Using DNS whitelists in Postfix
Update 7/21/2011: I’ve tweaked my main.cf config more recently that provided better results. I will have a follow-up post with the changes and additions.
In an earlier post several years back, I wrote about using DNS blacklists (DNSBLs) in postfix to block unwanted spam from hitting my inbox, and in the last week I tweaked it a bit to include DNS whitelists (DNSWLs). I was discovering that some of the DNSBLs were blocking a small portion of legitimate email from coming through (eg. blocking entire IP ranges for webmail providers).
You need Postfix 2.8 or higher (I was on 2.3.3 so I had to download and compile the latest, 2.8.3), which has a new configuration parameter which added support for querying a DNSWL like a DNSBL:
The relevant portion of my updated Postfix main.cf is below (note permit_dnswl_client is inserted before any of the reject_rbl* parameters). The DNSWL queries are processed first before the DNSBLs, so it should allow legitimate IPs through and reduce the amount of false positives vs just using the DNSBLs alone.
smtpd_recipient_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, permit_dnswl_client list.dnswl.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spameatingmonkey.net, reject_rbl_client bl.spamcop.net, reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2, reject_rbl_client dnsbl.njabl.org, reject_rbl_client bl.tiopan.com, reject_rbl_client spamsources.fabel.dk, reject_rbl_client truncate.gbudb.net, reject_rbl_client ubl.unsubscore.com, reject_rbl_client aspews.ext.sorbs.net, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client backscatter.spameatingmonkey.net, reject_rbl_client bl.spameatingmonkey.net, reject_rhsbl_sender fresh15.spameatingmonkey.net, reject_rhsbl_client fresh15.spameatingmonkey.net, reject_rhsbl_sender uribl.spameatingmonkey.net, reject_rhsbl_client uribl.spameatingmonkey.net, reject_rhsbl_sender urired.spameatingmonkey.net, reject_rhsbl_client urired.spameatingmonkey.net, reject_rbl_client dnsbl.inps.de, reject_rbl_client DDNSBL.InternetDefenseSystems.com, permit
After watching the logs for the last couple days, this setup seems to work quite well…only 1 piece of spam slipped through, and more importantly, no false positives! I should also note that I stopped using spamassassin a while back and just these settings in postfix seems to block almost all legitimate spam coming into my server while not generating false positives.
BTW, if you want to tail your maillog from the command line in realtime and see the rejects in a more readable format, this short one liner will work:
$ tail -f /var/log/mail.log | sed -r -n 's/^(.*) \S+ postfix\/.* blocked using ([^;]+).*; from=<(\S+)> to=<(\S+)> proto=.* helo=.*>$/\1 - \2 - \3 - \4/p'
it will output in the format TIMESTAMP – DNSBL – FROM ADDRESS – TO ADDRESS