Enable and Configure Postscreen in Postfix to Block Spambots

In previous tutorials, we discussed how to set up a mail server from scratch on Linux (Ubuntu version, CentOS/RHEL version). This tutorial is going to show you how to enable and configure Postscreen in Postfix SMTP server. Postscreen is an SMTP filter that blocks spambots (or zombie machines) away from the real Postfix smtpd daemon, so Postfix does not feel overloaded and can process legitimate emails more efficiently.

Note: If you are using iRedMail or Modoboa, then Postscreen is enabled by default on your server. Still, you will learn something new.

Enable and Configure Postscreen in Postfix to Block Spambots

Reducing SMTP Server Overload

By default, Postfix can spawn up to 100 SMTP server processes to handle SMTP client connections. You can check the process limit by running the following command.

postconf default_process_limit

Sample output:

default_process_limit = 100

If spambots are constantly hitting your Postfix SMTP server, then there will be less Postfix SMTP server processes to accept legitimate email messages. And when the number of SMTP clients exceeds the number of Postfix SMTP server processes, other SMTP clients must wait until an SMTP server process becomes available.

By blocking spambots with Postscreen, we can save SMTP server processes for legitimate SMTP clients. Postscreen is designed as a first layer of defense against spammers. It is implemented as a single process listening on port 25 and can handle multiple inbound SMTP connections. It’s fast and lightweight, compared to using other SMTP-level access checks.

Measurements Used By Postscreen Against Spambots

Most spambots have faulty SMTP protocol implementation. Postscreen can take advantage of this fact and use several measurements to block spambots.

  • Pregreet test. If the SMTP client speaks before its turn, stop the connection.
  • Real-time blacklist check. If the SMTP client’s IP address is on a blaclist, such as Spamhaus, stop the connection.
  • Deep protocol test.

Step 1: Enable Postscreen in Postfix

Postscreen is first introduced in Postfix 2.8. If you are using any current Linux distribution, you should have Postfix 3.0 or above. To check your Postfix version, run

postconf mail_version

Sample output:

mail_version = 3.3.0

Edit the Postfix master configuration file.

sudo nano /etc/postfix/master.cf

Comment out the following line (add a # character at the begining of this line).

smtp      inet  n       -       y       -       -       smtpd

Then uncomment the following 4 lines (remove the # character at the beginning of each line).

smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
dnsblog   unix  -       -       y       -       0       dnsblog
tlsproxy  unix  -       -       y       -       0       tlsproxy

Where:

  • The first two lines enables Postscreen. Both Postscreen and the smtpd daemon will be listening on port 25. Postscreen will check the SMTP client first and then pass the connection to smtpd daemon.
  • The dnsblog (DNS Blacklist Logger) service enables logging of DNS blacklist checks.
  • The tlsproxy service enables STARTTLS support for postscreen, so remote SMTP clients can establish encrypted connection when Postscreen is enabled.

Save and close the file. (Don’t restart Postfix just yet.)

postfix enable postscreen

Create Permanent Whitelist/Blacklist

Edit the Postfix main configuration file.

sudo nano /etc/postfix/main.cf

We need to add our own IP addresses to the Postscreen whitelist so that our own SMTP requests won’t be tested by Postscreen (pregreet test, blacklist checking, deep protocol test, etc). Add the following two lines at the end of the file.

postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop

Save and close the file. The permit_mynetworks value will whitelist any IP address listed in the mynetworks parameter. To check the value of mynetworks, run

postconf mynetworks

Sample output:

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

You can also manually add additional IP addresses in the /etc/postfix/postscreen_access.cidr file.

sudo nano /etc/postfix/postscreen_access.cidr

You might want to whitelist your mail server’s public IPv4 and IPv6 address. So I add the following lines in the file. Replace the IP addresses with your own. Note that you need to use the CIDR notation: For a single IPv4 address, add /32 at the end; For a single IPv6 address, add /128 at the end.

#permit my own IP addresses.
130.51.180.110/32             permit
2a0d:7c40:3000:b8b::2/128     permit

If your mail server also runs a VPN server, you may want to add the VPN server’s address to the whitelist. For example, my VPN server uses the 10.10.10.1 private IP address, so I add the following line in the file.

10.10.10.1/32                 permit

If you want to permanently blacklist an IP address, you can do so like below.

12.34.56.78/32                reject

Save and close the file. Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Note: Postscreen listens on port 25 only, so authenticated users from port 587 or 465 won’t be affected by Postscreen.

