LinuxQuestions.org - how to Blacklist specific email in postfix

- Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)

- - how to Blacklist specific email in postfix (https://www.linuxquestions.org/questions/linux-server-73/how-to-blacklist-specific-email-in-postfix-656019/)

how to Blacklist specific email in postfix

Hi all,

I have installed postfix in my ubuntu server and i am trying to blacklist a specific email address to a specific user or the whole domain itself. Is there a work around on this. I've searched google and i found this...

http://www.cyberciti.biz/faq/howto-b...email-address/

same within this forum....
http://www.linuxquestions.org/questi...cklist-501851/

but the two seems not working.. anyone please help.. Thank you!

regards,

I did it under file client_access.pcre,
/^ip-addr/ DISCARD

could you please elaborate on how did you do it?

under postfix, main.cf,
under smtpd_client_restrictions =
add line, check_client_access pcre:/....dir/client_access.pcre,

create file client_access.pcre,
add line, /^ip-addr\./ DISCARD

it will drop any email from this ip-addr.

Thanks for the reply, if i change the ip-addr to specific email address will it work? I tried it but its not working....Im trying to block specific email address not the domain itself.. :)

Show the output of postconf -n.

You will create a sender_restriction, but I need to see your default postfix setup to advise.

tried IP address as well... still not working... :(

If you are trying to blacklist an email address, why are you trying an IP address ? Show you postconf -n and I'll show you what lines to add.

here it is...

main.cf

smtpd_sender_restriction = check_client_access pcre:/etc/postfix/client_access.pcre, permit_sasl_authenticated, permit_mynetworks,re
ject_non_fqdn_sender, reject_unknown_sender_domain,reject_unauth_pipelining,check_client_access, permit

That is not postconf -n, and some of those checks dont make sense in that given stage.

sent you the results

There is nothing confidential or compromising in your postconf -n output. It is standard, required practice on the postfix mailing list.

I'm summarizing here for others to learn as well:

Your postconf output does not match your early statements, so we'll just ignore those. This is why postconf -n output is mandatory. My comments follow below a section or line. I've added those lines in blue; you should remove things in red.

Code:

$ postconf -n

alias_database = hash:/etc/postfix/aliases

alias_maps = hash:/etc/postfix/aliases

append_dot_mydomain = no

biff = no

broken_sasl_auth_clients = yes

config_directory = /etc/postfix

content_filter = smtp-amavis:[127.0.0.1]:10024

debug_peer_list = 127.0.0.1

home_mailbox = Mailbox/

inet_interfaces = all

inet_protocols = all

mailbox_command = 

mailbox_size_limit = 0

message_size_limit = 20480000

mydestination = 



# mydestination is worth setting, even if to the default:

mydestination = $myhostname, localhost.$mydomain $mydomain



myhostname = <hostname>

mynetworks = <ip addresses>

myorigin = $mydomain

recipient_delimiter = +

relayhost = 

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)



# There's no need to announce you're on an Ubuntu platform.

smtpd_banner = $myhostname ESMTP $mail_name



smtpd_data_restrictions = reject_unauth_pipelining

# This is the correct stage for reject_unauth_pipelining.  

# It is useless in other stages; comments below. 



smtpd_recipient_restrictions = 

  reject_non_fqdn_recipient

  reject_non_fqdn_sender

# consider the cheap checks above for additional anti-spam.  

# They are safe, and effective.



  reject_unlisted_recipient

# you should reject all unknown recipients, otherwise you will be 

# inundated with hundreds of spam / day to jibberish @ yourdomain.com



  permit_sasl_authenticated,

# consider enabling and placing SASL authenticated users on the

# submission port (587) instead.  This avoids ISPs blocking port 25.

# You can also enforce mandatory TLS there, which you cannot here.



  permit_mynetworks,

  reject_unauth_destination,



  reject_unknown_sender_domain

# If the sender domain does not exist, how can you bounce the mail?

  reject_unknown_recipient_domain

# This is pretty obvious



    check_helo_access pcre:/etc/postfix/helo_checks.pcre

# This is where you can reject bogus helo/ehlo, such as those

# who claim to be localhost, your IP, your hostname, and even

# unqualified hosts.



  reject_invalid_helo_hostname

# this rejects helo/ehlo names that violate RFC standards



  check_client_access hash:/etc/postfix/client_checks

# This is where you can block by client IP or hostname

  check_sender_access hash:/etc/postfix/sender_checks

# This is where you can block by sender email address

# in both maps above, I've used hash, but you can change to pcre, or

# your choice of map.  Obviously, you have to make these map files.



  reject_unauth_pipelining,

# This is useless in this stage. It only make sense in data restrictions.



  reject_non_fqdn_recipient,

# I moved this to the top - all your recipients should have

# fully qualified names.  Even root should have fully qualified email.



  reject_rbl_client zen.spamhaus.org

# The best rbl blocking service available. It will cut down

# spam by 30-40%



  reject_rbl_client bl.spamcop.net,

# spamcop isn't really a blacklisting service, its better used for

# scoring systems, such as SpamAssassin.



  reject_rbl_client cbl.abuseat.org,

# probably will be less useful when using zen above



  check_policy_service inet:127.0.0.1:60000,

  permit



smtpd_sasl_auth_enable = yes

smtpd_sasl_local_domain = 

smtpd_sasl_security_options = noanonymous

smtpd_tls_auth_only = no

smtpd_tls_cert_file = /etc/postfix/postfix.cert

smtpd_tls_key_file = /etc/postfix/postfix.key

smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

smtpd_use_tls = yes

transport_maps = hash:/etc/postfix/transport

virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf

virtual_create_maildirsize = yes

virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf

virtual_mailbox_base = /var/spool/mail/virtual

virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf

virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_mailbox_limit.cf

virtual_mailbox_limit_override = yes

virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf

virtual_overquota_bounce = yes

virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf

Ok, now for some client access and sender access maps:

