Many administrators focus on inbound spam filtering but neglect outgoing mail inspection. This creates risks of compromised accounts being used for spam. Postfix can be configured to scan outgoing messages using the same spam detection tools typically used for inbound mail.
The most effective method involves using Amavis as a content filter. Your current configuration already includes:
content_filter = smtp-amavis:[127.0.0.1]:10024
But we need to ensure this applies to outgoing messages as well.
Add these lines to your master.cf to enable filtering on the submission port:
submission inet n - - - - smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o content_filter=smtp-amavis:[127.0.0.1]:10024
Edit your amavisd.conf to ensure outgoing messages are scanned:
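# A policy bank only applies to mail that selects it, e.g. via $interface_policy
# for the amavisd port that the submission service feeds.
$policy_bank{'OUTGOING'} = {
    originating => 1,  # declare originating mail
    allow_disclaimers => 0,  # don't modify outgoing messages
    spam_quarantine_to => 'spam-out@yourdomain.com',  # special quarantine
    spam_tag_level_maps => [1.0],  # add spam score headers to suspicious outgoing mail
    spam_tag2_level_maps => [3.0],  # mark the message as spam
    spam_kill_level_maps => [5.0],  # obvious spam: quarantine and apply final_spam_destiny
};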
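Add header checks so that suspicious outgoing messages are rejected and the rejection is logged. The rules below are regular expressions matched against message headers, so they belong in a regexp: table referenced by header_checks. A check_sender_access hash: table is looked up by envelope sender address and would never match them. Note that header_checks applies to all mail handled by the cleanup service, not only to submissions:
# In main.cf
header_checks = regexp:/etc/postfix/outgoing_checks
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
Create /etc/postfix/outgoing_checks with special handling rules:
# Reject messages with suspicious headers
# Postfix's own Received: header is also checked, so try the first rule with WARN before enforcing it
/^Received:/ REJECT Suspicious Received header in outgoing mail
/^X-Originating-IP:/ REJECT Forged X-Originating-IP header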
When implementing outgoing spam filtering:
- Whitelist legitimate bulk mail senders
- Set appropriate spam score thresholds for outgoing mail
- Implement separate quarantine for outgoing spam
- Monitor false positives closely
After making changes, verify your setup:
postfix check
postfix reload
amavisd-new reload
Test with:
swaks --to test@example.com --server localhost:587 -tls -a -au user -ap password
Check logs for spam scanning results:
grep 'Passed SPAM' /var/log/mail.log
grep 'Blocked SPAM' /var/log/mail.log
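To see which accounts those verdicts belong to, this added example (not part of the original page) tallies them per envelope sender for mail handled under the OUTGOING policy bank. The log lines are constructed, their layout (including the bank name after the braces) is an assumption modelled on typical amavisd-new output, and `sample_log` and `spam_by_sender` are hypothetical names.

```shell
#!/bin/sh
# Added example: per-sender tally of amavis spam verdicts on outgoing mail.
# Assumption: amavisd logs "<verdict> {actions}, <policy banks> [ip]:port <sender> -> <rcpt>, ...".

# Constructed sample log lines (not real traffic).
sample_log() {
cat <<'EOF'
Mar  3 10:00:01 mx amavis[811]: (00811-01) Passed CLEAN {RelayedOutbound}, OUTGOING [192.0.2.10]:40100 <alice@example.com> -> <bob@example.net>, Hits: -0.5, size: 1820
Mar  3 10:00:07 mx amavis[811]: (00811-02) Blocked SPAM {DiscardedOutbound,Quarantined}, OUTGOING [192.0.2.44]:40211 <carol@example.com> -> <x1@example.org>, Hits: 9.1, size: 2210
Mar  3 10:00:09 mx amavis[811]: (00811-03) Blocked SPAM {DiscardedOutbound,Quarantined}, OUTGOING [192.0.2.44]:40212 <carol@example.com> -> <x2@example.org>,<x3@example.org>, Hits: 9.4, size: 2214
Mar  3 10:00:12 mx amavis[811]: (00811-04) Passed SPAMMY {RelayedTaggedOutbound}, OUTGOING [192.0.2.44]:40213 <carol@example.com> -> <x4@example.org>, Hits: 3.6, size: 2190
Mar  3 10:01:30 mx amavis[812]: (00812-01) Passed SPAM {RelayedTaggedOutbound}, OUTGOING [192.0.2.51]:40500 <dave@example.com> -> <eve@example.net>, Hits: 3.2, size: 900
Mar  3 10:02:00 mx amavis[812]: (00812-02) Blocked SPAM {DiscardedInbound,Quarantined}, [203.0.113.9]:2525 <promo@example.org> -> <alice@example.com>, Hits: 14.2, size: 5120
Mar  3 10:02:01 mx postfix/smtpd[900]: disconnect from unknown[203.0.113.9]
EOF
}

# spam_by_sender [MIN] [BANK]
# Reads mail.log on stdin and prints "count sender" for every envelope sender
# with at least MIN verdicts matching the page's grep strings ('Passed SPAM',
# 'Blocked SPAM') on lines that mention policy bank BANK (default OUTGOING).
spam_by_sender() {
    awk -v min="${1:-1}" -v bank="${2:-OUTGOING}" '
        /amavis\[[0-9]+\]:/ && /(Blocked|Passed) SPAM/ && index($0, " " bank " ") {
            # The envelope sender is the <...> directly before " -> ".
            if (match($0, /<[^>]*> -> /)) {
                s = substr($0, RSTART + 1, RLENGTH - 6)
                if (s == "") s = "<>"    # null sender, e.g. bounces
                n[s]++
            }
        }
        END { for (s in n) if (n[s] >= min) print n[s], s }
    ' | sort -k1,1nr -k2,2
}

# Senders with two or more spam verdicts in the sample.
sample_log | spam_by_sender 2
```

On a live system, feed it the real log instead, for example `spam_by_sender 5 < /var/log/mail.log`; an account that suddenly tops the list is a candidate for a credential reset.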
Many administrators focus on inbound spam filtering but neglect outgoing mail checks. This oversight can lead to compromised accounts spreading spam without detection. Postfix can be configured to scan all outgoing messages through content filters like Amavis or SpamAssassin.
Your existing setup shows you're already using content_filter with Amavis (smtp-amavis:[127.0.0.1]:10024). However, this appears to be only for incoming mail. We need to modify both main.cf and master.cf to handle outgoing messages.
First, let's modify the submission service in master.cf to route outgoing mail through your spam filter:
submission inet n - - - - smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o content_filter=smtp-amavis:[127.0.0.1]:10026
    -o receive_override_options=no_address_mappings
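You'll need to ensure Amavis itself is listening on port 10026 for outgoing scans (the $inet_socket_port list in amavisd.conf). Postfix must not bind that port: an smtpd listener on 10026 with an empty content_filter would accept the mail straight back without scanning it. What Postfix needs is the listener that takes scanned mail back from Amavis, shown here on 10025, the conventional reinjection port (an assumption; use the port your Amavis forwards to). Add this to your master.cf:
127.0.0.1:10025 inet n - y - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes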
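For more granular control, implement header checks for outgoing mail. The Postfix parameter is header_checks (there is no smtpd_header_checks), and it applies to all mail handled by the cleanup service. Add to main.cf:
header_checks = regexp:/etc/postfix/outgoing_header_checks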
Then create /etc/postfix/outgoing_header_checks with rules like:
/^Subject:.*(viagra|cialis|porn)/ REJECT Spam-like content detected
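Enhance your logging to track outgoing spam attempts. Add to main.cf:
# Junk commands (NOOP, VRFY, ETRN, RSET) allowed before they count as errors
smtpd_junk_command_limit = 10
# Extra verbosity, only for peers matched by debug_peer_list
debug_peer_level = 2
debugger_command =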
When scanning all outgoing mail, consider these optimizations. They take effect only when the filter runs as a before-queue smtpd_proxy_filter, not with content_filter:
# In main.cf
smtpd_proxy_timeout = 120s
smtpd_proxy_options = speed_adjust
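After making changes, test the header rules and reload. A regexp: table is read as plain text and needs no postmap compilation, but postmap -q can query it:
postmap -q "Subject: cheap viagra" regexp:/etc/postfix/outgoing_header_checks
postfix reload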
Send test emails and check logs:
tail -f /var/log/mail.log | grep amavis