Home / server / Questions / 661558
In Process
Sfisioza
Asked: 2015-01-23 06:06:26 +0800 CST

How to enable RBL checking in postfix?

  • 772

How to enable RBL filters in postfix?

My current configuration:

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit
  -o receive_override_options=no_header_body_checks,no_address_mappings
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

The mails are being sent and recieved.

When I add:

reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net

Thunderbird loops forever during sending and nothing happens. /var/log/mail.* are empty.

postfix

2 Answers

  1. Your reject_rbl_client declaration goes into the smtpd_recipient_restrictions declaration found in main.cf. For my CentOS machines, that's in /etc/postfix/. The code you posted tends to show up in master.cf. That's a different file all-together.

    This is what my smtpd_recipient_restrictions definition looks like:

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination
        reject_unauth_pipelining,
        check_client_access hash:/etc/postfix/rbl_override,
        reject_unknown_reverse_client_hostname,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_invalid_hostname,
        check_client_access hash:/etc/postfix/client_checks,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client dnsbl.sorbs.net,
        check_policy_service unix:private/policy,
        permit
    • 10

  2. As the others said, you put reject_rbl_client in wrong place. Set it in smtpd line master.cf or in main.cf.

    If your postfix has version 2.8 higher, you can put the RBL checking in postscreen. You can get more info in Postscreen Howto page.

    For example, the equivalent config of

    reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net

    in postscreen terms is

    postscreen_dnsbl_sites = sbl-xbl.spamhaus.org, bl.spamcop.net
postscreen_dnsbl_action = enforce

    Some consideration where you put rbl check, smtpd_*_restriction or postscreen

    Postcreen Pros

    • Check before any SMTP transaction because the input was only IP address
    • Use Caching mechanism when IP address doesn't found in RBL
    • Support weighted score for dnsbl site (for example your internal RBL was more trusted than spamhaus RBL, then you can put postscreen_dnsbl_sites = internal.rbl.example.com*3, spamhaus.org)
    • Weight can be negative value to get same effect with permit_dnswl_client

    Postcreen Cons

    See Sebix answer to this question and a thread in postfix mailing list

    • 7