7

How to enable RBL filters in postfix?

My current configuration:

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit
  -o receive_override_options=no_header_body_checks,no_address_mappings
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

The mails are being sent and received.

When I add:

reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net

Thunderbird loops forever during sending and nothing happens. /var/log/mail.* are empty.

1
  • This section of master.cf is for your outgoing mail, not your incoming mail. That's why it doesn't work here. Commented Jan 22, 2015 at 15:17

2 Answers

10

Your reject_rbl_client declaration goes into the smtpd_recipient_restrictions declaration found in main.cf. For my CentOS machines, that's in /etc/postfix/. The code you posted tends to show up in master.cf. That's a different file altogether.

This is what my smtpd_recipient_restrictions definition looks like:

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unauth_pipelining,
        check_client_access hash:/etc/postfix/rbl_override,
        reject_unknown_reverse_client_hostname,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_invalid_hostname,
        check_client_access hash:/etc/postfix/client_checks,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client dnsbl.sorbs.net,
        check_policy_service unix:private/policy,
        permit
4
  • 1
    Keep in mind that many of the clients (like Barracuda Central) require that you register the public IP address of the server before usage. Some of them may not be free for your type of usage. Commented Dec 1, 2017 at 10:40
  • Very good point. I should have thought to include that.
    – David W
    Commented Dec 3, 2017 at 16:46
  • reject_unknown_client_hostname "...This is a stronger restriction than the reject_unknown_reverse_client_hostname feature..."
    – dstonek
    Commented Feb 16, 2019 at 23:14
  • David, how are you using rbl_override and client_checks (what purpose)? Can you extend your question with a couple of samples and a brief description?
    – KJ7LNW
    Commented Oct 18, 2021 at 18:51
7

As the others said, you put reject_rbl_client in the wrong place. Set it on the smtpd line in master.cf or in main.cf.

If your Postfix is version 2.8 or higher, you can put the RBL checking in postscreen. You can get more info on the Postscreen Howto page.

For example, the equivalent config of

reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net

in postscreen terms is

postscreen_dnsbl_sites = sbl-xbl.spamhaus.org, bl.spamcop.net
postscreen_dnsbl_action = enforce

Some considerations for where you put the RBL check, smtpd_*_restriction or postscreen:

Postscreen Pros

  • Checks before any SMTP transaction because the input is only the IP address
  • Uses a caching mechanism when the IP address isn't found in the RBL
  • Supports weighted scores for DNSBL sites (for example, if your internal RBL is more trusted than the spamhaus RBL, then you can put postscreen_dnsbl_sites = internal.rbl.example.com*3, spamhaus.org)
  • Weight can be a negative value to get the same effect as permit_dnswl_client

Postscreen Cons

See Sebix's answer to this question and a thread on the postfix mailing list

1
  • I'm currently researching a better postscreen implementation than the default, and I just stumbled upon this answer. Then I noticed that I answered this very same question! As of today, I've moved all of my RBL rules from smtpd_recipient_restrictions into postscreen. I've upvoted your answer. Thanks! :)
    – David W
    Commented Feb 14, 2017 at 11:34
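
How a DNSBL lookup name is built and how the weighted postscreen_dnsbl_sites scoring described in the answer above adds up, as an added example that is not part of either answer or of Postfix itself. It assumes constructed DNS answers, a hypothetical allowlist zone wl.example.com, and a reply filter simplified to an exact address match.

```python
import ipaddress

def dnsbl_query_name(client_ip, zone):
    """Name looked up for client_ip in a DNSBL zone (reversed octets or nibbles)."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))            # 192.0.2.10 -> 10.2.0.192
    else:
        labels = reversed(ip.exploded.replace(":", ""))  # IPv6: one label per nibble
    return ".".join(labels) + "." + zone

def parse_sites(value):
    """Split a postscreen_dnsbl_sites value into (zone, filter, weight) tuples."""
    sites = []
    for item in value.replace(",", " ").split():
        item, _, weight = item.partition("*")
        zone, _, reply_filter = item.partition("=")
        sites.append((zone, reply_filter or None, int(weight or 1)))
    return sites

def dnsbl_score(client_ip, sites_value, resolve):
    """Add up the weight of every site that lists client_ip."""
    # resolve(name) returns A records or []; a filter matches an exact reply only.
    score = 0
    for zone, reply_filter, weight in parse_sites(sites_value):
        answers = resolve(dnsbl_query_name(client_ip, zone))
        if reply_filter:
            answers = [a for a in answers if a == reply_filter]
        if answers:
            score += weight
    return score

def would_block(score, threshold=1):
    """postscreen acts once the combined score reaches postscreen_dnsbl_threshold."""
    return score >= threshold

# Constructed DNS answers and site list (wl.example.com is a hypothetical allowlist).
SAMPLE_DNS = {
    "10.2.0.192.internal.rbl.example.com": ["127.0.0.2"],
    "10.2.0.192.bl.spamcop.net": ["127.0.0.2"],
    "20.2.0.192.bl.spamcop.net": ["127.0.0.2"],
    "20.2.0.192.wl.example.com": ["127.0.0.1"],
}
SITES = "internal.rbl.example.com*3, bl.spamcop.net, wl.example.com*-2"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        score = dnsbl_score(ip, SITES, lambda n: SAMPLE_DNS.get(n, []))
        print(ip, score, "block" if would_block(score) else "pass")
```

With the constructed data, the client listed on two blocklists is blocked, while the one listed on a blocklist and the negative-weight allowlist ends below the threshold and passes.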
