-   Linux - Server (
-   -   how to Blacklist specific email in postfix (

nhansense 07-15-2008 09:10 PM

how to Blacklist specific email in postfix
Hi all,

I have installed postfix in my ubuntu server and i am trying to blacklist a specific email address to a specific user or the whole domain itself. Is there a work around on this. I've searched google and i found this...

same within this forum....

but the two seems not working.. anyone please help.. Thank you!


uncle_philip 07-15-2008 10:52 PM

I did it under file client_access.pcre,
/^ip-addr/ DISCARD

nhansense 07-16-2008 01:09 AM

could you please elaborate on how did you do it?

uncle_philip 07-16-2008 01:34 AM

under postfix,,
under smtpd_client_restrictions =
add line, check_client_access pcre:/....dir/client_access.pcre,

create file client_access.pcre,
add line, /^ip-addr\./ DISCARD

it will drop any email from this ip-addr.

nhansense 07-16-2008 02:20 AM

Thanks for the reply, if i change the ip-addr to specific email address will it work? I tried it but its not working....Im trying to block specific email address not the domain itself.. :)

Mr. C. 07-16-2008 03:46 AM

Show the output of postconf -n.

You will create a sender_restriction, but I need to see your default postfix setup to advise.

nhansense 07-16-2008 04:10 AM

tried IP address as well... still not working... :(

Mr. C. 07-16-2008 04:12 AM

If you are trying to blacklist an email address, why are you trying an IP address ? Show you postconf -n and I'll show you what lines to add.

nhansense 07-16-2008 04:16 AM

here it is...

smtpd_sender_restriction = check_client_access pcre:/etc/postfix/client_access.pcre, permit_sasl_authenticated, permit_mynetworks,re
ject_non_fqdn_sender, reject_unknown_sender_domain,reject_unauth_pipelining,check_client_access, permit

Mr. C. 07-16-2008 04:17 AM

That is not postconf -n, and some of those checks dont make sense in that given stage.

nhansense 07-16-2008 04:39 AM

sent you the results

Mr. C. 07-16-2008 11:15 AM

There is nothing confidential or compromising in your postconf -n output. It is standard, required practice on the postfix mailing list.

I'm summarizing here for others to learn as well:

Your postconf output does not match your early statements, so we'll just ignore those. This is why postconf -n output is mandatory. My comments follow below a section or line. I've added those lines in blue; you should remove things in red.


$ postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[]:10024
debug_peer_list =
home_mailbox = Mailbox/
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 0
message_size_limit = 20480000
mydestination =

# mydestination is worth setting, even if to the default:
mydestination = $myhostname, localhost.$mydomain $mydomain

myhostname = <hostname>
mynetworks = <ip addresses>
myorigin = $mydomain
recipient_delimiter = +
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)

# There's no need to announce you're on an Ubuntu platform.
smtpd_banner = $myhostname ESMTP $mail_name

smtpd_data_restrictions = reject_unauth_pipelining
# This is the correct stage for reject_unauth_pipelining. 
# It is useless in other stages; comments below.

smtpd_recipient_restrictions =

# consider the cheap checks above for additional anti-spam. 
# They are safe, and effective.

# you should reject all unknown recipients, otherwise you will be
# inundated with hundreds of spam / day to jibberish @

# consider enabling and placing SASL authenticated users on the
# submission port (587) instead.  This avoids ISPs blocking port 25.
# You can also enforce mandatory TLS there, which you cannot here.


# If the sender domain does not exist, how can you bounce the mail?
# This is pretty obvious

    check_helo_access pcre:/etc/postfix/helo_checks.pcre
# This is where you can reject bogus helo/ehlo, such as those
# who claim to be localhost, your IP, your hostname, and even
# unqualified hosts.

# this rejects helo/ehlo names that violate RFC standards

  check_client_access hash:/etc/postfix/client_checks
# This is where you can block by client IP or hostname
  check_sender_access hash:/etc/postfix/sender_checks
# This is where you can block by sender email address
# in both maps above, I've used hash, but you can change to pcre, or
# your choice of map.  Obviously, you have to make these map files.

# This is useless in this stage. It only make sense in data restrictions.

# I moved this to the top - all your recipients should have
# fully qualified names.  Even root should have fully qualified email.

