_if_reject reject_rbl_client zen.spamhaus.org, warn_if_reject reject_rhsbl_reverse_client dbl.spamhaus.org, warn_if_reject reject_rhsbl_helo dbl.spamhaus.org, warn_if_reject reject_rhsbl_sender dbl.spamhaus.org
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = warn_if_reject, reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
smtpd_enforce_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous