Postfix postscreen DNSBL setup

The postscreen_dnsbl_sites parameter lets postscreen check an SMTP client’s IP address against public blacklists (DNSBLs).

1. Edit /etc/postfix/main.cf. Adjust the DNSBL sites and threshold to suit your use case.

postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_sites = zen.spamhaus.org,bl.mailspike.net,psbl.surriel.com
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

/etc/postfix/postscreen_access.cidr:
  # Rules are evaluated in the order as specified.
  # Denylist 192.168.* except 192.168.0.1.
  192.168.0.1          permit
  192.168.0.0/16       reject

2. Edit /etc/postfix/master.cf.

#smtp      inet  n       -       y       -       -       smtpd
smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
dnsblog   unix  -       -       y       -       0       dnsblog
tlsproxy  unix  -       -       y       -       0       tlsproxy

3. Restart the Postfix service.

sudo systemctl restart postfix

4. Monitor the Postfix log for postscreen entries.
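
One way to do this monitoring, as an added example that is not part of the original page: the script below summarizes postscreen and dnsblog log lines per client and shows which clients would still be blocked at a candidate postscreen_dnsbl_threshold. The sample log lines are constructed, and the names summarize and blocked_at are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the formats logged by postscreen(8) and dnsblog(8).
SAMPLE_LOG = r"""
Jan 10 10:00:01 mx postfix/postscreen[2101]: CONNECT from [203.0.113.7]:41822 to [192.0.2.25]:25
Jan 10 10:00:01 mx postfix/dnsblog[2103]: addr 203.0.113.7 listed by domain zen.spamhaus.org as 127.0.0.4
Jan 10 10:00:01 mx postfix/dnsblog[2104]: addr 203.0.113.7 listed by domain bl.mailspike.net as 127.0.0.2
Jan 10 10:00:02 mx postfix/postscreen[2101]: PREGREET 11 after 0.3 from [203.0.113.7]:41822: EHLO spam\r\n
Jan 10 10:00:07 mx postfix/postscreen[2101]: DNSBL rank 2 for [203.0.113.7]:41822
Jan 10 10:01:00 mx postfix/dnsblog[2105]: addr 198.51.100.9 listed by domain psbl.surriel.com as 127.0.0.2
Jan 10 10:01:06 mx postfix/postscreen[2101]: DNSBL rank 1 for [198.51.100.9]:50010
Jan 10 10:02:06 mx postfix/postscreen[2101]: PASS NEW [192.0.2.44]:33000
""".strip().splitlines()

LISTED = re.compile(r"dnsblog\[\d+\]: addr (\S+) listed by domain (\S+) as (\S+)")
RANK = re.compile(r"postscreen\[\d+\]: DNSBL rank (\d+) for \[([^\]]+)\]:\d+")
PREGREET = re.compile(r"postscreen\[\d+\]: PREGREET \d+ after \S+ from \[([^\]]+)\]:\d+")

def summarize(lines):
    """Collect per-client DNSBL rank, the lists that matched, and pregreet failures."""
    clients = defaultdict(lambda: {"rank": 0, "lists": set(), "pregreet": False})
    for line in lines:
        if m := LISTED.search(line):
            # One list can return several reply codes; the set counts it once.
            clients[m.group(1)]["lists"].add(m.group(2))
        elif m := RANK.search(line):
            entry = clients[m.group(2)]
            entry["rank"] = max(entry["rank"], int(m.group(1)))
        elif m := PREGREET.search(line):
            clients[m.group(1)]["pregreet"] = True
    return dict(clients)

def blocked_at(clients, threshold):
    """Clients whose logged rank meets a candidate postscreen_dnsbl_threshold."""
    return sorted(ip for ip, c in clients.items() if c["rank"] >= threshold)

if __name__ == "__main__":
    seen = summarize(SAMPLE_LOG)
    for ip, c in sorted(seen.items()):
        print(ip, "rank", c["rank"], sorted(c["lists"]), "pregreet" if c["pregreet"] else "")
    for t in (1, 2):
        print("threshold", t, "->", blocked_at(seen, t))
```

postscreen logs the "DNSBL rank" line only when the combined score reaches the configured threshold, so the what-if is meaningful for candidate values at or above the current setting.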