# The best rbl blocking service available. It will cut down
# spam by 30-40%

# spamcop isn't really a blacklisting service, its better used for
# scoring systems, such as SpamAssassin.

# probably will be less useful when using zen above

  check_policy_service inet:,

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/postfix.cert
smtpd_tls_key_file = /etc/postfix/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = mysql:/etc/postfix/
virtual_create_maildirsize = yes
virtual_gid_maps = mysql:/etc/postfix/
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = mysql:/etc/postfix/
virtual_mailbox_limit_maps = mysql:/etc/postfix/
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = mysql:/etc/postfix/
virtual_overquota_bounce = yes
virtual_uid_maps = mysql:/etc/postfix/

Ok, now for some client access and sender access maps:


  # Restricts which clients this system accepts SMTP connections from.              REJECT we don't tolerate spam              REJECT we don't want your subdomains either
  ##.##.##.##              REJECT we don't accept your IP address
  ##.##.##.0/24            REJECT we don't accept your IP range
  ##                        REJECT we don't accept this IP block

  # Restricts sender addresses this system accepts in MAIL FROM commands.              REJECT env. from addr rejected            REJECT env. from addr rejected        REJECT We don't want your email

So those are some ways to reject mail from client IP or hostname, or sender email or domain and/or subdomains. If you use hash maps, be sure to postmap the file after done (but not for regexp/pcre maps)

postmap sender_checks
postmap client_checks
postfix reload  # if you want immediate update, otherwise postfix will notice

Here is an example helo_checks. This time I use pcre maps:

  /^mydomain\.com$/                      REJECT Hijacked my domain ""

  # Somebody HELO'ing with our IP address?
  /^##\.##\.##\.##$/                      REJECT Hijacked IP "##.##.##.##"

  # Somebody HELO'ing as "localhost?"  Impossible, we're "localhost"
  /^localhost$/                          REJECT Unacceptable: "localhost"
  /^localhost\.localdomain$/              REJECT Unacceptable: "localhost.localdomain"

  # Other usual suspects
  /^friend$/                              REJECT Unacceptable: "friend"
  /^computer$/                            REJECT Unacceptable: "computer"

  !/[[:alpha:]]/                          REJECT Unacceptable: Non-alphabetic hostname
  !/\./                                  REJECT Unacceptable: Unqualified hostname

Now, if you want to see how effective those checks are, try postfix_logwatch.

nhansense 07-16-2008 11:47 PM

Thanks so much for the great tutorial Mr. C! I really do appreciate your help....I will implement these changes and will give you feedback!

Mr. C. 07-17-2008 12:48 AM

You're welcome. Hang out on the postfix list. Loads of good info there from the experts.

schmidtedv 08-19-2008 08:42 AM


Originally Posted by Mr. C. (Post 3216503)


  # Restricts which clients this system accepts SMTP connections from.  REJECT we don't tolerate spam


  /^mydomain\.com$/  REJECT Hijacked my domain ""

  # Somebody HELO'ing with our IP address?
  /^##\.##\.##\.##$/  REJECT Hijacked IP "##.##.##.##"

Just some questions on this nice howto:

For the line in helo_checks.pcre should I put (in case i got

/^goofy\.de$/ REJECT Hijacked my domain "" ??? Or would I leave it as is (mydomain\.de$)? I'm not shure, if mydomain here is an variable or just an example....

Another one is client_checks:

Can I just put a list of country-endings I would never expect mail from inside like this:


.ad REJECT I don't expect mail from you!
.ru REJECT I don't expect mail from you!


And last question in my case for


mime_header_checks = pcre:/etc/postfix/mime-header-checks

qmgr_fudge_factor = 70

queue_minfree = 102400000

bounce_size_limit = 30720
bounce_template_file = /etc/postfix/

delay_warning_time = 30m
bounce_queue_lifetime = 3d
maximal_queue_lifetime = 3d

default_recipient_limit = 300
default_destination_recipient_limit = 30
default_destination_concurrency_limit = 10

smtpd_helo_required = yes
smtpd_delay_reject = yes

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

smtpd_data_restrictions =

smtpd_client_restrictions =

smtpd_helo_restrictions =

smtpd_sender_restrictions =

smtpd_recipient_restrictions =
 check_helo_access pcre:/etc/postfix/helo_checks.pcre,
 check_client_access hash:/etc/postfix/client_checks,
 check_sender_access hash:/etc/postfix/sender_checks,
 check_policy_service inet:,

Is this config a working example :-) ?
Should I put in some kind of restrictions for

smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =


All times are GMT -5. The time now is 09:44 AM.