Postfix postscreen DNSBL setup

The postscreen_dnsbl_sites parameter can be used to check an SMTP client’s IP address against public blacklists (DNSBL).

1. Edit /etc/postfix/main.cf. Adjust the DNSBL sites and threshold based on your use case.

postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_sites = zen.spamhaus.org,bl.mailspike.net,psbl.surriel.com
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

/etc/postfix/postscreen_access.cidr:
  # Rules are evaluated in the order as specified.
  # Denylist 192.168.* except 192.168.0.1.
  192.168.0.1          permit
  192.168.0.0/16       reject

2. Edit /etc/postfix/master.cf.

#smtp      inet  n       -       y       -       -       smtpd
smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
dnsblog   unix  -       -       y       -       0       dnsblog
tlsproxy  unix  -       -       y       -       0       tlsproxy

3. Restart the Postfix service.

sudo systemctl restart postfix

4. Monitor the Postfix log for postscreen entries.
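
One way to carry out step 4, as an added example that is not part of the original page: a small Python summarizer for the postscreen lines in the mail log. The sample lines are constructed (documentation-range addresses, hypothetical host name and PIDs), and the function name `summarize` is my own.

```python
import re
from collections import Counter

# Constructed sample in the format postscreen(8) logs; not real observations.
SAMPLE_LOG = """\
Jan 10 09:00:01 mx postfix/postscreen[2101]: CONNECT from [203.0.113.7]:50112 to [192.0.2.25]:25
Jan 10 09:00:01 mx postfix/postscreen[2101]: PREGREET 11 after 0.05 from [203.0.113.7]:50112: EHLO x\\r\\n
Jan 10 09:00:02 mx postfix/postscreen[2101]: DNSBL rank 2 for [203.0.113.7]:50112
Jan 10 09:00:03 mx postfix/postscreen[2101]: NOQUEUE: reject: RCPT from [203.0.113.7]:50112: 550 5.7.1 Service unavailable; client [203.0.113.7] blocked using zen.spamhaus.org; from=<a@example.org>, to=<b@example.com>, proto=ESMTP, helo=<x>
Jan 10 09:01:10 mx postfix/postscreen[2101]: CONNECT from [198.51.100.9]:41000 to [192.0.2.25]:25
Jan 10 09:01:16 mx postfix/postscreen[2101]: PASS NEW [198.51.100.9]:41000
Jan 10 09:02:00 mx postfix/smtpd[2200]: connect from unknown[198.51.100.9]
"""

POSTSCREEN = re.compile(r"postfix/postscreen\[\d+\]: (?P<msg>.*)")
IP = r"\[(?P<ip>[^\]]+)\]"
PATTERNS = {
    "dnsbl": re.compile(r"DNSBL rank (?P<rank>\d+) for " + IP),
    "pregreet": re.compile(r"PREGREET \d+ after [\d.]+ from " + IP),
    "reject": re.compile(r"NOQUEUE: reject: RCPT from " + IP
                         + r":\d+: .*?blocked using (?P<site>[^;]+);"),
    "pass": re.compile(r"PASS (?:NEW|OLD) " + IP),
}

def summarize(lines):
    """Count postscreen events per client IP; track DNSBL rank and list hits."""
    counts = {name: Counter() for name in PATTERNS}
    ranks, sites = {}, Counter()
    for line in lines:
        m = POSTSCREEN.search(line)
        if not m:
            continue  # skip smtpd and other non-postscreen lines
        for name, pat in PATTERNS.items():
            hit = pat.match(m.group("msg"))
            if not hit:
                continue
            ip = hit.group("ip")
            counts[name][ip] += 1
            if name == "dnsbl":  # keep the highest rank seen for this client
                ranks[ip] = max(ranks.get(ip, 0), int(hit.group("rank")))
            elif name == "reject":  # which list was named in the 550 reply
                sites[hit.group("site")] += 1
            break
    return counts, ranks, sites

if __name__ == "__main__":
    counts, ranks, sites = summarize(SAMPLE_LOG.splitlines())
    for ip, rank in sorted(ranks.items()):
        print(f"{ip}: DNSBL rank {rank}, RCPT rejected {counts['reject'][ip]}x")
    print("passed:", sorted(counts["pass"]), "lists:", dict(sites))
```

A client whose rank reaches postscreen_dnsbl_threshold shows up in `ranks`; comparing that set against `counts["pass"]` is a quick way to spot a threshold that is too strict or too loose for your traffic.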


