Blacklisting Single Hosts, IP Addresses, and even Networks in Postfix
You know the ones: the same hosts, providers, or whole networks that get through your spam filter and spam your users with the same content over and over again. By building up your own blacklist in Postfix, you can stop them from bothering you and your users. We will explain how local blacklists work in Postfix and how to combine them with whitelists for better control and fewer errors.
Check before you blacklist
Blocking other hosts must be a well-considered decision, because blocking single hosts, IP addresses, or even whole networks will stop all of their delivery attempts to your mail servers.
It is a good idea to talk to your users or customers before blocking any incoming mail. For company email, please speak to your CTO or even CEO to get their OK. They will value your communication and your well-considered decision.
In our view, though, blacklisting is a well-known, tested, and valuable measure against some hosts and even networks. There are specialized hosts and even cloud providers who focus on delivering unwanted emails right into your users' inboxes. If you check their reputation, you will see that you can block some of them with good reason.
Blacklisting single Hosts, IP Addresses, and Networks
You can build your blacklist for Postfix in a single file. The file format is pretty simple and very similar to the whitelisting solution for Postfix. Every line is one entry. The fields of an entry are separated by whitespace and look like this:
root@server $ cat /etc/postfix/my_blacklist
192.168.1.1 REJECT blocked single IP by my server
192.168.2.0/24 REJECT blocked the whole network by my server
mail.spamdomain.example REJECT blocked special host by my server
The three fields are:
- An IP address, a network with netmask, or a domain
- The word REJECT, which tells Postfix to reject the match
- A phrase you can define, which Postfix will send on rejection.
We prefer to reduce any hints for blacklisted hosts and always use the same message: blocked for a good reason.
After building your blacklist, you must convert it to a format Postfix can use directly by running the postmap command:
root@server $ postmap /etc/postfix/my_blacklist
Postfix 2.x should generate a corresponding /etc/postfix/my_blacklist.db file. If something is missing, wrong, or has duplicate entries, postmap will show you warnings.
Add your blacklist to Postfix Configuration
Now that we have generated our blacklist for Postfix, we need to add it to main.cf. First, look for something like:
...
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client ix.dnsbl.manitu.net,
    permit
...
We use the special cidr_table lookup type. Its lookup tables are specified in CIDR (Classless Inter-Domain Routing) format. Postfix compares each input against the list of patterns defined in the table. When there is a match, the corresponding result is returned and the search stops.
Add check_client_access cidr:/etc/postfix/my_blacklist to your configuration, before the final permit and any DNS-based blacklist entry:
...
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access cidr:/etc/postfix/my_blacklist,
    reject_rbl_client ix.dnsbl.manitu.net,
    permit
...
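How a cidr: lookup treats the blacklist file above, as an added example that is not part of the original tutorial: it parses the table, returns the result of the first matching pattern, and reports entries that are not an IP address or network, since cidr_table(5) patterns are addresses and networks only. The function names are hypothetical and the table text is a constructed copy of the sample file.

```python
import ipaddress

# Constructed sample: a copy of the blacklist file shown earlier.
BLACKLIST = """\
192.168.1.1 REJECT blocked single IP by my server
192.168.2.0/24 REJECT blocked the whole network by my server
mail.spamdomain.example REJECT blocked special host by my server
"""

def parse_cidr_table(text):
    """Return (rules, skipped); rules are (network, result) in file order."""
    rules, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pattern = parts[0]
        result = parts[1] if len(parts) > 1 else ""
        try:
            # strict=True also refuses a network with host bits set,
            # e.g. 192.168.2.5/24 instead of 192.168.2.0/24.
            rules.append((ipaddress.ip_network(pattern, strict=True), result))
        except ValueError:
            skipped.append((lineno, pattern))  # hostname or malformed pattern
    return rules, skipped

def lookup(rules, client_ip):
    """First matching pattern wins; None means 'no match, keep evaluating'."""
    addr = ipaddress.ip_address(client_ip)
    for network, result in rules:
        if addr.version == network.version and addr in network:
            return result
    return None

def main():
    rules, skipped = parse_cidr_table(BLACKLIST)
    for lineno, pattern in skipped:
        print(f"line {lineno}: {pattern!r} is not an IP address or network")
    for ip in ("192.168.1.1", "192.168.2.77", "192.168.3.9"):
        print(ip, "->", lookup(rules, ip))

if __name__ == "__main__":
    main()
```

On a live server, `postmap -q 192.168.2.77 cidr:/etc/postfix/my_blacklist` runs the same query against the real table.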
Hint: You can add a whitelist before your blacklist. This prevents you from accidentally blacklisting valuable hosts.
The last step is to restart Postfix to reflect the changes.
root@server $ service postfix restart
After running this setup for some time, check your mail.log for matches. You may find something like:
root@server $ grep "192.168.1.1" /var/log/mail.log
Dec 29 10:40:04 web2 postfix/smtpd: NOQUEUE: reject: RCPT from somehost.local[192.168.1.1]: 554 5.7.1 Service unavailable; Client host [192.168.1.1] blocked single IP by my server ; from=<firstname.lastname@example.org> to=<email@example.com> proto=ESMTP helo=<somehost.local>
Using Blacklisting and Whitelisting in combination
You can use blacklisting and whitelisting in combination to exclude single hosts or networks from a blacklisted network.
Suppose you have a spammy network, 192.168.1.0/24, but it contains one shiny host that is valuable to your email users: 192.168.1.23.
We described the whitelisting setup here: Whitelisting Hosts, IP Addresses, and even Networks in Postfix. Follow this tutorial. Then add blacklisting as we described here.
The most important thing now is to add whitelisting before blacklisting to whitelist the valuable host 192.168.1.23 before you blacklist the whole network 192.168.1.0/24.
Your Postfix main.cf should look something like this:
...
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/rbl_allow,
    check_client_access cidr:/etc/postfix/my_blacklist,
    reject_rbl_client ix.dnsbl.manitu.net,
    permit
...
Your whitelist would look something like this:
root@server $ cat /etc/postfix/rbl_allow
192.168.1.23 OK
Your blacklist would look something like this:
192.168.1.0/24 REJECT whole network blocked by my server
Now Postfix checks the whitelist first and, for a host listed there, ignores any blacklist that follows.
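Why the order of the two check_client_access entries matters, as an added example that is not part of the original tutorial: a small model that walks the whitelist and blacklist in both orders for the host 192.168.1.23. It assumes only these two lookups and the closing permit (the other restrictions in main.cf are left out), the function names are hypothetical, and the tables are constructed copies of the two files above.

```python
import ipaddress

# Constructed sample tables, copied from the two files shown above.
RBL_ALLOW = {"192.168.1.23": "OK"}  # hash:/etc/postfix/rbl_allow
MY_BLACKLIST = [("192.168.1.0/24", "REJECT whole network blocked by my server")]

def hash_client_lookup(table, ip):
    """IPv4 key order of an indexed access table (access(5)): the full
    address first, then the address with trailing octets removed."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        result = table.get(".".join(octets[:n]))
        if result is not None:
            return result
    return None

def cidr_lookup(rules, ip):
    """cidr table: the first pattern containing the address wins."""
    addr = ipaddress.ip_address(ip)
    for pattern, result in rules:
        if addr in ipaddress.ip_network(pattern):
            return result
    return None

def evaluate(restrictions, ip):
    """Walk the list left to right; the first OK or REJECT ends evaluation."""
    for name, lookup, table in restrictions:
        result = lookup(table, ip)
        if result is None:
            continue  # no match: fall through to the next restriction
        return ("permit" if result == "OK" else "reject"), name
    return "permit", "end of list"  # the closing 'permit' (simplified)

WHITELIST = ("rbl_allow", hash_client_lookup, RBL_ALLOW)
BLACKLIST = ("my_blacklist", cidr_lookup, MY_BLACKLIST)

def main():
    for label, order in (("whitelist first", [WHITELIST, BLACKLIST]),
                         ("blacklist first", [BLACKLIST, WHITELIST])):
        for ip in ("192.168.1.23", "192.168.1.50", "10.0.0.5"):
            print(f"{label}: {ip} -> {evaluate(order, ip)}")

if __name__ == "__main__":
    main()
```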
Blacklisting can be an essential part of your email setup: it lets you block single hosts, IP addresses, and even networks that send spammy or unwanted email traffic. This setup can reduce the server load and stop particular networks from delivering any messages to you.
By combining blacklisting and whitelisting in your Postfix setup, you can block whole networks and still whitelist single hosts or parts of a blacklisted network, so that you keep receiving email from valuable hosts.