Distroname and release: Debian Squeeze

Blacklist & Whitelist with Postfix

In this little howto, I will describe how to configure a whitelist and/or blacklist for your Postfix installation.

There are two different restrictions we can set in Postfix, and they act differently.

check_client_access
Blocks by client IP, client IP range or hostname

check_sender_access
Blocks by sender e-mail address (the envelope sender given in MAIL FROM)

#block by client IP, IP range, hostname
  check_client_access hash:/etc/postfix/client_checks

#block by sender e-mail address (the envelope sender given in MAIL FROM)
  check_sender_access hash:/etc/postfix/sender_checks

It is important that check_client_access and check_sender_access are listed among the first entries in smtpd_recipient_restrictions.
Postfix evaluates the restrictions in the order listed and stops at the first one that gives a result, so we do this to make sure the e-mail is not caught by one of the other filters we have set.

Here is a sample excerpt of the main.cf file.
/etc/postfix/main.cf
smtpd_recipient_restrictions =
   check_client_access hash:/etc/postfix/client_checks,
   check_sender_access hash:/etc/postfix/sender_checks,
   etc....
   etc....

We define each whitelist or blacklist entry with an OK or REJECT, followed by an optional reply text.
OK means the mail is allowed
REJECT means the mail is blocked

/etc/postfix/client_checks
# Restricts which clients this system accepts SMTP connections from.

example.com               REJECT No spammers
.example.com              REJECT No spammers, from your subdomain
123.456.789.123           REJECT Your IP is spammer
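# hash: tables cannot match CIDR notation; a /24 is written as its first three octets
# (other prefix lengths need a cidr: table)
123.456.789               REJECT Your IP range is spammer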
321.987.654.321           OK
example1.com              OK

/etc/postfix/sender_checks
# Restricts sender addresses this system accepts in MAIL FROM commands.

example.com              REJECT env. from addr any@example.com rejected
.example.com             REJECT env. from addr any@sub.example.com rejected
user@example.com         REJECT We don't want your email
example2.com             OK

When a change has been made to either of the files, remember to run postmap to rebuild the Postfix lookup tables, and then reload Postfix.
# postmap /etc/postfix/client_checks
# postmap /etc/postfix/sender_checks
# /etc/init.d/postfix reload
That was it, quite simple.
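
A check worth running before the reload, shown as an added example that is not part of the original howto: where relay control sits only in smtpd_recipient_restrictions, an OK result placed ahead of reject_unauth_destination ends evaluation with a permit, so a whitelisted sender domain lets anyone who forges it relay through the server. The script flags that ordering and client keys a hash: table cannot match; the sample main.cf and tables are constructed, and the function names are this example's own.

```python
import re

# Constructed samples modelled on this howto's files (not taken from a real server).
MAIN_CF = """smtpd_recipient_restrictions =
   check_client_access hash:/etc/postfix/client_checks,
   check_sender_access hash:/etc/postfix/sender_checks,
   permit_mynetworks,
   reject_unauth_destination
"""
SENDER_CHECKS = """user@example.com   REJECT We don't want your email
example2.com       OK
"""
CLIENT_CHECKS = """# constructed client table
123.456.789.0/24   REJECT Your IP range is spammer
192.0.2            REJECT Your IP range is spammer
example1.com       OK
"""

def restrictions(main_cf, name="smtpd_recipient_restrictions"):
    """Return the restriction names of one main.cf parameter, in evaluation order."""
    m = re.search(rf"^{name}\s*=(.*(?:\n[ \t]+.*)*)", main_cf, re.M)
    tokens = re.split(r"[,\s]+", m.group(1)) if m else []
    return [t for t in tokens if t and ":" not in t]  # drop type:table arguments

def entries(table):
    """Yield (key, action) pairs from access(5)-style text, skipping comments."""
    for line in table.splitlines():
        parts = line.split(None, 2)
        if len(parts) >= 2 and not parts[0].startswith("#"):
            yield parts[0], parts[1].upper()

def lint(main_cf, sender_table, client_table):
    """Return warnings about relay exposure and keys a hash: table cannot match."""
    warnings = []
    order = restrictions(main_cf)
    guard = order.index("reject_unauth_destination") if "reject_unauth_destination" in order else len(order)
    if "check_sender_access" in order[:guard] and any(a == "OK" for _, a in entries(sender_table)):
        warnings.append("sender OK is evaluated before reject_unauth_destination: "
                        "a forged MAIL FROM can relay")
    for key, _ in entries(client_table):
        if "/" in key:
            warnings.append(f"{key}: CIDR needs a cidr: table, hash: only matches octet prefixes")
        elif re.fullmatch(r"[\d.]+", key) and any(int(o) > 255 for o in key.split(".") if o):
            warnings.append(f"{key}: octet above 255, never matches a client")
    return warnings

if __name__ == "__main__":
    for w in lint(MAIN_CF, SENDER_CHECKS, CLIENT_CHECKS):
        print("WARN", w)
```

Moving check_sender_access below reject_unauth_destination, or keeping only REJECT entries in the sender table, clears the first warning.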
Do not trust the author's words! POC, tests and experience are key.

Copyright LinuxLasse.net 2009 - 2024 All Rights Reserved.