Block Emails on Postfix

carlosinfl · 06-18-2008, 02:18 PM

Can anyone explain how I can place a filter or block list of email accounts I do not wish to be able to communicate with my email server? For example, I do not want anyone to be able to send and or receive email from *@aol.com using my MTA. Is there a way in Postfix I can block all SMTP traffic (in/out) to any or all AOL email accounts?

trickykid · 06-18-2008, 02:32 PM

You should be able to do this with the smtpd_recipient_restrictions in the main.cf configuration.

Might end up looking something like this in your conf:

Code:

smtpd_recipient_restrictions = permit_mynetworks, check_sender_access regexp:/etc/postfix/unwanted_sender, reject_unauth_destination

Then you just put the domains in the unwanted_sender file. ?

Upon further readings though, this might only reject outgoing email. For incoming, I'd just use SpamAssassin to block unwanted emails.

carlosinfl · 06-18-2008, 02:37 PM

So w/o SA, there is no way to filter emails from any specific domain? I am testing this now now on my server to see if I can receive from Gmail and just not send and or both...

Right now I have the following in main.cf

Code:

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_client_access dbm:/etc/postfix/client_blacklist,
        check_recipient_access hash:/etc/postfix/access,
        check_sender_access hash:/etc/postfix/access,
        check_policy_service inet:127.0.0.1:12525,
        reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_non_fqdn_hostname,
        reject_invalid_hostname,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client multihop.dsbl.org,
        reject_rbl_client unconfirmed.dsbl.org,
        reject_rbl_client zombie.dnsbl.sorbs.net,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client spam.dnsrbl.org,
        reject_rbl_client dul.dnsbl.sorbs.net,
        reject_rbl_client dun.dnsrbl.net,
        reject_rbl_client vox.schpider.com,
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        permit

Do you know exactly where I should place this and also if I need to add it the same in "smtpd_sender_restrictions" in order for it to work both ways?

Mr. C. · 06-18-2008, 02:43 PM

For inbound email, add a check_sender_access to your smtpd_recipient_restrictions to create a blacklists for senders from domains or addresses you wish to block:

Code:

main.cf:
    smtpd_recipient_restrictions =
        ...
        check_sender_access hash:/etc/postfix/sender_checks
        permit_mynetworks
        reject_unauth_destination
        ...
        permit

sender_checks:
    #
    # WARNING - DO NOT PUT OKs IN HERE!! Creates Open Relay
    #
    aol\.com                     REJECT  We don't allow mail from AOL
    .aol\.com                    REJECT  We don't allow mail from AOL

Chose the map type and syntax that suits you (hash, regexp, pcre, etc.)

For outbound email, you can create an AOL-specific transport that sends to error:

Code:

main.cf:
   transport_maps = hash:/etc/postfix/transport

transport:
    aol.com     error:We do not allow sending to AOL

carlosinfl · 06-18-2008, 03:07 PM

Mr. C - I have done the following:

Code:

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_recipient_access hash:/etc/postfix/access,
        check_sender_access hash:/etc/postfix/access,
        check_policy_service inet:127.0.0.1:12525,
        check_sender_access hash:/etc/postfix/sender_checks
        reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_non_fqdn_hostname,
        reject_invalid_hostname,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client multihop.dsbl.org,
        reject_rbl_client unconfirmed.dsbl.org,
        reject_rbl_client zombie.dnsbl.sorbs.net,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client spam.dnsrbl.org,
        reject_rbl_client dul.dnsbl.sorbs.net,
        reject_rbl_client dun.dnsrbl.net,
        reject_rbl_client vox.schpider.com,
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        permit

Now my question is when I create the file /etc/postfix/sender_checks, what do I need to do to make this a hash file? I don't think I need to postmap it, correct? I am still confused about the different types of files.

Thanks for any assistance!

Mr. C. · 06-18-2008, 03:16 PM

Since you have the file listed as a hash file:

Code:

check_sender_access hash:/etc/postfix/sender_checks

you must postmap the file.

Postmap translates ASCII text files into a database format. This is required for hash, db, and dbm files, and any other file which is a "database" format. If you specify the files as regexp or pcre, you don't need to postmap, because the files are not database files, but are read directly.

If you are unsure of a table type, do a man on the table type, as in:

Code:

man cidr_table
man pcre_table
man regexp_table

carlosinfl · 06-18-2008, 04:44 PM

OK - Thanks for clearing that up for me. I was not sure when to use Postmap and when it is not needed...

So if I have a file called foo and foo.db and in my main.cf it is being called as regexp or pcre - then I don't need foo.db, correct? Is there a benefit to using one of the mentioned above? Seems like regexp would be preferred so you don't have to postmap anything when you make a change, right?

Mr. C. · 06-18-2008, 04:50 PM

Right, with pcre/regexp, you just use the text file - no .db file required or used.

The choice of file types you use depends on what you are trying to do, and concerns about performance. Pcre is faster than regexp, so use pcre if you have pcre built in. Use hash's for longer lists, since db lookups are faster than long pcre or regexp lists. If you only have a few entires, the table choice doesn't matter much. Pick one that suits your needs.

carlosinfl · 06-19-2008, 08:51 AM

Quote:

Originally Posted by Mr. C.

For outbound email, you can create an AOL-specific transport that sends to error:

Code:

main.cf:
   transport_maps = hash:/etc/postfix/transport

transport:
    aol.com     error:We do not allow sending to AOL

From above, does it matter where in the main.cf file I place the following?

Code:

transport_maps = hash:/etc/postfix/transport

I don't know if it matters but I sent it to the very last line on my main.cf file. Is that incorrect and does that need to go in a specific section like smtpd_sender_restrictions?

Mr. C. · 06-19-2008, 11:50 AM

No, it does not matter where in the file you place the settings.