My postfix server is configured to reject emails based on a couple of spam block lists administered by spamhaus and spamcop.
After noticing that I've been receiving more spam than normal recently, I've discovered from logs that the last time an email was rejected based on a positive result from either of these services was a week ago. I've made no changes to my postfix configuration for some time so nothing should have changed on the server.
I've run the tests here - https://blt.spamhaus.com/ and they are all getting through, which confirms to me that emails are not getting rejected as they should. Plus, I've checked the block list for the sending domains of a couple of the spam emails I've received and they are present, so should have been rejected.
I'm at a bit of a loss on how to troubleshoot this any further. There doesn't seem to be anything in the postfix logs that says "I'm not checking this block list because..." How can I find the root cause of this problem?
My smtp recipient restrictions are as follows:
smtpd_recipient_restrictions =
    permit_mynetworks
    check_sender_access hash:/etc/postfix/sender_access
    reject_unauth_destination
    reject_unauth_pipelining
    reject_invalid_hostname
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_rbl_client bl.spamcop.net
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client dul.dnsbl.sorbs.net
    permit
smtpd_reject_unlisted_sender = yes
Output of postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
disable_vrfy_command = yes
home_mailbox = Mail/
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
message_size_limit = 20480000
mydestination = b3.localdomain, localhost.localdomain, localhost, /etc/postfix/bubbadomains, $myhostname
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
recipient_delimiter = +
relayhost = smtp.gmail.com
sender_bcc_maps = hash:/etc/postfix/sender_bcc
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks check_sender_access hash:/etc/postfix/sender_access reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname reject_non_fqdn_sender reject_unknown_sender_domain reject_non_fqdn_recipient reject_unknown_recipient_domain reject_rbl_client bl.spamcop.net reject_rbl_client zen.spamhaus.org reject_rbl_client dul.dnsbl.sorbs.net permit
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_mynetworks check_sender_access hash:/etc/postfix/sender_access reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname reject_non_fqdn_sender reject_unknown_sender_domain reject_non_fqdn_recipient reject_unknown_recipient_domain reject_rbl_client bl.spamcop.net reject_rbl_client zen.spamhaus.org reject_rbl_client dul.dnsbl.sorbs.net permit
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.co.uk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.co.uk/privkey.pem
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
So, although dig requests (e.g.
dig @localhost a 185.176.220.75.zen.spamhaus.org
) were returning expected results, leading me to assume there was no network/DNS issue, I did find in my OpenDNS dashboard some evidence of spamhaus and spamcop DNS requests being blocked. There was no reason given and at the time of checking there was no category associated with them, so it's possible this is/was a transient problem that was going to correct itself. Rather than leave it to chance though, I specifically whitelisted these domains. After a few minutes I ran the email tests from spamhaus again, and the ones I expected to get blocked did.