Postfix usage

Marco Favero edited this page Mar 21, 2017 · 3 revisions

Postscreen whitelist

You can feed a whitelist of networks directly into the postscreen access list:

postscreen_access_list = permit_mynetworks,
        cidr:/etc/postfix/postscreen_access.cidr,
        mysql:/etc/postfix/mysql-postscreen.cf

where mysql-postscreen.cf is:

hosts = inet:fqdn:3306
user = blackman
password = rbl
dbname = rbl
query = SELECT network FROM whitenet WHERE ((inet_aton('%s') & netmask) = network) AND active = '1' AND `exp` > NOW()
result_format = permit

Postscreen combined DNSBL

If you have exported your IP lists through a DNS server, you can add your own DNSBL to postscreen:

postscreen_dnsbl_sites = zen.spamhaus.org*4
        bl.spamcop.net*1
        spamip.rbl.example.com*4
        whiteip.rbl.example.com*-3
        [...]

SPAM IP blocklist at SMTP level

You can block known zombie spam IPs in the client restrictions:

smtpd_client_restrictions = check_client_access hash:/etc/postfix/access,
                                                mysql:/etc/postfix/mysql-clientrbl.cf
                permit_sasl_authenticated,
                [...]
                reject

where mysql-clientrbl.cf is:

hosts = inet:fqdn:3306
user = blackman
password = rbl
dbname = rbl
query = SELECT reason FROM spamip WHERE ip = INET_ATON('%s') AND active = '1' AND `exp` > NOW()
result_format = REJECT %s
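
The two queries above (mysql-postscreen.cf and mysql-clientrbl.cf) do their matching in SQL, so it is worth seeing exactly what they match. The following is an added Python model of that logic, not code from this project: it reproduces INET_ATON() and the `(ip & netmask) = network` test, the `active`/`exp` filters, and the `result_format` rendering, over constructed sample rows. Table and column names are taken from the queries on this page; the row layout, dates and addresses are assumptions. Note that `network` must be aligned to `netmask` (a row such as 192.0.2.1 with a /24 mask can never match), and a row with netmask 0 would permit every client.

```python
import ipaddress
from datetime import datetime, timedelta

def inet_aton(addr: str) -> int:
    """Same integer MySQL's INET_ATON() yields for a dotted-quad IPv4 address."""
    return int(ipaddress.IPv4Address(addr))

def whitenet_row(cidr: str, exp: datetime, active: bool = True) -> dict:
    """Build a whitenet row the way the postscreen query expects it: network and
    netmask stored as INET_ATON() integers, with network aligned to the mask."""
    net = ipaddress.IPv4Network(cidr, strict=True)   # strict: rejects 192.0.2.1/24
    return {"network": int(net.network_address), "netmask": int(net.netmask),
            "active": active, "exp": exp}

def whitenet_lookup(client_ip: str, rows: list, now: datetime):
    """Mirror of the mysql-postscreen.cf query:
    (INET_ATON(ip) & netmask) = network AND active = '1' AND exp > NOW().
    Returns the result_format value 'permit' on a hit, None on a miss."""
    ip = inet_aton(client_ip)
    for r in rows:
        if (ip & r["netmask"]) == r["network"] and r["active"] and r["exp"] > now:
            return "permit"
    return None

def spamip_lookup(client_ip: str, rows: list, now: datetime):
    """Mirror of the mysql-clientrbl.cf query (ip = INET_ATON('%s'), same
    active/exp filters), rendered through result_format = REJECT %s."""
    ip = inet_aton(client_ip)
    for r in rows:
        if r["ip"] == ip and r["active"] and r["exp"] > now:
            return "REJECT %s" % r["reason"]
    return None

# Constructed sample data (assumed, not from the page): one live whitelist
# network, one that expired yesterday, and one listed spam IP.
NOW = datetime(2017, 3, 21, 12, 0, 0)
WHITENET = [
    whitenet_row("192.0.2.0/24", NOW + timedelta(days=30)),
    whitenet_row("198.51.100.0/24", NOW - timedelta(days=1)),   # expired row
]
SPAMIP = [
    {"ip": inet_aton("203.0.113.7"), "reason": "zombie host",
     "active": True, "exp": NOW + timedelta(days=7)},
]

if __name__ == "__main__":
    print(whitenet_lookup("192.0.2.55", WHITENET, NOW))     # permit
    print(whitenet_lookup("198.51.100.9", WHITENET, NOW))   # None (expired)
    print(spamip_lookup("203.0.113.7", SPAMIP, NOW))        # REJECT zombie host
```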

Usually this is not the best use of a blocklist. You may prefer to block spam IPs through SpamAssassin rules instead, exporting the blocklist in DNSBL format (see RBLDNS usage).

Blocklist of SPAM sender addresses

You can block unwanted envelope sender addresses:

smtpd_sender_restrictions =
                reject_non_fqdn_sender,
                reject_unknown_sender_domain,
                reject_unlisted_sender,
                check_sender_access regexp:/etc/postfix/banned_senders_rules
                                    mysql:/etc/postfix/mysql-senderrbl.cf,
                 [...]

where mysql-senderrbl.cf is:

hosts = inet:fqdn:3306
user = blackman
password = rbl
dbname = rbl
query = SELECT `reason` FROM `spamsender` WHERE `email` = '%s' AND `active` = '1' AND `exp` > NOW()
result_format = REJECT %s

Don't limit your imagination: you can do the same thing with a sender whitelist, for instance.

Blocklist of SASL usernames

You can block unwanted SASL usernames, for instance compromised accounts:

smtpd_sender_restrictions =
                reject_non_fqdn_sender,
                reject_unknown_sender_domain,
                reject_unlisted_sender,
##                reject_unverified_sender,
                check_sasl_access mysql:/etc/postfix/mysql-sasl_access.cf,
                check_sender_access regexp:/etc/postfix/banned_senders_rules
                                    mysql:/etc/postfix/mysql-senderrbl.cf,

where mysql-sasl_access.cf is:

hosts = inet:rblmanager.example.com:3306
user = blackman
password = password
dbname = rbl
query = SELECT `reason` FROM `spamusername` WHERE `username` = '%s' AND `active` = '1' AND `exp` > NOW()
result_format = REJECT %s