Howto Block Entire TLDs in Postfix


Blocking or blacklisting entire Top Level Domains (TLDs) on a Postfix mail server can substantially reduce spam, phishing, and other unwanted emails. Depending on the use case of your systems it is a valid and effective solution. The only drawback is that you have to monitor your email traffic and check whether legitimate emails from blocked TLDs are being sent to your systems. Blocking a whole TLD is mostly a temporary measure, as the bad guys move on once the domains on a specific TLD are no longer usable for their purposes.

This tutorial focuses on sender addresses (users/clients) using these TLDs. If you want to block mail servers that use uncommon TLDs in their hostname, this is not the right solution. Check this tutorial instead: Howto block mailservers using uncommon TLDs in hostname through Postfix

Setup using PCRE and Regexp Table Format

The setup on a single Postfix mail server is pretty straightforward and can be updated, extended, or removed at any time without big changes.

First of all, create a file called something like /etc/postfix/reject_domains and add, per line, the relevant Top Level Domain (TLD) like .xyz, the word REJECT, and a message like “We reject all mails from .xyz domains”. Depending on your preferences you can use the Perl Compatible Regular Expressions (PCRE) format or the built-in regexp format. I’ll explain both.

PCRE Table Format Setup

Depending on your Linux distribution you may need to install an additional package called something like postfix-pcre, as Perl Compatible Regular Expressions (PCRE) support is optional in Postfix. As the regexp format is pretty similar, you can skip this and use the second variant.

You can use PCRE format to define regular expressions for TLDs. Your /etc/postfix/reject_domains may look like this:

/\.date$/ REJECT We reject all mails from .date domains
/\.pro$/  REJECT We reject all mails from .pro domains
/\.top$/  REJECT We reject all mails from .top domains
/\.wtf$/  REJECT We reject all mails from .wtf domains
/\.xyz$/  REJECT We reject all mails from .xyz domains

Now edit your Postfix main configuration /etc/postfix/main.cf and add a rule to your smtpd_sender_restrictions:

smtpd_sender_restrictions =
check_sender_access pcre:/etc/postfix/reject_domains

The pcre: prefix tells Postfix that the file is a PCRE table, i.e. that the patterns in it are Perl-compatible regular expressions (see pcre_table(5)).

As the last step you have to reload/restart Postfix to enable this setup:

# via the init system's service wrapper (works with systemd and SysV init)
service postfix reload
# or directly with the postfix command
postfix reload

Regexp Table Format Setup

Unlike PCRE, regexp tables are built into Postfix and available by default. That’s why I prefer regexp over PCRE, and I’m used to programming languages that use this format for regular expressions.

You define one regular expression per TLD, one per line. Your /etc/postfix/reject_domains may look like this:

/.*\.date$/ REJECT We reject all mails from .date domains
/.*\.pro$/  REJECT We reject all mails from .pro domains
/.*\.top$/  REJECT We reject all mails from .top domains
/.*\.live$/ REJECT We reject all mails from .live domains
/.*\.wtf$/  REJECT We reject all mails from .wtf domains
/.*\.xyz$/  REJECT We reject all mails from .xyz domains

Now edit your Postfix main configuration /etc/postfix/main.cf and add a rule to your smtpd_sender_restrictions:

smtpd_sender_restrictions =
check_sender_access regexp:/etc/postfix/reject_domains

The regexp: prefix tells Postfix that the file is a regexp table, i.e. that the patterns in it are POSIX regular expressions (see regexp_table(5)).

As the last step you have to reload/restart Postfix to enable this setup:

# via the init system's service wrapper (works with systemd and SysV init)
service postfix reload
# or directly with the postfix command
postfix reload

To block or not to block a whole TLD

Depending on the use case of your server, it may be appropriate to block TLDs for a short or even a longer period. Take a look at your logs, or at a monitoring system that can analyze and display such information.

By using MailMum to analyze the email traffic to the systems I’m responsible for, I could get the same insights as Brian Krebs. You can also check the Spamhaus World’s Most Abused TLDs list to get a feeling for what to look for.

If you provide separate (virtual) servers for single customers with a specific user base, you can take advantage of this simple and pretty effective way of blocking senders.

Summary

Depending on your mail system’s setup, you can block traffic by rejecting specific TLDs or domains. It may be a valid solution for one use case and a wrong one for big providers hosting thousands of different customers with different use cases on one system or even a cluster.