Postscreen itself also maintains a dynamic whitelist to minimize the delay for legitimate emails, defined by the postscreen_cache_map parameter.

postconf postscreen_cache_map

Sample output:

postscreen_cache_map = btree:$data_directory/postscreen_cache

Each IP address in the dynamic whitelist has a lifetime.

Step 2: Pregreet Test

There is a pregreet test in Postscreen to detect spam. As you may already know, in SMTP protocol, the receiving SMTP server should always declare its hostname before the sending SMTP server does so. Some spammers violate this rule and declare their hostnames before the receiving SMTP server does.

By default, Postscreen enables the pregreet test, but won’t do anything with the test result. As you can see from the following lines in my mail log (/var/log/mail.log or /var/log/maillog), the “PREGREET” text indicates the SMTP client declared its hostname first, but Postscreen still passed the connection to Postfix smtpd daemon.

mail postfix/postscreen[24075]: CONNECT from [156.96.118.171]:62604 to [23.254.225.226]:25
mail postfix/postscreen[24075]: PREGREET 11 after 0.07 from [156.96.118.171]:62604: EHLO User\r\n
mail postfix/smtpd[24076]: connect from unknown[156.96.118.171]
mail postfix/smtpd[24076]: disconnect from unknown[156.96.118.171] ehlo=1 quit=1 commands=2

To reject SMTP clients that violate this rule, edit the Postfix main configuration file.

sudo nano /etc/postfix/main.cf

Add the following line at the end.

postscreen_greet_action = enforce

Save and close the file. Then restart Postfix.

sudo systemctl restart postfix

From now on, Postscreen will stop connection if an SMTP client violate this rule. As you can see the from the following log, Postscreen stopped the connection, so the spammer doesn’t have a chance to harass the smtpd daemon.

mail postfix/postscreen[6471]: CONNECT from [192.241.239.123]:48014 to [23.254.225.226]:25
mail postfix/postscreen[6471]: PREGREET 19 after 0 from [192.241.239.123]:48014: EHLO zg-0131a-136\r\n
mail postfix/postscreen[6471]: DISCONNECT [192.241.239.123]:48014

Postscreen still allow other tests to complete before stopping the connection. If you prefer to drop the connection immediately without doing other tests, use the following setting instead.

postscreen_greet_action = drop

Step 3: Using Public Blacklists & Whitelists

The postscreen_dnsbl_sites parameter can be used to check SMTP client’s IP address against public blacklists (DNSBL). You might be already using Postfix smtpd’s reject_rbl_client to reject an SMTP client if its IP address is on a public blacklist. However, that can cause false positives because an innocent SMTP server’s IP address could be on a blacklist for whatever reason, even if you use permit_dnswl_client to also check against public whitelist (DNSWL).

To reduce false positives, Postscreen allows you to check multiple blacklists and add weight factor to each blacklist. For example, if an IP address is on Spamhaus blacklist, add 3 points; if an IP address is on the BarracudaCentral blacklist, add 2 points. If the combined score is high enough (defined by postscreen_dnsbl_threshold), reject the SMTP client. This scoring system is similar to that of SpamAssassin.

In the following configuration, we set the threshold to 3 points. Spamhaus has weight of 3. BarracudaCentral has weight of 2. SpamCop has weight of 1. If the combined score is equal to or greater than 3, Postscreen would reject the SMTP client.

postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
        zen.spamhaus.org*3
        b.barracudacentral.org=127.0.0.[2..11]*2
        bl.spameatingmonkey.net*2
        bl.spamcop.net
        dnsbl.sorbs.net

We can also use postscreen_dnsbl_sites to check SMTP client’s IP address against public whitelist (DNSWL). If a client’s IP address is on whitelist, add a negative score.

postscreen_dnsbl_sites =
        zen.spamhaus.org*3
        b.barracudacentral.org=127.0.0.[2..11]*2
        bl.spameatingmonkey.net*2
        bl.spamcop.net
        dnsbl.sorbs.net
       swl.spamhaus.org*-4,
       list.dnswl.org=127.[0..255].[0..255].0*-2,
       list.dnswl.org=127.[0..255].[0..255].1*-4,
       list.dnswl.org=127.[0..255].[0..255].[2..3]*-6

If you use Postfix smtpd’s reject_rbl_clientor permit_dnswl_client parameter, you should delete them now, so smtpd daemon won’t perform IP checks again after Postscreen. Postscreen doesn’t check domain name based blacklist/whitelist, so we should continue using reject_rhsbl to perform domain name lookup on public blacklists.

smtpd_recipient_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     ...
     ...
     reject_rhsbl_helo dbl.spamhaus.org,
     reject_rhsbl_reverse_client dbl.spamhaus.org,
     reject_rhsbl_sender dbl.spamhaus.org,