Code:

/etc/postfix/client_checks

  # Restricts which clients this system accepts SMTP connections from.



  example.com              REJECT we don't tolerate example.com spam

  .example.com              REJECT we don't want your subdomains either

  ##.##.##.##              REJECT we don't accept your IP address

  ##.##.##.0/24            REJECT we don't accept your IP range

  ##                        REJECT we don't accept this IP block



/etc/postfix/sender_checks

  # Restricts sender addresses this system accepts in MAIL FROM commands.



  example.com              REJECT env. from addr any@example.com rejected

  .example.com            REJECT env. from addr any@sub.example.com rejected

  user@example.net        REJECT We don't want your email

So those are some ways to reject mail from client IP or hostname, or sender email or domain and/or subdomains. If you use hash maps, be sure to postmap the file after done (but not for regexp/pcre maps)

Code:

postmap sender_checks

postmap client_checks

postfix reload  # if you want immediate update, otherwise postfix will notice

Here is an example helo_checks. This time I use pcre maps:

Code:

/etc/postfix/helo_checks.pcre:

  /^mydomain\.com$/                      REJECT Hijacked my domain "example.com"



  # Somebody HELO'ing with our IP address?

  /^##\.##\.##\.##$/                      REJECT Hijacked IP "##.##.##.##"



  # Somebody HELO'ing as "localhost?"  Impossible, we're "localhost"

  /^localhost$/                          REJECT Unacceptable: "localhost"

  /^localhost\.localdomain$/              REJECT Unacceptable: "localhost.localdomain"



  # Other usual suspects

  /^friend$/                              REJECT Unacceptable: "friend"

  /^computer$/                            REJECT Unacceptable: "computer"



  !/[[:alpha:]]/                          REJECT Unacceptable: Non-alphabetic hostname

  !/\./                                  REJECT Unacceptable: Unqualified hostname

Now, if you want to see how effective those checks are, try postfix_logwatch.

Thanks so much for the great tutorial Mr. C! I really do appreciate your help....I will implement these changes and will give you feedback!

You're welcome. Hang out on the postfix list. Loads of good info there from the experts.

Quote:

Originally Posted by Mr. C. (Post 3216503)

Code:

/etc/postfix/client_checks

  # Restricts which clients this system accepts SMTP connections from.



  example.com  REJECT we don't tolerate example.com spam

Code:

/etc/postfix/helo_checks.pcre:

  /^mydomain\.com$/  REJECT Hijacked my domain "example.com"



  # Somebody HELO'ing with our IP address?

  /^##\.##\.##\.##$/  REJECT Hijacked IP "##.##.##.##"

Just some questions on this nice howto:

For the line in helo_checks.pcre should I put (in case i got goofy.de)

/^goofy\.de$/ REJECT Hijacked my domain "goofy.de" ??? Or would I leave it as is (mydomain\.de$)? I'm not shure, if mydomain here is an variable or just an example....

Another one is client_checks:

Can I just put a list of country-endings I would never expect mail from inside like this:

Code:

.ad REJECT I don't expect mail from you!

.ru REJECT I don't expect mail from you!

...

And last question in my case for main.cf:

Code:

mime_header_checks = pcre:/etc/postfix/mime-header-checks



qmgr_fudge_factor = 70



queue_minfree = 102400000



bounce_size_limit = 30720

bounce_template_file = /etc/postfix/bounce.cf



delay_warning_time = 30m

bounce_queue_lifetime = 3d

maximal_queue_lifetime = 3d



default_recipient_limit = 300

default_destination_recipient_limit = 30

default_destination_concurrency_limit = 10



smtpd_helo_required = yes

smtpd_delay_reject = yes



smtpd_error_sleep_time = 1s

smtpd_soft_error_limit = 10

smtpd_hard_error_limit = 20



smtpd_data_restrictions =

 reject_unauth_pipelining



smtpd_client_restrictions = 



smtpd_helo_restrictions = 



smtpd_sender_restrictions = 



smtpd_recipient_restrictions =

 reject_non_fqdn_recipient,

 reject_non_fqdn_sender,

 reject_unlisted_recipient,

 permit_sasl_authenticated,

 permit_mynetworks,

 reject_unauth_destination,

 reject_unknown_sender_domain,

 reject_unknown_recipient_domain,

 check_helo_access pcre:/etc/postfix/helo_checks.pcre,

 reject_invalid_helo_hostname,

 check_client_access hash:/etc/postfix/client_checks,

 check_sender_access hash:/etc/postfix/sender_checks,

 reject_rbl_client zen.spamhaus.org,

 check_policy_service inet:127.0.0.1:60000,

 permit

Is this config a working example :-) ?
Should I put in some kind of restrictions for

smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =

too?