@farrokhi
Last active July 22, 2021 04:07
Current Effective RBL Setup for Postfix

main.cf:

    smtpd_recipient_restrictions =
      permit_mynetworks,
      permit_sasl_authenticated,
      reject_non_fqdn_hostname,
      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      reject_unauth_destination,
      reject_unauth_pipelining,
      reject_invalid_hostname,
      reject_rbl_client bl.spamcop.net,
      reject_rbl_client cbl.abuseat.org,
      reject_rbl_client dnsbl.sorbs.net,
      reject_rbl_client zen.spamhaus.org
@zerefdev

zerefdev commented May 2, 2018

@farrokhi
zen.spamhaus.org is not working

    May 2 17:47:14 XXXXX postfix/smtpd: warning: 173.216.85.209.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=173.216.85.209.zen.spamhaus.org type=A: Host not found, try again
    May 2 17:54:25 XXXX postfix/smtpd: warning: 161.194.254.51.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=161.194.254.51.zen.spamhaus.org type=A: Host not found, try again

dnsbl.sorbs.net rejects mails coming from Gmail servers.
I used warn_if_reject to find out who was blocking gmail, and:

    May 2 17:47:14 XXXX postfix/smtpd[]: NOQUEUE: reject_warning: RCPT from mail-qt0-f173.google.com[209.85.216.173]: 554 5.7.1 Service unavailable; Client host [209.85.216.173] blocked using dnsbl.sorbs.net; Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?209.85.216.173; from=<xxxxxxxxxxxxx@gmail.com> to=<contact@xxxxxxxxxxxx.com> proto=ESMTP helo=<mail-qt0-f173.google.com>
    May 2 20:04:57 XXXX postfix/smtpd[]: NOQUEUE: reject_warning: RCPT from mail-qt0-f179.google.com[209.85.216.179]: 554 5.7.1 Service unavailable; Client host [209.85.216.179] blocked using dnsbl.sorbs.net; Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?209.85.216.179; from=<xxxxxxx.x@gmail.com> to=<contact@xxxxxxxxxx.com> proto=ESMTP helo=<mail-qt0-f179.google.com>
    May 2 20:16:20 XXXX postfix/smtpd[]: NOQUEUE: reject: RCPT from mail-it0-f44.google.com[209.85.214.44]: 554 5.7.1 Service unavailable; Client host [209.85.214.44] blocked using dnsbl.sorbs.net; Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?209.85.214.44; from=<xxxxxxxxxxxxxxx@gmail.com> to=<xxxxxxxxxxx@xxxxxxxx.com> proto=ESMTP helo=<mail-it0-f44.google.com>
    May 2 20:17:22 XXXX postfix/smtpd[6800]: NOQUEUE: reject: RCPT from mail-io0-f174.google.com[209.85.223.174]: 554 5.7.1 Service unavailable; Client host [209.85.223.174] blocked using dnsbl.sorbs.net; Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?209.85.223.174; from=<xxxxxxxxxxxx@gmail.com> to=<contact@xxxxxxxxxxx.com> proto=ESMTP helo=<mail-io0-f174.google.com>
    May 2 20:18:34 XXXX postfix/smtpd[]: NOQUEUE: reject_warning: RCPT from mail-io0-f182.google.com[209.85.223.182]: 554 5.7.1 Service unavailable; Client host [209.85.223.182] blocked using dnsbl.sorbs.net; Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?209.85.223.182; from=<xxxxxxxxxxx@gmail.com> to=<contact@xxxxxxxxxxxxx.com> proto=ESMTP helo=<mail-io0-f182.google.com>
    May 2 20:24:43 XXXX postfix/smtpd[]: NOQUEUE: reject_warning: RCPT from mail-io0-f181.google.com[209.85.223.181]: 554 5.7.1 Service unavailable; Client host [209.85.223.181] blocked using dnsbl.sorbs.net; Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?209.85.223.181; from=<xxxxxxxxxxxxxx@gmail.com> to=<contact@xxxxxxxxxxx.com> proto=ESMTP helo=<mail-io0-f181.google.com>
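
A `warn_if_reject` trial like the one in the comment above can be tallied from the mail log before a list is enforced, separating real rejects, warn-only hits and DNSBL lookup failures per zone. This is an added example, not part of the original gist or its comments; the sample log lines, hostnames and zone names are constructed, and `summarize` is a hypothetical helper.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the Postfix smtpd messages quoted above
# (hosts, addresses and zones are placeholders, not real listings).
SAMPLE_LOG = """\
May 2 10:00:01 mx postfix/smtpd[101]: NOQUEUE: reject_warning: RCPT from a.example.net[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using dnsbl.example.org; listed; from=<a@example.net> to=<b@example.com> proto=ESMTP helo=<a.example.net>
May 2 10:00:05 mx postfix/smtpd[102]: NOQUEUE: reject: RCPT from c.example.net[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using dnsbl.example.org; listed; from=<c@example.net> to=<b@example.com> proto=ESMTP helo=<c.example.net>
May 2 10:00:09 mx postfix/smtpd[103]: warning: 7.100.51.198.zen.example.org: RBL lookup error: Host or domain name not found. Name service error for name=7.100.51.198.zen.example.org type=A: Host not found, try again
May 2 10:00:12 mx postfix/smtpd[104]: NOQUEUE: reject_warning: RCPT from a.example.net[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using dnsbl.example.org; listed; from=<a@example.net> to=<b@example.com> proto=ESMTP helo=<a.example.net>
"""

# "reject" is enforced; "reject_warning" is what warn_if_reject logs instead.
BLOCK_RE = re.compile(
    r"NOQUEUE: (reject(?:_warning)?): RCPT from (\S+)\[([0-9a-fA-F.:]+)\]: "
    r".*? blocked using ([\w.-]+);"
)
ERROR_RE = re.compile(r"warning: ((?:\d{1,3}\.){4})([\w.-]+): RBL lookup error")


def summarize(log_text):
    """Return (per-zone block stats, per-zone lookup-error client IPs)."""
    stats = defaultdict(lambda: {"reject": 0, "reject_warning": 0, "clients": set()})
    errors = defaultdict(list)
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            action, host, ip, zone = m.groups()
            stats[zone][action] += 1
            stats[zone]["clients"].add((host, ip))
            continue
        m = ERROR_RE.search(line)
        if m:
            reversed_ip, zone = m.groups()
            # DNSBL queries reverse the IPv4 octets; undo that to get the client IP.
            client_ip = ".".join(reversed(reversed_ip.rstrip(".").split(".")))
            errors[zone].append(client_ip)
    return dict(stats), dict(errors)


if __name__ == "__main__":
    stats, errors = summarize(SAMPLE_LOG)
    for zone, s in stats.items():
        print(f"{zone}: {s['reject']} rejected, {s['reject_warning']} warn-only, "
              f"{len(s['clients'])} distinct clients")
    for zone, ips in errors.items():
        print(f"{zone}: {len(ips)} lookup error(s) for {', '.join(ips)}")
```

A zone that shows only lookup errors is returning no verdicts at all, which is a different problem from a zone that lists legitimate senders.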

@PanCakeConnaisseur

reject_non_fqdn_hostname was replaced with reject_non_fqdn_helo_hostname since Postfix 2.3

@siniztr

siniztr commented Jul 21, 2018

For zen.spamhaus.org you need to register an account and give them the IP and/or hostname for the mail server in use. If you don't do so, it will not allow you to use the service. I use zen.spamhaus.org and it works fine.

@tuaris

tuaris commented Aug 8, 2018

@siniztr Is that new? If so, how do I do that? I do not see the option anywhere on the site.

@amroot

amroot commented Sep 27, 2018

@farrokhi Just FYI, I think cbl.abuseat.org is included in zen.spamhaus.org.

@siniztr and @tuaris, I could be wrong but I believe that's only for commercial and high volume usage.
Reference: https://www.spamhaus.org/organization/dnsblusage/
Signup if necessary: https://www.spamhaustech.com

Note that some of my test servers use Zen without any signup.

@diraven

diraven commented Oct 1, 2018

Read here about zen and its free usage requirements: https://www.spamhaus.org/zen/

@xpufx

xpufx commented Mar 4, 2020

Isn't it better to use postscreen and take care of the RBL stuff there?

@tuaris

tuaris commented Sep 12, 2020

I'm not sure if this is done with Postfix, but I would like to see if it's possible (when using dovecot) to have postfix deliver mail from blocked hosts to a junk/spam folder.

@oktayaa the postscreen thing looks interesting. Is there an example setup to look at?

@xpufx

xpufx commented Sep 12, 2020

@tuaris I believe I used this as a reference. It also has a link to the documentation you need at the top.
http://rob0.nodns4.us/postscreen.html

@raforg

raforg commented Jul 22, 2021

cbl.abuseat.org should be removed. If it still works at all, it's a subset of zen.spamhaus.org, so it's a wasteful DNS lookup. See https://www.abuseat.org/cutover.html for details.

Also, for postscreen documentation, see http://www.postfix.org/POSTSCREEN_README.html (or http://www.postfix.org/POSTSCREEN_3_5_README.html for older versions).
