dnsbl.net.au Helping you block invalid E-mail


Postfix Setup

Postfix has many anti-UCE features and many different ways of setting them up. This page describes one way to get Postfix to query the dnsbl.net.au Blackhole list.

Using dnsbl.net.au to reject clients (remote server)

First we need to tell the smtpd program that we have a set of restrictions on which clients (remote servers, by IP address or hostname) we will accept email from. This is done using the configuration line smtpd_client_restrictions. The following is put into the Postfix configuration file main.cf.

Example:
smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/access_clientip, reject_rbl_client t1.dnsbl.net.au

Restrictions
permit_mynetworks
Permit your local networks to bypass all checks. The addresses are taken from the $mynetworks setting.
check_client_access hash:/etc/postfix/access_clientip
Look up the access database for a match on hostname or IP address, see below for details. The filename is not important.
reject_rbl_client t1.dnsbl.net.au
Look up the IP address in the Blackhole List t1.dnsbl.net.au.

The access file solves two problems with using any BL. The first is that you probably have a set of known "good" mailservers that you always want to receive email from and it is a waste of resources to continuously check this list. The second problem is you may have a list of servers you know are always "bad" and to reduce the load on the dnsbl.net.au servers you can just statically put them in a local list. Servers that make my static list are ones that continuously hammer my mail server with spam, usually from places like China and Russia.

The format of the access file is described in the access database documentation on the Postfix site, but it usually looks like this:

192.168.1.2 OK
10.1.2.3    REJECT

This assumes that 192.168.1.2 is a known "good" server and 10.1.2.3 is a known "really bad" server.
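
The following sketch is an added example, not part of the original page or of Postfix. It models how the three client restrictions above are evaluated left to right, so that an access-file match decides the outcome before any DNS query goes to t1.dnsbl.net.au. The network 127.0.0.0/8, the test addresses and all function names are constructed for illustration; only IPv4 addresses are handled and hostname keys are left out.

```python
import ipaddress
import socket

ZONE = "t1.dnsbl.net.au"  # list used by reject_rbl_client on this page
ACCESS_TEXT = """\
# constructed copy of the two access-file entries shown above
192.168.1.2 OK
10.1.2.3    REJECT
"""

def parse_access(text):
    """Return {key: ACTION}; blank lines and lines starting with '#' are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            table[fields[0]] = fields[1].upper()
    return table

def access_lookup(table, ip):
    """Try the full address, then shorter prefixes (subnet keys such as 10.1.2)."""
    parts = ip.split(".")
    keys = [".".join(parts[:n]) for n in range(len(parts), 0, -1)]
    return next((table[k] for k in keys if k in table), None)

def dnsbl_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dns_listed(name):
    """Real lookup: any A record means the client is listed (needs network access)."""
    try:
        return bool(socket.gethostbyname(name))
    except socket.gaierror:
        return False

def check_client(ip, mynetworks, table, listed=dns_listed):
    """Walk the restrictions in order; the first one that decides wins."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in mynetworks):
        return "permit", "permit_mynetworks"
    action = access_lookup(table, ip)
    if action in ("OK", "REJECT"):
        return ("permit" if action == "OK" else "reject"), "check_client_access"
    if listed(dnsbl_name(ip)):
        return "reject", "reject_rbl_client " + ZONE
    return "permit", "end of list"
```

On a real server the access file is a hash: table, so it has to be rebuilt with postmap /etc/postfix/access_clientip after each edit before Postfix sees the change.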

Rejecting sender's address

Next you may want to reject email based upon what the sender's domain is. This way if you get too much spam from joe@example.com you can reject all email from example.com. Rejecting email this way uses the smtpd_sender_restrictions configuration parameter.

Example:
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/access_sender, reject_rhsbl_sender rddb.dnsbl.net.au, reject_rhsbl_sender endn.dnsbl.net.au, permit

Restrictions
permit_mynetworks
Permit my local networks, defined by the $mynetworks value.
check_sender_access hash:/etc/postfix/access_sender
Check sender domain against an access database, see below for details. The filename is not important.
reject_rhsbl_sender rddb.dnsbl.net.au
reject_rhsbl_sender endn.dnsbl.net.au
Check the sender's domain against the two blackhole lists.
permit
As the name implies, pass this check if nothing else matches.

Like the client restrictions, there is an access database to bypass lookups. However, in the case of a sender domain you can easily fake what email address you are sending email from, which means putting in known good email domains is generally a bad idea. I only place known bad domains in this access list.

Some people add the restrictions reject_non_fqdn_sender and reject_unknown_sender_domain, which reject email that is from a badly formed domain (e.g. user@mycomputer) or from a domain with no A or MX record. If you want these extra restrictions, put them after the access file but before the reject_rhsbl_sender lines.

Note that reject_unknown_sender_domain returns a 450 error code to the sending server, which means, roughly, "try again later". The result is that the spam server will keep hammering your mail server until the email expires, which can take a few days.



dnsbl.net.au abuse [at] dnsbl [dot] net [dot] au