Postfix/Blacklisting

From Gentoo Wiki
Jump to: navigation, search

Blacklisting is the process of banning specific IP addresses or address ranges from sending email to your server entirely.

Background

In the email server administration world, blacklisting generally refers to using a Realtime Black(hole) List (usually abbreviated to RBL) service operating over the DNS protocol.

There are various RBL services available. A good overview is over at Wikipedia's list of DNS blacklists. Another fairly useful resource is DNSBL.info which allows you to check if your server's IP address block has been listed in any of the major RBLs.

Basically, when a computer asks your system to receive some mail, your system sends a DNS query to the RBL provider(s) including the identity of that sending system. If the system is blacklisted, the response will indicate so, and the mail will be rejected.

Note
By using an RBL you are basically trusting them to audit your inbound mail for you. This is a very significant type of trust to extend to a third party. If the RBL goes down, all of your inbound mail may get rejected! (Example) Therefore, you are probably better off picking a smaller number of more widely used RBLs than simply enabling all of them! In addition, you are broadcasting the identities of connecting systems in an unencrypted protocol across the internet, which is probably collected by NSA and similar organizations in order to efficiently monitor encrypted email. You may wish to obfuscate the DNS query path of your mailserver or think very carefully before enabling address-level query types (see note below).

Setup

To enable them, add reject_rbl_client entries to your main.cf file's smtpd_recipient_restriction directive based upon the services you have selected, as follows.

FILE /etc/postfix/main.cfUse blacklists
smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   permit_mynetworks,
   reject_rbl_client sbl.spamhaus.org,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client dul.dnsbl.sorbs.net,
   reject_rbl_client bl.spamcop.net, 
   permit
Note
There is another directive, reject_rhsbl_sender which apparently operates at the sender email address degree of granularity rather than the server level. RBL providers of this type apparently include dsn.rfc-ignorant.org. However, using such services may be a serious privacy violation (see note above).

Deployment

Finally, tell postfix to reload its configuration for the changes to take effect.

root #/etc/init.d/postfix reload
Note
By using reload instead of restart, we are advised of any syntax errors we may have accidentally introduced and the daemon stays running under its current configuration instead of going down, which is what would happen if we used restart with a syntax error in main.cf!