How To Block Spam Before It Enters The Server (Postfix)

Version 1.0
Author: Falko Timme

The last few weeks have seen a dramatic increase in spam (once again). Estimates say that spam now makes up 80 - 90% of all emails. Many mail servers have difficulty managing the additional load caused by the latest spam, and spam filters such as SpamAssassin no longer recognize large parts of it as they did before. Fortunately, we can block a large amount of that spam at the MTA level, for example by using blacklists and running tests on the sender and recipient domains. An additional benefit is that this lowers the load on the mail servers, because the (resource-hungry) spam filters have to look at fewer emails.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

This is just a quick guide showing you how to configure Postfix (2.x and 1.x) to block spam before it enters the server. It's more or less self-explanatory. However, after applying this to your own mail server, you should check the mail log to make sure that no legitimate mails are blocked.

You should also take a look at this guide: https://www.howtoforge.com/virtual_postfix_antispam

And this category: https://www.howtoforge.com/taxonomy_menu/1/78/24 has some more great anti-spam solutions.

 

2 Postfix 2.x

Open /etc/postfix/main.cf and place the following lines in it (replacing the respective settings if they exist):

vi /etc/postfix/main.cf
[...]
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

smtpd_recipient_restrictions =
            reject_invalid_hostname,
            reject_unknown_recipient_domain,
            reject_unauth_pipelining,
            permit_mynetworks,
            permit_sasl_authenticated,
            reject_unauth_destination,
            reject_rbl_client multi.uribl.com,
            reject_rbl_client dsn.rfc-ignorant.org,
            reject_rbl_client dul.dnsbl.sorbs.net,
            reject_rbl_client list.dsbl.org,
            reject_rbl_client sbl-xbl.spamhaus.org,
            reject_rbl_client bl.spamcop.net,
            reject_rbl_client dnsbl.sorbs.net,
            reject_rbl_client cbl.abuseat.org,
            reject_rbl_client ix.dnsbl.manitu.net,
            reject_rbl_client combined.rbl.msrbl.net,
            reject_rbl_client rabl.nuclearelephant.com,
            permit
[...]

Restart Postfix afterwards:

/etc/init.d/postfix restart
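
Section 1 asks you to check the mail log after applying these settings. The following Python script is an added example, not part of the original guide: it groups smtpd reject lines by the restriction or blacklist that triggered them. The log lines are constructed samples, and treating clients that have a hostname as the first ones to review is a heuristic assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the Postfix 2.x smtpd reject format.
SAMPLE_LOG = """\
Jun  7 17:05:48 server2 postfix/smtpd[23305]: connect from unknown[192.0.2.10]
Jun  7 17:05:49 server2 postfix/smtpd[23305]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using bl.spamcop.net; Blocked - see listing page; from=<offers@spam.example> to=<joe@example.com> proto=ESMTP helo=<pc10>
Jun  7 17:06:02 server2 postfix/smtpd[23311]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using bl.spamcop.net; Blocked - see listing page; from=<offers@spam.example> to=<ann@example.com> proto=ESMTP helo=<pc10>
Jun  7 17:07:31 server2 postfix/smtpd[23522]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 554 <mail_gw>: Helo command rejected: Invalid name; from=<billing@partner.example> to=<joe@example.com> proto=ESMTP helo=<mail_gw>
""".splitlines()

REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: \S+ reject: \S+ from (?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<text>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def parse_reject(line):
    """Return the fields of one smtpd reject line, or None for any other line."""
    m = REJECT.search(line)
    if not m:
        return None
    hit = m.groupdict()
    rbl = re.search(r"blocked using ([\w.-]+)", hit["text"])
    other = re.search(r"(\w+ \w+ rejected: [^;]+)", hit["text"])
    hit["reason"] = ("rbl:" + rbl.group(1)) if rbl else (other.group(1) if other else hit["text"])
    return hit

def summarize(lines):
    """Return {reason: Counter of (client, sender)} for every reject line."""
    summary = defaultdict(Counter)
    for line in lines:
        hit = parse_reject(line)
        if hit:
            summary[hit["reason"]][(hit["client"], hit["sender"])] += 1
    return summary

def with_reverse_dns(summary):
    """Rejected clients that had a hostname (heuristic: review these by hand first)."""
    return sorted({client for counts in summary.values()
                   for client, _ in counts if client != "unknown"})

if __name__ == "__main__":
    for reason, counts in summarize(SAMPLE_LOG).items():
        print(sum(counts.values()), reason, dict(counts))
```

To run it against a real log, pass the lines of your mail log file to summarize() instead of SAMPLE_LOG.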

 

3 Postfix 1.x

Open /etc/postfix/main.cf and place the following lines in it (replacing the respective settings if they exist):

vi /etc/postfix/main.cf
[...]
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

maps_rbl_domains =
            multi.uribl.com,
            dsn.rfc-ignorant.org,
            dul.dnsbl.sorbs.net,
            list.dsbl.org,
            sbl-xbl.spamhaus.org,
            bl.spamcop.net,
            dnsbl.sorbs.net,
            cbl.abuseat.org,
            ix.dnsbl.manitu.net,
            combined.rbl.msrbl.net,
            rabl.nuclearelephant.com

smtpd_recipient_restrictions =
            permit_sasl_authenticated,
            permit_mynetworks,
            reject_invalid_hostname,
            reject_non_fqdn_hostname,
            reject_non_fqdn_sender,
            reject_unknown_sender_domain,
            reject_unknown_recipient_domain,
            reject_maps_rbl,
            check_relay_domains
[...]

Restart Postfix afterwards:

/etc/init.d/postfix restart

 

4 More Blacklists

You can find more DNS & RHS blackhole lists that you can add to your Postfix configuration here: http://spamlinks.net/filter-dnsbl-lists.htm
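
Before adding a list to main.cf, it is worth checking that the zone still answers and does not list every address. The following Python script is an added example, not part of the original guide: it uses the test entries that lists following RFC 5782 provide (127.0.0.2 is always listed, 127.0.0.1 never is). The zone names under dnsbl.example and their answers are constructed so that the demo runs offline.

```python
import socket
import sys

# Constructed answers for made-up zones, so the demo runs without network access.
CONSTRUCTED = {
    "2.0.0.127.good.dnsbl.example": "127.0.0.2",
    "2.0.0.127.wild.dnsbl.example": "127.0.0.2",
    "1.0.0.127.wild.dnsbl.example": "127.0.0.2",
}

def dnsbl_name(ip, zone):
    """Query name for an IPv4 address: reversed octets, then the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone

def system_lookup(name):
    """A record via the system resolver, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def check_zone(zone, lookup=system_lookup):
    """Classify a zone using the RFC 5782 test entries 127.0.0.2 and 127.0.0.1."""
    listed = lookup(dnsbl_name("127.0.0.2", zone))    # must be listed
    unlisted = lookup(dnsbl_name("127.0.0.1", zone))  # must not be listed
    if unlisted is not None:
        return "lists-everything"   # would reject all mail
    if listed is None:
        return "dead"               # no test entry: gone or not answering
    if not listed.startswith("127."):
        return "bogus-answer"       # e.g. a resolver rewriting NXDOMAIN
    return "ok"

if __name__ == "__main__":
    zones = sys.argv[1:]
    lookup = system_lookup if zones else CONSTRUCTED.get
    for zone in zones or ["good.dnsbl.example", "dead.dnsbl.example", "wild.dnsbl.example"]:
        print(zone, check_zone(zone, lookup))
```

Run it on the mail server itself with the zone names as arguments, so that the check goes through the same resolver Postfix uses.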

 


Comments

By:

Please do not use non-existent and old databases.

First, do not use relays.ordb.org. This service has been down since 18 Dec 2006. Next, the composite RBL database sbl-xbl.spamhaus.org is superseded by zen.spamhaus.org.

Then I did a quick check of whether a DNS A record exists for the other proposed RBL databases. Unfortunately, only bl.spamcop.net, dnsbl.sorbs.net, cbl.abuseat.org and ix.dnsbl.manitu.net exist.

 

By:

ix.dnsbl.manitu.net doesn't work for me :?


Jun  7 17:05:48 server2 postfix/smtpd[23305]: warning: 195.32.73.212.ix.dnsbl.manitu.net: RBL lookup error: Host or domain name not found. Name service error for name=195.32.73.212.ix.dnsbl.manitu.net type=A: Host not found, try again


Jun  7 17:05:56 server2 postfix/smtpd[23522]: warning: 74.8.55.212.ix.dnsbl.manitu.net: RBL lookup error: Host or domain name not found. Name service error for name=74.8.55.212.ix.dnsbl.manitu.net type=A: Host not found, try again


Jun  7 17:07:31 server2 postfix/smtpd[23522]: warning: 175.92.249.66.ix.dnsbl.manitu.net: RBL lookup error: Host or domain name not found. Name service error for name=175.92.249.66.ix.dnsbl.manitu.net type=A: Host not found, try again


By: admin

The above warnings are normal for the ix.dnsbl.manitu.net list. They mean that the sender IP is not blacklisted.

By:

    Thanks for the info :)

By:

Rejecting senders with the above method is problematic, because the reject decision is based on the first match of a single test. You should consider implementing:

 http://www.policyd-weight.org/

policyd-weight calculates a score based on different tests (HELO, MX, DNSBL, RHSBL), and only if the resulting score passes a certain value is the sender rejected.

policyd-weight also implements a caching mechanism for the blacklist lookups.

 

 

By:

The following line should be removed from the above main.cf:

reject_rbl_client list.dsbl.org

list.dsbl.org is no longer available.

For more info, see this web page:

http://dsbl.org/

Otherwise, the above guide has worked well for me.

Thanks,

Gary

By: Ananya

Spam Filter Blacklist is a site I came across which lists the words, IP addresses, email IDs, and domains most commonly used by spammers. These contents help us a lot before we can filter the emails for spam.

By: OJS

Thank you so very much! IT WORKS!!!!! No need to buy these expensive spam-filters. I have indeed reduced my overall spam by as much as 90% WOW!!!!!!!!!

 

Thank you Thank you Thank you

By: Senthil

These settings work great, but occasionally mail from an ill-configured legit server gets bounced away. Is there a way to simply accept all messages and mark a spam header so the client filters it out?

By: AnonymousSpamEater

I had dialup.rbl.kropka.net in my reject-lists as well, do not use it as it started rejecting ALL E-Mail a couple days ago!

By: Seveninternet

Great information about email spam protection. It really helps us, so please keep it up and continue.

By: Atleast

Appreciate your great help. What is the difference between the default 550 and 554, please? I had #unknown_local_recipient_reject_code = 550 already on, but I added yours with 554.

Also, are there any RBL servers that are redundant or not in use? I am a bit confused about zen and sbl-x of spamcop.

Is there any way to verify if they work?

By: fox

How to use my own blacklist? E.g. IP ranges, block all Russian senders?

By: Kamil

Please put a date on the article and comments.