Save and close the Postfix main configuration file. Then restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Note: If see the following message in your mail log, it means the SMTP client’s IP address is not on the whitelist (list.dnswl.org). This is not an error.

warning: dnsblog_query: lookup error for DNS query 161.223.143.185.list.dnswl.org: Host or domain name not found. Name service error for name=161.223.143.185.list.dnswl.org type=A: Host not found, try again

If it’s on the whitelist, the message will look something like this:

postfix/dnsblog[21188]: addr xx.xx.xx.xx listed by domain list.dnswl.org as 127.0.10.0

If an IP address is listed as 127.0.0.255 on list.dnswl.org, like in following message, it means you have reached the query limit. You should run your own local DNS resolver.

postfix/dnsblog[11951]: addr 202.66.174.152 listed by domain list.dnswl.org as 127.0.0.255

Also note that BarracudaCentral Blocklist requires registration, which is free of charge. After creating an account, simply add the IP address of your DNS resolver and you are done.

Running Your own Local DNS Resolver

Note that you should set up a local DNS resolver on your mail server when using public blacklists and whitelists, because most of them have query limit. If you use public DNS resolver like 8.8.8.8, you will likely to reach the query limit sooner than you think.

Some Dead/Closed DNSBL sites

You should not use dead or closed DNSBL sites, or your mail server will reject legitimate emails.

  • dnsbl.njabl.org: has been offline since 2013.
  • dnsbl.ahbl.org: Public access to the list was terminated in 2015.

Step 4: Enable Deep Protocol Tests

There are 3 common deep protocol tests in Postscreen:

  • SMTP pipelining test
  • Non-SMTP command test
  • Bare newline test

Pipelining is an extension to the SMTP protocol. It allows the SMTP client to send multiple SMTP command at once without waiting for response from SMTP server. Postfix supports pipelining by default. To check, use telnet to connect to your mail server.

telnet mail.yourdomain.com 25

Then use the EHLO command to declare your hostname.

EHLO mail.google.com

The SMTP server’s response below indicates it support pipelining.

250-PIPELINING
250-SIZE 157286400
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Then quit the connection.

quit

Some spammers would use command pipeling to issue multiple RCPT TO: commands at once, in order to send spam to multiple recipients in one SMTP session. If the SMTP server doesn’t announce pipelining support, then the SMTP client should not issue multiple commands at once.

Add the following two lines in /etc/postfix/main.cf file to enable pipeling test and reject SMTP clients that fail this test.

postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce

As the name suggests, non-SMTP command test makes Postscreen detect SMTP clients that send non-SMTP commands. Add the following two lines in /etc/postfix/main.cf file to reject such SMTP clients.

postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce

The bare newlines test allows Postscreen to detect SMTP clients that end a line with <LF>, instead of the standard <CR><LF>. Add the following two lines in /etc/postfix/main.cf file to reject such SMTP clients.

postscreen_bare_newline_enable = yes 
postscreen_bare_newline_action = enforce

Save and close the file. Then restart Postfix for the changes to take effect.

sudo systemctl restart postfix

The Greylisting Effect of Deep Protocol Tests

The limitation of deep protocol tests is that Postscreen would disconnect new SMTP clients no matter the tests are passed or not. Postscreen disconnects each client with the following message:

450 4.3.2 Service currently unavailable

And the client must try again later from the same IP address. This is effectively a form of greylisting, so you need to disable other forms of greylisting. For example, if you followed my previous tutorial to use Postgrey as the greylisting policy server, then find the following line in /etc/postfix/main.cf file and comment it out.

check_policy_service inet:127.0.0.1:10023,

Save and close the file. Then restart Postfix.

sudo systemctl restart postfix

How to Minimize Bad User Experience

Greylisting is rather annoying for the end user, as the user has to wait another several minutes for the email to arrive. To minimize this bad experience, there are 3 ways I can think of when using Postscreen deep protocol tests.

  • Create a second MX record that points to the same IP address.
  • If an SMTP client’s IP address is on a public whitelist, skip the deep protocol tests.
  • Use Postwhite to add known good IP addresses to the Postscreen whitelist.

Create a second MX record that points to the same IP address

You can specify more than one MX record for your domain name like below.

Record Type    Name      Mail Server            Priority

MX             @         mail.yourdomain.com     0
MX             @         mail2.yourdomain.com    5

The sender will try the first mail server (with priority 0). If mail.yourdomain.com rejects email by greylisting, then the sender would immediately try the second mail server (with priority 5).

