Using DNS whitelists in Postfix
Update 7/21/2011: I have since tweaked my main.cf further, with better results. A follow-up post will cover the changes and additions.
In an earlier post several years back, I wrote about using DNS blacklists (DNSBLs) in Postfix to block unwanted spam from reaching my inbox. In the last week I tweaked that setup to add DNS whitelists (DNSWLs), because some of the DNSBLs were blocking a small portion of legitimate email (e.g. listing entire IP ranges belonging to webmail providers).
You need Postfix 2.8 or later (I was on 2.3.3, so I downloaded and compiled the then-current 2.8.3). That release added a restriction that queries a DNSWL the same way reject_rbl_client queries a DNSBL, with an optional reply filter:
permit_dnswl_client dnswl_domain=d.d.d.d
The relevant portion of my updated Postfix main.cf is below. Note where permit_dnswl_client sits: before any of the reject_rbl_client and reject_rhsbl_* entries, but after reject_unauth_destination. Postfix evaluates the restriction list in order and stops at the first restriction that permits or rejects, so a client found on the DNSWL is accepted without the DNSBLs that follow ever being consulted; that is what reduces false positives compared with the DNSBLs alone. The same property is why the whitelist must come after reject_unauth_destination: a permit that fires before the relay check would let any DNSWL-listed host relay mail through your server. One further caveat: without the optional =d.d.d.d reply filter, any A record the list returns counts as a whitelist hit, and list.dnswl.org encodes a trust level in the last octet of its reply (0 meaning no trust), so consider filtering on the reply if you only want to trust higher levels.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    permit_dnswl_client list.dnswl.org,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spameatingmonkey.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client bl.tiopan.com,
    reject_rbl_client spamsources.fabel.dk,
    reject_rbl_client truncate.gbudb.net,
    reject_rbl_client ubl.unsubscore.com,
    reject_rbl_client aspews.ext.sorbs.net,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client backscatter.spameatingmonkey.net,
    reject_rbl_client bl.spameatingmonkey.net,
    reject_rhsbl_sender fresh15.spameatingmonkey.net,
    reject_rhsbl_client fresh15.spameatingmonkey.net,
    reject_rhsbl_sender uribl.spameatingmonkey.net,
    reject_rhsbl_client uribl.spameatingmonkey.net,
    reject_rhsbl_sender urired.spameatingmonkey.net,
    reject_rhsbl_client urired.spameatingmonkey.net,
    reject_rbl_client dnsbl.inps.de,
    reject_rbl_client DDNSBL.InternetDefenseSystems.com,
    permit
After watching the logs for the last couple of days, this setup seems to work quite well: only one piece of spam slipped through and, more importantly, there were no false positives. I should also note that I stopped using SpamAssassin a while back; these Postfix settings alone block almost all of the spam reaching my server without generating false positives. Two days of one server's traffic is a small sample, though, so keep reading the reject lines for a while before trusting the list completely.
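To make the lookup and ordering semantics concrete, here is an added example of my own (not the author's configuration and not Postfix code) that emulates how Postfix evaluates permit_dnswl_client and reject_rbl_client against the restriction list above: the client address is reversed and queried under each list zone, the first zone that answers with an acceptable reply decides, and an optional reply pattern in the Postfix 2.8 syntax (numbers, ';'-separated lists and n..m ranges in brackets) restricts which A records count. The DNS answers come from a constructed in-memory table using documentation addresses; the hostkarma reply used for one of them is an assumption chosen only to show a non-matching answer, the list.dnswl.org reply layout 127.0.<category>.<trust> with 0 meaning no trust is that list's published return-code scheme, and the tightened pattern 127.0.[0..255].[1..3] is a policy choice, not something the page uses.

```python
import ipaddress
import re

# Constructed in-memory stand-in for DNS (query name -> A records) so the
# example runs offline. Documentation addresses; the replies are invented
# to illustrate the semantics and are not real list data.
FAKE_DNS = {
    # 203.0.113.10: on list.dnswl.org at trust level 3 and, at the same
    # time, on a blacklist. The whitelist must win.
    "10.113.0.203.list.dnswl.org": ["127.0.3.3"],
    "10.113.0.203.zen.spamhaus.org": ["127.0.0.2"],
    # 198.51.100.7: on list.dnswl.org at trust level 0 ("none") and on SpamCop.
    "7.100.51.198.list.dnswl.org": ["127.0.5.0"],
    "7.100.51.198.bl.spamcop.net": ["127.0.0.2"],
    # 192.0.2.99: only blacklisted.
    "99.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
    # 192.0.2.50: hostkarma answers, but not with the 127.0.0.2 the page's
    # config rejects on (assumed reply, chosen for the example).
    "50.2.0.192.hostkarma.junkemailfilter.com": ["127.0.0.1"],
}


def query_name(ip, zone):
    """The name Postfix (or `dig +short`) looks up: reversed IPv4 octets under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_pattern(pattern):
    """Parse a Postfix reply pattern 'd.d.d.d', where each d is a number or a
    bracketed list of ';'-separated numbers and n..m ranges (Postfix 2.8+),
    into four sets of acceptable octet values."""
    fields = re.findall(r"\[[^\]]*\]|\d+", pattern)
    if len(fields) != 4:
        raise ValueError("bad reply pattern: %r" % pattern)
    allowed = []
    for field in fields:
        values = set()
        for item in field.strip("[]").split(";"):
            lo, _, hi = item.partition("..")
            values.update(range(int(lo), int(hi or lo) + 1))
        allowed.append(values)
    return allowed


def reply_matches(reply, pattern):
    """Does one A record satisfy the restriction? No pattern means any reply counts."""
    if pattern is None:
        return True
    octets = [int(o) for o in reply.split(".")]
    return all(o in ok for o, ok in zip(octets, parse_pattern(pattern)))


def evaluate(client_ip, restrictions, dns=FAKE_DNS):
    """Walk the DNS-based restrictions in list order. The first zone that
    answers with a matching reply decides, as in smtpd_recipient_restrictions;
    the non-DNS restrictions (permit_mynetworks, reject_unauth_destination, ...)
    are assumed to have run already, before any permit_dnswl_client."""
    for action, zone, pattern in restrictions:
        replies = dns.get(query_name(client_ip, zone), [])
        if any(reply_matches(r, pattern) for r in replies):
            verdict = "PERMIT" if action == "permit_dnswl_client" else "REJECT"
            return (verdict, zone)
    return ("PERMIT", "permit")  # the trailing bare 'permit'


# The page's first few DNS restrictions, in the page's order.
AS_POSTED = [
    ("permit_dnswl_client", "list.dnswl.org", None),
    ("reject_rbl_client", "zen.spamhaus.org", None),
    ("reject_rbl_client", "bl.spamcop.net", None),
    ("reject_rbl_client", "hostkarma.junkemailfilter.com", "127.0.0.2"),
]

# Same list, but the whitelist only fires for dnswl.org trust levels 1..3.
# list.dnswl.org replies are 127.0.<category>.<trust>; trust 0 means "none".
TIGHTENED = [("permit_dnswl_client", "list.dnswl.org", "127.0.[0..255].[1..3]")] + AS_POSTED[1:]


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.99", "192.0.2.50"):
        print(ip, "as posted:", evaluate(ip, AS_POSTED), "tightened:", evaluate(ip, TIGHTENED))
```

The interesting case is 198.51.100.7: with the bare permit_dnswl_client it is accepted on a trust-level-0 entry and SpamCop is never asked, while the tightened pattern lets the lookup fall through to the blacklists.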
By the way, if you want to tail your mail log from the command line in real time and see the rejects in a more readable format, this one-liner works (the sender capture also copes with the null sender, from=<>, that bounces use):
$ tail -f /var/log/mail.log | sed -r -n 's/^(.*) \S+ postfix\/.* blocked using ([^;]+).*; from=<([^>]*)> to=<(\S+)> proto=.* helo=.*>$/\1 - \2 - \3 - \4/p'
It prints one line per reject in the format TIMESTAMP - DNSBL - FROM ADDRESS - TO ADDRESS.
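As an added example (not part of the original post and not the author's one-liner), here is the same extraction in Python, extended to accept both the classic syslog timestamp and the RFC 3339 timestamp that rsyslog's high-precision file format writes, and to keep rejects of the null sender (from=<>), which a \S+ capture silently drops. The log lines are constructed for the example; the hostname, PIDs and addresses are invented, and the RHSBL line follows Postfix's default_rbl_reply wording.

```python
import re
import sys

# Constructed sample log lines (not from the author's server): a classic
# syslog timestamp, an RFC 3339 timestamp, a bounce with the null sender,
# a line that is not a reject at all, and an RHSBL reject of a sender domain.
SAMPLE_LOG = """\
Jul 21 10:15:02 mx1 postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.99]: 554 5.7.1 Service unavailable; Client host [192.0.2.99] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/192.0.2.99; from=<bob@example.net> to=<alice@example.org> proto=ESMTP helo=<mail.example.net>
2011-07-21T10:16:30.221045+02:00 mx1 postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using bl.spamcop.net; from=<> to=<postmaster@example.org> proto=SMTP helo=<[198.51.100.7]>
Jul 21 10:17:00 mx1 postfix/smtpd[4243]: connect from mail.example.com[203.0.113.10]
Jul 21 10:18:05 mx1 postfix/smtpd[4244]: NOQUEUE: reject: RCPT from unknown[192.0.2.50]: 554 5.7.1 Service unavailable; Sender address [bad.example] blocked using fresh15.spameatingmonkey.net; from=<x@bad.example> to=<alice@example.org> proto=ESMTP helo=<bad.example>
"""

# Timestamp: "Jul 21 10:15:02" (BSD syslog) or "2011-07-21T10:16:30.221045+02:00"
# (RFC 3339). The list name runs up to the ';' that ends it, whether or not
# the list appended a TXT record such as a lookup URL after it.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d|\d{4}-\d\d-\d\dT\S+) "
    r"\S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r".*?blocked using (?P<list>[^;]+);"
    r".*?from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)> proto=\S+ helo=<.*>$"
)


def parse_reject(line):
    """Return (timestamp, list, sender, recipient) for a DNSxL reject line, else None."""
    m = REJECT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    # Show the null sender explicitly rather than as an empty field.
    sender = m.group("from") or "<>"
    return (m.group("ts"), m.group("list").strip(), sender, m.group("to"))


def summarize(log_text):
    """All reject records in a block of log text, in order; non-reject lines are skipped."""
    return [rec for rec in map(parse_reject, log_text.splitlines()) if rec is not None]


def format_record(rec):
    """TIMESTAMP - DNSBL - FROM ADDRESS - TO ADDRESS, as on the page."""
    return " - ".join(rec)


if __name__ == "__main__":
    # Usage: tail -f /var/log/mail.log | python3 dnsbl_rejects.py
    # With no pipe on stdin, the constructed sample above is used instead.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines(True)
    for line in source:
        rec = parse_reject(line)
        if rec is not None:
            print(format_record(rec), flush=True)
```

If your timestamps come out empty, compare the start of a raw reject line with the two timestamp alternatives in REJECT_RE; that alternation is the part to extend for another syslog format.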
Can you help me? This command line is very good, but how do I get the date and time from the log, like this:
date time - DNSBL - FROM ADDRESS - TO ADDRESS
This should work: tail -f /var/log/mail.log | sed -r -n 's/^(.*) \S+ postfix\/.* blocked using ([^;]+).*; from=<(\S+)> to=<(\S+)> proto=.* helo=.*>$/\1 - \2 - \3 - \4/p'
Thanks for your fast help, but this doesn't work for me:
dnsbl.sorbs.net - pGtXI286@amy.com - mar@xx.xx
I need it like this:
TIME - dnsbl.sorbs.net - pGtXI286@amy.com - mar@xx.xx
Your Postfix log format must be different from mine. If you post a few lines from your mail.log here, or link to them on pastebin.com, I can see how the regex needs to change to capture the timestamp correctly.