How to enable RBL checking in postfix?

How to enable RBL filters in postfix?

My current configuration:

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit
  -o receive_override_options=no_header_body_checks,no_address_mappings
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

The mails are being sent and received.

When I add:

reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net

Thunderbird loops forever during sending and nothing happens. /var/log/mail.* are empty.


Your reject_rbl_client declaration goes into the smtpd_recipient_restrictions declaration found in main.cf. For my CentOS machines, that's in /etc/postfix/. The code you posted tends to show up in master.cf. That's a different file altogether.

This is what my smtpd_recipient_restrictions definition looks like:

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unauth_pipelining,
        check_client_access hash:/etc/postfix/rbl_override,
        reject_unknown_reverse_client_hostname,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_invalid_hostname,
        check_client_access hash:/etc/postfix/client_checks,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client dnsbl.sorbs.net,
        check_policy_service unix:private/policy,
        permit

As the others said, you put reject_rbl_client in the wrong place. Set it on the smtpd line in master.cf or in main.cf.

If your Postfix is version 2.8 or higher, you can put the RBL checking in postscreen. You can get more info on the Postscreen Howto page.

For example, the equivalent config of

reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net

in postscreen terms is

postscreen_dnsbl_sites = sbl-xbl.spamhaus.org, bl.spamcop.net
postscreen_dnsbl_action = enforce

Some considerations on where to put the RBL check, smtpd_*_restrictions or postscreen:

Postscreen Pros

  • Checks before any SMTP transaction, because the only input is the IP address
  • Uses a caching mechanism when the IP address isn't found in the RBL
  • Supports weighted scores for DNSBL sites (for example, if your internal RBL is more trusted than the spamhaus RBL, then you can put postscreen_dnsbl_sites = internal.rbl.example.com*3, spamhaus.org)
  • Weight can be a negative value to get the same effect as permit_dnswl_client

Postscreen Cons

  • You can exclude RBL checking from some senders/recipients. You can still whitelist IP addresses.

See Sebix's answer to this question and a thread on the postfix mailing list
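
The weighted scoring described in the answer above, as an added example (not part of the original answers and not Postfix's own code): it builds the reversed-octet DNSBL query name, parses a postscreen_dnsbl_sites value with `*weight` suffixes, and compares the summed score with a threshold, as Postfix does with its postscreen_dnsbl_threshold parameter (default 1). Assumptions: IPv4 only, `=d.d.d.d` reply filters are not handled, the zone wl.example.com is hypothetical, and the listings are constructed so the block runs offline.

```python
import ipaddress

def dnsbl_query_name(client_ip, zone):
    """Name a DNSBL client resolves: reversed IPv4 octets prepended to the zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def parse_dnsbl_sites(value):
    """Parse 'zone*weight, zone' into (zone, weight) pairs; weight defaults to 1."""
    sites = []
    for item in value.replace(",", " ").split():
        zone, _, weight = item.partition("*")
        sites.append((zone, int(weight) if weight else 1))
    return sites

def dnsbl_verdict(client_ip, sites_value, threshold, is_listed):
    """Sum the weights of all zones that list the client, then apply the threshold."""
    score = sum(weight for zone, weight in parse_dnsbl_sites(sites_value)
                if is_listed(dnsbl_query_name(client_ip, zone)))
    return score, ("fail" if score >= threshold else "pass")

# Constructed sample data: wl.example.com is a hypothetical whitelist zone
# given a negative weight; the client addresses are documentation ranges.
SITES = ("internal.rbl.example.com*3, sbl-xbl.spamhaus.org, "
         "bl.spamcop.net, wl.example.com*-2")
LISTED = {
    "10.2.0.192.bl.spamcop.net",
    "7.100.51.198.internal.rbl.example.com",
    "5.113.0.203.internal.rbl.example.com",
    "5.113.0.203.wl.example.com",
}

def is_listed(name):
    # Stand-in for a DNS A lookup: an answer means listed, NXDOMAIN means not.
    return name in LISTED

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, dnsbl_verdict(ip, SITES, 2, is_listed))
```

With a threshold of 2, a single weight-1 listing no longer fails the client on its own, and the negative weight offsets the internal listing for 203.0.113.5.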