Greylisting in Postscreen doesn’t have a delay time like in Postgrey. If the two mail server hostnames have the same IP address, then when the sender tries the second mail server hostname, the email will be accepted immediately (if all other checks pass) and end users will not notice email delay caused by greylisting.

Note that not all mail servers would immediately try the second MX host. Some mail servers like Gmail would use a different IP address to try again, which of course will be rejected again. Postfix would try the second MX host by default. I don’t know if it’s also the case with Exim. If you run Exim SMTP server, please comment below.

Skip Deep Protocol Tests If an SMTP Client’s IP Address is on a Public Whitelist

Gmail will never retry sending email from the same IP address. However, Gmail’s IP address is on list.dnswl.org. We can tell Postscreen to ignore such SMTP clients. Add the following line in the /etc/postfix/main.cf file to ignore clients whose score is equal to -2 or below.

postscreen_dnsbl_whitelist_threshold = -2

Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

The following message in my mail log indicates Postscreen didn’t perform deep protocol tests and passed the connection to smtpd daemon because Gmail’s IP address is on the public whitelist.

Feb 10 10:31:14 mail postfix/postscreen[16579]: CONNECT from [209.85.166.44]:38543 to [23.254.225.226]:25
Feb 10 10:31:14 mail postfix/dnsblog[16582]: addr 209.85.166.44 listed by domain list.dnswl.org as 127.0.5.0
Feb 10 10:31:15 mail postfix/postscreen[16579]: PASS NEW [209.85.166.44]:38543
Feb 10 10:31:15 mail postfix/smtpd[16639]: connect from mail-io1-f44.google.com[209.85.166.44]

As a matter of fact, most major mailbox providers (Gmail, Hotmail, Outlook, Yahoo Mail, GMX Mail, ProtonMail, etc) are whitelisted on list.dnswl.org. It also includes mail servers in other industries, as can be seen on dnswl.org.

  • 2 – Financial services
  • 3 – Email Service Providers
  • 4 – Organisations (both for-profit [ie companies] and non-profit)
  • 5 – Service/network providers
  • 6 – Personal/private servers
  • 7 – Travel/leisure industry
  • 8 – Public sector/governments
  • 9 – Media and Tech companies
  • 10 – some special cases
  • 11 – Education, academic
  • 12 – Healthcare
  • 13 – Manufacturing/Industrial
  • 14 – Retail/Wholesale/Services
  • 15 – Email Marketing Providers
  • 20 – Added through Self Service without specific category

So using postscreen_dnsbl_whitelist_threshold will help you skip greylisting most of the time.

Using Postwhite

Postwhite is a script written by Steve Jenkins to automatically generate a static IP whitelist for Postscreen by using the published SPF records of known webmailers, social networks, ecommerce providers, and compliant bulk senders. Note that this whitelist would make Postscreen skip all tests (pregreet test, public blacklist/whitelist check, deep protocol tests) for the whitelisted IP addresses, so it will help reduce the load on Postscreen and DNS requests to public blacklists/whitelists.

To use Postwhite, first cd to /usr/local/bin/.

cd /usr/local/bin/

Install git.

sudo apt install git

or

sudo dnf install git

Clone the SPF-Tools and Postwhite Github repository.

sudo git clone https://github.com/spf-tools/spf-tools.git
sudo git clone https://github.com/stevejenkins/postwhite.git

Copy the postwhite.conf file to /etc/.

sudo cp /usr/local/bin/postwhite/postwhite.conf /etc/

Run Postwhite.

sudo /usr/local/bin/postwhite/postwhite

postscreen whitelisting postwhite

The whitelist will be save as /etc/postfix/postscreen_spf_whitelist.cidr. Edit Postfix main configuration file.

sudo nano /etc/postfix/main.cf

Find the following line.

postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr

Add the new whitelist file.

postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr cidr:/etc/postfix/postscreen_spf_whitelist.cidr

Save and close the file. Then restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Edit the root user’s crontab file.

sudo crontab -e

Add the following two lines at the end to regularly update the whitelist.

@daily /usr/local/bin/postwhite/postwhite > /dev/null 2>&1 #Update Postscreen Whitelists
@weekly /usr/local/bin/postwhite/scrape_yahoo > /dev/null 2>&1 #Update Yahoo! IPs for Postscreen Whitelists

Save and close the file. Now if you send an email from Gmail to your own domain email address, and check the mail log, you will find Postscreen doesn’t perform any tests, because the IP address is whitelisted.

