Configuring a mail server. Part 2. Additional rules for mail filtering. DNSBL

This is the second article in the "Mail Server Settings" series.


Additional rules for mail filtering.

To reduce the amount of spam, we add a few more filtering rules.

At the end of the smtpd_helo_restrictions block we add

check_helo_access hash:/etc/postfix/helo.list


and in the smtpd_recipient_restrictions block, right after the permit_sasl_authenticated rule, we insert

check_sender_access hash:/etc/postfix/ext_sender,


Create the file /etc/postfix/helo.list

#touch /etc/postfix/helo.list


Open it for editing and write one line in it. The key of the line is our server's own host name (the name it announces in HELO itself), and the action that follows the key is: 550 Don't use my hostname


Then build an indexed map from it:

#postmap /etc/postfix/helo.list


Create the file /etc/postfix/ext_sender

#touch /etc/postfix/ext_sender


Open it for editing and write one line in it:

study.local 550 Do not use my domain in your envelope sender


Then build an indexed map from it:

#postmap /etc/postfix/ext_sender


The check_helo_access rule looks at the name the sending server gives in its HELO (or EHLO) command. If it introduces itself with our own name (the key in /etc/postfix/helo.list), the 550 action is returned and the message is rejected. No legitimate server ever announces itself as us, so a client that does is almost certainly a spam bot. Note that a domain key in an access map also matches names below it (by default parent_domain_matches_subdomains includes smtpd_access_maps), so a single key covers the whole domain; and because the permit rules stand before this check, our own clients on the local network or logged in with SASL are never caught by it.

The check_sender_access rule checks the envelope sender address of the message. If the sender is in our own domain (the study.local key in /etc/postfix/ext_sender), the message is rejected: a message with such a sender cannot legitimately arrive from outside, it can only be submitted by a user of our own server. Such a user connects with a login and password, and the message is then accepted by the permit_sasl_authenticated rule, which stands before the rejecting rules, so check_sender_access is never reached for it. If you have outside services that legitimately send mail with your domain as the sender (a mailing-list provider, a web application hosted elsewhere), add a permit for their addresses before this rule, otherwise their mail will be rejected too.
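The following script is an added illustration of the two checks described above and of why the order of the rules matters; it is not code from the article and not Postfix's own code. It is a simplified model of the documented behaviour of Postfix access(5) lookups (full address first, then the domain and its parent domains, then the user@ local part) and of the first-match evaluation of the smtpd_*_restrictions lists. The map contents mirror /etc/postfix/helo.list and /etc/postfix/ext_sender from the article; the host name mail.study.local in the HELO map, the network ranges and the client addresses are assumptions made for the example.

```python
"""Model of check_helo_access / check_sender_access and of rule ordering.

Added illustration, not the article's or Postfix's code: simplified
re-implementation of access(5) lookup order and first-match evaluation
of smtpd_helo_restrictions and smtpd_recipient_restrictions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the postmap'd hash: files (key -> action).
HELO_MAP = {"mail.study.local": "550 Don't use my hostname"}   # assumed host name
SENDER_MAP = {"study.local": "550 Do not use my domain in your envelope sender"}
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]  # assumed LAN


@dataclass
class Session:
    client_ip: str
    helo: str
    sender: str            # envelope sender; "" stands for the null sender <>
    sasl_authenticated: bool = False


def lookup_domain(table, name):
    """Try the name, then each parent domain: 'study.local' in the map also
    matches 'sales.study.local' (parent_domain_matches_subdomains covers
    smtpd_access_maps by default)."""
    labels = name.lower().strip(".").split(".")
    for i in range(len(labels)):
        action = table.get(".".join(labels[i:]))
        if action:
            return action
    return None


def lookup_address(table, address):
    """access(5) order for an envelope address: user@domain, then the domain
    and its parents, then user@.  The null sender is looked up as '<>'."""
    addr = address.lower()
    if addr == "":
        return table.get("<>")
    if addr in table:
        return table[addr]
    local, _, domain = addr.rpartition("@")
    return lookup_domain(table, domain) or table.get(local + "@")


# Individual restrictions: None means DUNNO (no opinion, try the next rule).
def permit_mynetworks(s):
    return "OK" if any(ip_address(s.client_ip) in n for n in MYNETWORKS) else None

def permit_sasl_authenticated(s):
    return "OK" if s.sasl_authenticated else None

def check_helo_access(s):
    return lookup_domain(HELO_MAP, s.helo)

def check_sender_access(s):
    return lookup_address(SENDER_MAP, s.sender)


# Order as in the article: the permits first, then the access-map checks.
HELO_RESTRICTIONS = [permit_mynetworks, permit_sasl_authenticated, check_helo_access]
RECIPIENT_RESTRICTIONS = [permit_mynetworks, permit_sasl_authenticated, check_sender_access]


def decide(session):
    """Evaluate the lists as Postfix does at RCPT TO (smtpd_delay_reject=yes,
    the default): first match wins inside a list, a permit ends only the list
    it occurs in, a reject ends the whole evaluation."""
    for restrictions in (HELO_RESTRICTIONS, RECIPIENT_RESTRICTIONS):
        for restriction in restrictions:
            action = restriction(session)
            if action is None or action == "DUNNO":
                continue                 # fall through to the next rule
            if action == "OK":
                break                    # this list is done, go to the next list
            return action                # 4xx / 5xx / REJECT: refuse the mail
    return "OK"


if __name__ == "__main__":
    for c in [
        Session("203.0.113.5", "smtp.example.net", "alice@example.net"),
        Session("203.0.113.5", "mail.study.local", "alice@example.net"),
        Session("203.0.113.5", "smtp.example.net", "boss@sales.study.local"),
        Session("203.0.113.5", "smtp.example.net", "boss@study.local", True),
        Session("192.0.2.10", "pc10", "boss@study.local"),
    ]:
        print(f"{c.client_ip:<13} HELO {c.helo:<17} FROM <{c.sender}> "
              f"auth={c.sasl_authenticated} -> {decide(c)}")
```

Swap the order of permit_sasl_authenticated and check_sender_access in RECIPIENT_RESTRICTIONS and run it again: the authenticated user's mail from boss@study.local is then rejected, which is exactly the mistake the article's placement rule guards against.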


We also need to add one more check:


This rule blocks message receipt when the sending client's DNS is misconfigured: its name is missing or wrong (no A record, or one that does not point back to the client) or its reverse zone is missing or wrong (no PTR record, or one that does not match). Insert this rule in the smtpd_helo_restrictions block right after the permit_sasl_authenticated rule. Be aware that a fair number of legitimate but sloppily administered servers fail this test, so watch the reject lines in the mail log after enabling it.


Using spammer blacklists: DNSBL

A DNSBL (DNS blacklist or DNS blocklist) is a list of hosts published through the DNS infrastructure. It is used mostly to protect against spam. The mail server queries the DNSBL for the IP address of each client that tries to deliver a message. A positive answer means the client is treated as a spam source: the server replies with a 5xx (permanent) error and does not accept the message, and the sending server then produces a non-delivery report for its sender.

To use such blacklists, add the following lines at the end of the smtpd_helo_restrictions block:

where the value after the rule is the address (zone name) of the DNSBL service.
There are many such lists on the Internet; the most commonly used are:

Be very careful with DNSBLs. A free service can shut down at any moment, start listing legitimate servers, or cause other trouble, so they must be used with caution. Before enabling a list, check that it is alive and behaving: by convention (RFC 5782) the test address 127.0.0.2 is always listed and 127.0.0.1 is never listed, so a zone that answers for neither is dead and a zone that answers for both has started listing everything. After enabling it, keep an eye on the reject lines in the mail log.
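The script below is an added example, not code from the article and not Postfix's own code (Postfix performs the equivalent lookup inside its reject_rbl_client restriction). It shows how a DNSBL query is actually made, which is what you need to check a list by hand before putting it into main.cf: the client address's octets are reversed (hex digits, for IPv6), the list's zone name is appended, and an A record is requested; an answer inside 127.0.0.0/8 means "listed", NXDOMAIN means "not listed". It then runs the sanity check from the paragraph above. The resolver is a parameter so that the constructed answer table runs offline; the zone names under .example, the client addresses and the status code 127.255.255.254 are all made up for the example.

```python
"""DNSBL lookup plus the liveness check a list should pass before use.

Added example, not from the article or from Postfix.  The answer table at
the bottom is constructed; pass system_resolver to query the real DNS.
"""
import ipaddress
import socket

LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the name to look up, e.g. 192.0.2.1 -> 1.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(str(addr).split(".")))
    else:  # IPv6: one label per hex digit, least significant first
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def system_resolver(name):
    """Real A lookup; NXDOMAIN (or any resolution failure) -> []."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def is_listed(ip, zone, resolve=system_resolver, status_codes=frozenset()):
    """Return (listed, answers).  Only answers inside 127.0.0.0/8 count as a
    listing, and answers in status_codes are ignored.  Assumption: the list
    operator documents certain 127.x.y.z answers as 'query refused' or 'rate
    limited' rather than as listings; read the list's documentation and pass
    those in, because treating such an answer as a listing would reject
    every client."""
    answers = resolve(dnsbl_query_name(ip, zone))
    hits = [a for a in answers
            if ipaddress.ip_address(a) in LISTING_RANGE and a not in status_codes]
    return bool(hits), hits


def list_is_sane(zone, resolve=system_resolver, status_codes=frozenset()):
    """RFC 5782 convention: 127.0.0.2 is always listed (test entry) and
    127.0.0.1 is never listed.  Answering for neither means the zone is dead,
    answering for both means it now lists everything; neither may be used to
    reject mail."""
    test_listed, _ = is_listed("127.0.0.2", zone, resolve, status_codes)
    loopback_listed, _ = is_listed("127.0.0.1", zone, resolve, status_codes)
    return test_listed and not loopback_listed


# Constructed answer table standing in for the DNS (all names hypothetical).
FAKE_DNS = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],           # healthy list
    "5.113.0.203.dnsbl.example": ["127.0.0.2"],         # a listed client
    # dead.example answers nothing at all
    "1.0.0.127.wild.example": ["127.0.0.2"],            # now lists everything
    "2.0.0.127.wild.example": ["127.0.0.2"],
    "2.0.0.127.refusing.example": ["127.255.255.254"],  # assumed status answer
}


def fake_resolver(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for zone in ("dnsbl.example", "dead.example", "wild.example", "refusing.example"):
        ok = list_is_sane(zone, fake_resolver, {"127.255.255.254"})
        print(f"{zone:<18} {'usable' if ok else 'DO NOT USE'}")
    print("203.0.113.5 listed:", is_listed("203.0.113.5", "dnsbl.example", fake_resolver)[0])
```

The refusing.example case is the one that bites in practice: without the status-code exclusion its answer falls inside 127.0.0.0/8 and looks like a listing for every address queried, which in Postfix would mean rejecting all incoming mail.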



You can buy the book "Mail server based on Postfix, Dovecot and RoundCube" in electronic form in the store.