I took the following steps to make my email system more secure and robust.
- close port 587 and 143, use port 993 and 465 with SSL instead (reference).
- disable SASL auth on port 25 (reference).
- use policyd-rate-limit to limit sending rate (reference).
- use postscreen for anti-bot and RBL scoring (reference).
- use policyd-spf to check sender IP’s SPF and reject the failed one (reference).
- use OpenDMARC to check sender domain’s DMARC and reject the failed one (reference).
- OpenDKIM is also deployed for either incoming messages (check signatures) or outgoing messages (add signatures) (reference).
- have reject_unknown_client_hostname, reject_unknown_sender_domain options for smtpd_sender_restrictions (reference).
- stop sasl user use any email account as envelope address (reference).
- rspamd for email content security (reference).
With those steps, it can reduce spam and reduce the chance of abuse of the mail system.
If you have interests in my mail system, please check this site.