I take the following steps to make my email system more secure and solid.

  • close ports 587 and 143; use ports 993 and 465 with SSL only.
  • disable SASL auth on port 25.
  • prevent SASL users from abusing envelope addresses.
  • use postscreen for anti-bot and RBL scoring.
  • use policyd-rate-limit to limit sending rate.
  • use policyd-spf to check the sender IP's SPF and reject those that fail.
  • use opendmarc to check the sender domain's DMARC and reject those that fail.
  • use opendkim for incoming messages (check signatures) and outgoing messages (add signatures).
  • set the reject_unknown_client_hostname and reject_unknown_sender_domain options in smtpd_sender_restrictions.
  • rspamd for email content security.
  • fail2ban to stop malicious user behavior, such as brute force.
  • consider using Spamhaus XBL for submission.
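
A Postfix configuration covering the port, SASL, sender-restriction and XBL items in the list above. This is an added example, not my own configuration files; the table path, the `mua_*` parameter names and the use of the numeric port 465 as the service name are assumptions.

```conf
# ---- main.cf ----
# AUTH is off globally, so the port 25 smtpd never offers it.
smtpd_sasl_auth_enable = no
# Envelope sender -> SASL login(s) allowed to use it (assumed path and table type).
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
# Sender checks for mail arriving on port 25.
smtpd_sender_restrictions =
    reject_unknown_client_hostname,
    reject_unknown_sender_domain
# Restriction lists referenced from master.cf (parameter names are assumptions).
mua_client_restrictions = reject_rbl_client xbl.spamhaus.org, permit_sasl_authenticated, reject
mua_sender_restrictions = reject_sender_login_mismatch
mua_relay_restrictions = permit_sasl_authenticated, reject

# ---- master.cf ----
# Port 25 goes through postscreen; there is no SASL override on this path.
smtp      inet  n  -  n  -  1  postscreen
smtpd     pass  -  -  n  -  -  smtpd
dnsblog   unix  -  -  n  -  0  dnsblog
tlsproxy  unix  -  -  n  -  0  tlsproxy
# Port 587 stays closed: keep the stock "submission" entry commented out.
#submission inet n  -  n  -  -  smtpd
# Port 465: TLS from the first byte, AUTH required, sender must match the login.
465       inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submissions
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=$mua_relay_restrictions
```

After a reload, `postconf -n` and `postconf -M` show the effective main.cf and master.cf settings for comparison.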

Also, if fail2ban blocks too many bad IPs, iptables may become slow. Here are some ways to optimize the system firewall.

  • set up iptables + ipset for fail2ban, or
  • update the system to use nftables, or
  • set up a null route