How to enable RBL checking in postfix?


Solution 1

Your reject_rbl_client declaration goes into the smtpd_recipient_restrictions declaration found in main.cf. For my CentOS machines, that's in /etc/postfix/. The code you posted tends to show up in master.cf. That's a different file altogether.

This is what my smtpd_recipient_restrictions definition looks like:

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unauth_pipelining,
        check_client_access hash:/etc/postfix/rbl_override,
        reject_unknown_reverse_client_hostname,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_invalid_hostname,
        check_client_access hash:/etc/postfix/client_checks,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client dnsbl.sorbs.net,
        check_policy_service unix:private/policy,
        permit

Solution 2

As the others said, you put reject_rbl_client in the wrong place. Set it in the smtpd line in master.cf or in main.cf.

If your Postfix version is 2.8 or higher, you can put the RBL checking in postscreen. You can get more info on the Postscreen Howto page.

For example, the equivalent config of

reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net

in postscreen terms is

postscreen_dnsbl_sites = sbl-xbl.spamhaus.org, bl.spamcop.net
postscreen_dnsbl_action = enforce

Some considerations on where to put the RBL check, smtpd_*_restrictions or postscreen:

Postscreen Pros

  • Checks before any SMTP transaction, because the input is only the IP address
  • Uses a caching mechanism when the IP address isn't found in the RBL
  • Supports weighted scores per DNSBL site (for example, if your internal RBL is more trusted than the Spamhaus RBL, you can put postscreen_dnsbl_sites = internal.rbl.example.com*3, spamhaus.org)
  • Weights can be negative values to get the same effect as permit_dnswl_client

Postscreen Cons

See Sebix's answer to this question and a thread in the postfix mailing list
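As an added example (not code from either answer), here is a small Python model of what postscreen does with postscreen_dnsbl_sites weights: it builds the reversed-octet query name for each zone, adds each listed zone's weight (negative weights act like a whitelist) and compares the total against postscreen_dnsbl_threshold, whose default is 1. The DNS answers come from a constructed table standing in for real lookups; the `zone=pattern` reply-filter syntax is not modeled.

```python
import ipaddress
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for DNS: maps a DNSBL query name to the A record a
# real list would return (127.0.0.x); a missing key means NXDOMAIN (not listed).
FAKE_DNS: Dict[str, Optional[str]] = {
    "10.113.0.203.internal.rbl.example.com": "127.0.0.2",
    "4.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "4.2.0.192.list.dnswl.org": "127.0.5.1",
}


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Build the name Postfix looks up: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_dnsbl_sites(spec: str) -> Dict[str, int]:
    """Parse a postscreen_dnsbl_sites value: 'zone' or 'zone*weight' items."""
    weights: Dict[str, int] = {}
    for item in spec.replace(",", " ").split():
        zone, _, weight = item.partition("*")
        weights[zone] = int(weight) if weight else 1
    return weights


def postscreen_score(client_ip: str, sites_spec: str,
                     resolve: Callable[[str], Optional[str]]) -> int:
    """Sum the weights of every zone that lists the client (any A record)."""
    score = 0
    for zone, weight in parse_dnsbl_sites(sites_spec).items():
        if resolve(dnsbl_query_name(client_ip, zone)) is not None:
            score += weight
    return score


def postscreen_verdict(client_ip: str, sites_spec: str, threshold: int = 1,
                       resolve: Callable[[str], Optional[str]] = FAKE_DNS.get
                       ) -> Tuple[int, bool]:
    """Return (score, blocked); blocked when score >= postscreen_dnsbl_threshold."""
    score = postscreen_score(client_ip, sites_spec, resolve)
    return score, score >= threshold


if __name__ == "__main__":
    sites = "internal.rbl.example.com*3, zen.spamhaus.org, list.dnswl.org*-2"
    for ip in ("203.0.113.10", "192.0.2.4", "198.51.100.7"):
        print(ip, postscreen_verdict(ip, sites))
```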

Author: Sfisioza

I'm a regular javascript developer :) Regular developer, not regular javascript.

Updated on September 18, 2022

Comments

  • Sfisioza
    Sfisioza almost 2 years

    How to enable RBL filters in postfix?

    My current configuration:

    submission inet n       -       n       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit
      -o receive_override_options=no_header_body_checks,no_address_mappings
      -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
      -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
    

    The mails are being sent and received.

    When I add:

    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net
    

    Thunderbird loops forever during sending and nothing happens. /var/log/mail.* are empty.

    • Admin
      Admin over 9 years
      This section of master.cf is for your outgoing mail, not your incoming mail. That's why it doesn't work here.
  • David W
    David W over 7 years
    I'm currently researching a better postscreen implementation than the default, and I just stumbled upon this answer. Then I noticed that I answered this very same question! As of today, I've moved all of my RBL rules from smtpd_recipient_restrictions into postscreen. I've upvoted your answer. Thanks! :)
  • Miloš Đakonović
    Miloš Đakonović over 6 years
    Keep in mind that many of the clients (like Barracuda Central) require that you register the public IP address of the server before usage. Some of them may not be free for your type of usage.
  • David W
    David W over 6 years
    Very good point. I should have thought to include that.
  • dstonek
    dstonek over 5 years
    reject_unknown_client_hostname "...This is a stronger restriction than the reject_unknown_reverse_client_hostname feature..."
  • KJ7LNW
    KJ7LNW over 2 years
    David, how are you using rbl_override and client_checks (what purpose)? Can you extend your question with a couple of samples and a brief description?