Spammers often use specific tricks to send spam, such as domain names that cannot exist, fixed IPs from which spam is sent, etc. In this article, we show how to let Postfix perform checks on commonly used spam techniques and use blacklists and whitelists. You can choose from public blacklists or manually create your own black- or whitelist.
With a public blacklist check, the sender's IP address is checked against the blacklist. With a manual blacklist, the blacklist can be set based on IP address or domain. If a sender is on the blacklist, the emails are blocked using the steps in this article.
- For the steps in this guide, you need a VPS with Ubuntu, Debian, CentOS Stream, AlmaLinux, or Rocky Linux with Postfix and Dovecot. In this guide, we explain how to install and configure Postfix and Dovecot. For this guide, we assume you have completed that guide.
- Execute the commands in this guide with sudo, or as the root user.
Public Blacklists & Advanced Spam Control
Step 1
Connect to your VPS via SSH or the VPS console in the TransIP control panel.
Step 2
Open the configuration of Postfix:
nano /etc/postfix/main.cf
Step 3
Search for 'smtpd_recipient_restrictions' (with ctrlshift_ followed by v). Adjust the code so that it looks like the example below.
smtpd_recipient_restrictions =
permit_mynetworks,
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net
- reject_rhsbl_helo: Postfix checks if the client or hostname HELO is blacklisted at Spamhaus.
- reject_rhsbl_sender: Postfix rejects email if the MAIL FROM domain is blacklisted at Spamhaus.
- reject_rbl_client: Checks if the client's IP address is blacklisted at Spamhaus or Spamcop.
If any of the above conditions are met, the email is blocked.
Optionally, you can expand this with the following lines, see the explanation below.
smtpd_recipient_restrictions =
permit_mynetworks,
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain
- reject_unauth_pipelining: Postfix supports a technique known as pipelining that speeds up the mass delivery of email by sending multiple smtp commands at once. The protocol requires clients to first check if the server supports pipelining. Many spammers send a series of commands without waiting for authorization to deliver their messages as quickly as possible. reject_unauth_pipelining blocks email from bulk mail software that wrongly uses pipelining to speed up deliveries.
- reject_non_fqdn_recipient: Checks if the email address contains a domain name (e.g., mail@example instead of mail@example.com). If not, the email is rejected.
- reject_unknown_recipient_domain: If an email is sent to a domain that you do not process mail for on your server, the email is rejected.
Save your changes and close the file (ctrl + x > y > enter).
Step 4
Finally, restart Postfix to process the changes:
systemctl restart postfix
Incoming mail is now automatically scanned to check if the sender is on a blacklist.
Manual Blacklist / Whitelist
Step 1
Connect to your VPS via SSH or the VPS console in the TransIP control panel.
Step 2
Open the configuration of Postfix:
nano /etc/postfix/main.cf
Step 3
Search for 'smtpd_recipient_restrictions' (with ctrlshift_ followed by v) and add the following line:
check_sender_access
hash:/etc/postfix/sender_access,
If you have completed the previous steps in this article, the smtp_recipient_restrictions now look like this:
smtpd_recipient_restrictions =
permit_mynetworks,
check_sender_access
hash:/etc/postfix/sender_access,
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain
This indicates that the postfix black- and whitelist should be checked in the file /etc/postfix/sender_access.
Save your changes and close the file (ctrl + x > y > enter).
Step 4
Open or create the new blacklist/whitelist file:
nano /etc/postfix/sender_access
Step 5
Give the file the following content, where you indicate domains / (parts of) email addresses that you whitelist with 'OK' and blacklist with 'REJECT'.
# /etc/postfix/sender_access
#
# Black/Whitelist for senders matching the 'MAIL FROM' field. Examples...
#
myfriend@example.com OK
junk@spam.com REJECT
marketing@ REJECT
theboss@ OK
deals.marketing.com REJECT
somedomain.com OK
Save your changes and close the file (ctrl + x > y > enter).
Step 7
Finally, restart Postfix to process the changes:
systemctl restart postfix
Incoming mail is now automatically scanned to check if the sender is on your own blacklist.
With that, we have come to the end of this guide on blacklist control in Postfix. If you have any questions based on this guide, do not hesitate to contact our support department. You can reach them via the 'Contact us' button at the bottom of this page.