If you administer a mail server and use blacklists to block spam, you may sometimes have problems with certain mail servers. This happens because a specific mail server was blacklisted. You can see that a server was blacklisted if you trace your maillog:
reject: RCPT from unknown[196.206.244.208]: 554 5.7.1 Service unavailable; Client host [196.206.244.208] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?196.206.244.208; from=<laya@mymail.com> to=<laya@mymail.com> proto=SMTP helo=<aimp.org>
In this example, the mail server 196.206.244.208 is blacklisted and therefore blocked (in this case the message was spam, so we won’t whitelist 196.206.244.208).
To whitelist servers, we need one file (for example /etc/postfix/rbl_whitelist) listing all the IP addresses or host names to be whitelisted.
# nano /etc/postfix/rbl_whitelist
Every line should contain only one IP address or one hostname, in the following format:
196.196.196.196 OK
mail.mymail.com OK
Save the file and then run:
# postmap /etc/postfix/rbl_whitelist
After you have created the whitelist in Postfix format, open /etc/postfix/main.cf and search for the smtpd_recipient_restrictions parameter. Add
check_client_access hash:/etc/postfix/rbl_whitelist
after reject_unauth_destination, but before the first blacklist.
Remember: BEFORE the first blacklist, or this won’t work.
smtpd_recipient_restrictions = reject_invalid_hostname,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/rbl_whitelist,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    permit
The lines shown above are only an example. Please check all those blacklists, because some of them are not active any more.
And finally reload postfix with
# service postfix restart
or
# /etc/init.d/postfix restart
Edit
Remember that the smtpd_recipient_restrictions section mentioned above is just for reference. Please double-check these blacklists before you use them. (Some of them don’t work any more.) Especially if you find this post 3 years after I wrote it…
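The ordering rule above (whitelist after reject_unauth_destination, before the first reject_rbl_client) can be checked mechanically. The following is an added example, not part of the original post; the function name check_rbl_order, its verdict strings and the LATE/EARLY samples are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): check where the RBL whitelist sits.
# check_rbl_order RESTRICTIONS TABLE prints a verdict and returns
#   0 ok | 1 missing | 2 after-blacklist | 3 before-relay-check
check_rbl_order() {
    restrictions=$1 table=$2
    pos=0 wl=0 rbl=0 relay=0 prev=
    # Postfix separates restrictions with commas and/or whitespace, so
    # "check_client_access <table>" arrives as two consecutive tokens.
    while IFS= read -r tok; do
        if [ -z "$tok" ]; then continue; fi
        pos=$((pos + 1))
        if [ "$tok" = reject_unauth_destination ] && [ "$relay" -eq 0 ]; then relay=$pos; fi
        if [ "$tok" = reject_rbl_client ] && [ "$rbl" -eq 0 ]; then rbl=$pos; fi
        if [ "$prev" = check_client_access ] && [ "$tok" = "$table" ] && [ "$wl" -eq 0 ]; then
            wl=$pos
        fi
        prev=$tok
    done <<EOF
$(printf '%s\n' "$restrictions" | tr -s ', \t' '\n\n\n')
EOF
    if [ "$wl" -eq 0 ]; then echo missing; return 1; fi
    # The whitelist's OK only helps if it is evaluated before any DNSBL lookup.
    if [ "$rbl" -ne 0 ] && [ "$wl" -gt "$rbl" ]; then echo after-blacklist; return 2; fi
    # OK ends evaluation of the list, so it must not precede the relay check.
    if [ "$relay" -eq 0 ] || [ "$wl" -lt "$relay" ]; then echo before-relay-check; return 3; fi
    echo ok
}

TABLE=hash:/etc/postfix/rbl_whitelist
# The restriction list shown in the post.
GOOD="reject_invalid_hostname, reject_unauth_pipelining, permit_mynetworks,
  permit_sasl_authenticated, reject_unauth_destination,
  check_client_access $TABLE, reject_rbl_client dsn.rfc-ignorant.org,
  reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client sbl-xbl.spamhaus.org,
  reject_rbl_client bl.spamcop.net, permit"
# Constructed variants with the whitelist misplaced.
LATE="reject_unauth_destination, reject_rbl_client bl.spamcop.net, check_client_access $TABLE, permit"
EARLY="check_client_access $TABLE, reject_unauth_destination, reject_rbl_client bl.spamcop.net, permit"

for sample in "$GOOD" "$LATE" "$EARLY"; do
    check_rbl_order "$sample" "$TABLE" || true
done
```

On a live server, pass the output of `postconf -h smtpd_recipient_restrictions` as the first argument instead of the sample strings.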
> reject_rbl_client list.dsbl.org,
This list is dead
___
> reject_rbl_client multi.uribl.com,
URIBL.com only lists domains in BODY of messages. It's not supposed to be used at SMTP level. You may be blocked if you send excessive/useless queries.
AxB
Thanks
Corrected
Are wildcards allowed at all in this format?
e.g. *.spam.com to catch several diff hosts within that domain?
Thanks
Hi
You can blacklist domains, IP addresses, IP blocks or hosts via regexp.
For example:
# IP
/^11\.11\.11\.11$/ REJECT blacklisted
# IP block (trailing \. so that 11.11.110.x and 11.11.111.x are not matched)
/^11\.11\.11\./ REJECT blacklisted
# domain
/^example\.com$/ REJECT blacklisted
# everything in a domain (anchored on a dot so that notexample.com is not matched)
/(^|\.)example\.com$/ REJECT blacklisted
# exact hosts
/^somehost\.example\.com$/ REJECT blacklisted
But a much better option is to integrate additional protection (postgrey / amavisd-new / spamassassin / clamav)
Perfect – I had my regex stuff wrong – fixed up my whitelist.