How to enable RBL checking in postfix?
Solution 1
Your reject_rbl_client declaration goes into the smtpd_recipient_restrictions declaration found in main.cf. For my CentOS machines, that's in /etc/postfix/. The code you posted tends to show up in master.cf. That's a different file altogether.
This is what my smtpd_recipient_restrictions definition looks like:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    check_client_access hash:/etc/postfix/rbl_override,
    reject_unknown_reverse_client_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_invalid_hostname,
    check_client_access hash:/etc/postfix/client_checks,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client dnsbl.sorbs.net,
    check_policy_service unix:private/policy,
    permit
Solution 2
As the others said, you put reject_rbl_client in the wrong place. Set it in the smtpd line of master.cf or in main.cf.
If your Postfix is version 2.8 or higher, you can put the RBL checking in postscreen. You can get more info on the Postscreen Howto page.
For example, the equivalent config of
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net
in postscreen terms is
postscreen_dnsbl_sites = sbl-xbl.spamhaus.org, bl.spamcop.net
postscreen_dnsbl_action = enforce
Some considerations on where to put the RBL check: smtpd_*_restrictions or postscreen
Postscreen Pros
- Checks happen before any SMTP transaction, because the only input is the IP address
- Uses a caching mechanism when the IP address isn't found in the RBL
- Supports weighted scores for DNSBL sites (for example, if your internal RBL is more trusted than the Spamhaus RBL, you can put postscreen_dnsbl_sites = internal.rbl.example.com*3, spamhaus.org)
- Weight can be a negative value to get the same effect as permit_dnswl_client
Postscreen Cons
- You can exclude RBL checking from some senders/recipients. You can still whitelist IP addresses.
See Sebix's answer to this question and a thread on the Postfix mailing list
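The weighted scoring described in Solution 2, modelled in Python as an added example (not code from the answer or from Postfix). The zones, client addresses, DNS answers and the threshold value of 2 are constructed for illustration, and only exact-address `=filter` values are handled.

```python
import ipaddress

def parse_sites(value):
    """Parse a postscreen_dnsbl_sites value into (zone, filter, weight) tuples."""
    entries = []
    for item in value.replace(",", " ").split():
        weight = 1                       # default when no *weight is given
        if "*" in item:
            item, w = item.rsplit("*", 1)
            weight = int(w)              # may be negative (allowlist entry)
        zone, _, flt = item.partition("=")
        entries.append((zone, flt or None, weight))
    return entries

def query_name(client_ip, zone):
    """A DNSBL lookup reverses the IPv4 octets and appends the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_score(client_ip, sites, resolve):
    """Sum the weight of every entry that lists client_ip.

    resolve(name) returns the A records for name, or [] for NXDOMAIN.
    """
    score = 0
    for zone, flt, weight in parse_sites(sites):
        answers = resolve(query_name(client_ip, zone))
        if any(flt is None or a == flt for a in answers):
            score += weight              # a weight counts once per entry
    return score

# Constructed DNS answers standing in for a real resolver.
FAKE_DNS = {
    "7.113.0.203.internal.rbl.example.com": ["127.0.0.2"],
    "7.113.0.203.bl.example.net": ["127.0.0.2"],
    "9.113.0.203.bl.example.net": ["127.0.0.2"],
    "9.113.0.203.wl.example.org": ["127.0.0.1"],
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

SITES = "internal.rbl.example.com*3, bl.example.net, wl.example.org*-2"
THRESHOLD = 2   # assumed value of postscreen_dnsbl_threshold for this example

def would_block(client_ip):
    """True when the summed score reaches the threshold."""
    return dnsbl_score(client_ip, SITES, fake_resolve) >= THRESHOLD
```

With these constructed answers, 203.0.113.7 scores 4 and is blocked, while 203.0.113.9 is listed on one blocklist but offset by the negative-weight entry, scoring -1.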
Sfisioza
Updated on September 18, 2022
Comments
-
Sfisioza almost 2 years
How to enable RBL filters in postfix?
My current configuration:
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit
  -o receive_override_options=no_header_body_checks,no_address_mappings
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
The mails are being sent and received.
When I add:
reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net
Thunderbird loops forever during sending and nothing happens. /var/log/mail.* are empty.
-
Admin over 9 years
This section of master.cf is for your outgoing mail, not your incoming mail. That's why it doesn't work here.
-
David W over 7 years
I'm currently researching a better postscreen implementation than the default, and I just stumbled upon this answer. Then I noticed that I answered this very same question! As of today, I've moved all of my RBL rules from smtpd_recipient_restrictions into postscreen. I've upvoted your answer. Thanks! :)
-
Miloš Đakonović over 6 years
Keep in mind that many of the clients (like Barracuda Central) require that you register the public IP address of the server before usage. Some of them may not be free for your type of usage.
-
David W over 6 years
Very good point. I should have thought to include that.
-
dstonek over 5 years
reject_unknown_client_hostname: "...This is a stronger restriction than the reject_unknown_reverse_client_hostname feature..."
-
KJ7LNW over 2 years
David, how are you using rbl_override and client_checks (what purpose)? Can you extend your question with a couple of samples and a brief description?