Feb 10 13:04:17 mail postfix/postscreen[24895]: CONNECT from [209.85.166.44]:38257 to [23.254.225.226]:25
Feb 10 13:04:17 mail postfix/postscreen[24895]: WHITELISTED [209.85.166.44]:38257
Feb 10 13:04:17 mail postfix/smtpd[26596]: connect from mail-io1-f44.google.com[209.85.166.44]

My Postscreen Configuration in /etc/postfix/main.cf file

postscreen public whitelist

Step 5: Analyze Postfix Logs

Pflogsumm is a great tool to create a summary of Postfix logs. Install it on Ubuntu with:

sudo apt install pflogsumm

On CentOS/RHEL, pflogsumm is provided by the postfix-perl-scripts package.

sudo dnf install postfix-perl-scripts

Use the following command to generate a report for today. (Note that on CentOS/RHEL, the mail log file is /var/log/maillog.)

sudo pflogsumm -d today /var/log/mail.log

Generate a report for yesterday.

sudo pflogsumm -d yesterday /var/log/mail.log

If you like to generate a report for this week.

sudo pflogsumm /var/log/mail.log

To emit “problem” reports (bounces, defers, warnings, rejects) before “normal” stats, use --problems-first flag.

sudo pflogsumm -d today /var/log/mail.log --problems-first

To append the email from address to each listing in the reject report, use --rej-add-from flag.

sudo pflogsumm -d today /var/log/mail.log --rej-add-from

To show the full reason in reject summaries, use --verbose-msg-detail flag.

sudo pflogsumm -d today /var/log/mail.log --rej-add-from --verbose-msg-detail

You can add a cron job to make pflogsumm to send a report to your email address every day.

sudo crontab -e

Add the following line, which will generate a report every day at 4:00 AM.

0 4 * * * /usr/sbin/pflogsumm -d yesterday /var/log/mail.log --problems-first --rej-add-from --verbose-msg-detail -q

To receive the report via email, add the following line above all cron jobs.

MAILTO="[email protected]"

You should pay attention to the message reject detail section, where you can see for what reason those emails are rejected and if there’s any false positives. Greylisting rejections are safe to ignore. The following screenshot indicates that the SMTP client failed Postscreen deep protocol tests.

postscreen deep protocol tests

If the MAILTO variable has already been set but you want Postfix log summary sent to a different email address, you can put the following line in your Cron job.

0 4 * * * /usr/sbin/pflogsumm -d yesterday /var/log/mail.log --problems-first --rej-add-from --verbose-msg-detail -q | mutt -s "Postfix log summary"  [email protected]

The output of pflogsumm command is redirected to mutt, a command line mail user agent, which will use the output as the email body and send it to the email address you specify at the end. You need to install mutt on your Linux server.

sudo apt install mutt

or

sudo dnf install mutt

Postfix Reverse DNS Lookup Error on CentOS/RHEL

If your Postfix SMTP server runs on CentOS/RHEL, then it might not be able to perform reverse DNS lookup after Postscreen is enabled. In this case, an IP address that has PTR record will still be identified as unknown in Postfix log (/var/log/maillog).

postfix/smtpd[14734]: connect from unknown[23.254.225.226]

To fix this, we need to copy libraries needed for reverse DNS lookup inside the chroot environment.

sudo mkdir /var/spool/postfix/lib64

sudo cp -vl /usr/lib64/libnss_* /var/spool/postfix/lib64

Then restart Postfix.

sudo systemctl restart postfix

/var/spool/postfix/etc/resolv.conf  and /etc/resolv.conf differ on Debian/Ubuntu

You should set up a DNS resolver on your mail server when using public blacklists and whitelists. However, you might see the following error in /var/log/mail.log on Debian/Ubuntu servers after installing a DNS resolver.

/var/spool/postfix/etc/resolv.conf and /etc/resolv.conf differ

Postfix checks the /var/spool/postfix/etc/resolv.conf file to determine which DNS resolver to use. You should not edit this file directly, because it will be overwritten when the server reboots.

To make sure the content in /var/spool/postfix/etc/resolv.conf  and /etc/resolv.conf are the same, do the following.

Enabled named-resolvconf.service and systemd-resolved.service.

sudo systemctl enable named-resolvconf.service systemd-resolved.service

Then create a directory for Postfix to store your customizations.

sudo mkdir -p /etc/systemd/system/postfix.service.d/

Create a start.conf file.

sudo nano /etc/systemd/system/postfix.service.d/start.conf

Add the following two lines in this file.

[Unit]
After=systemd-resolved.service named-resolvconf.service

Save and close the file.

This way, postfix.service will start after named-resolvconf.service and systemd-resolved.service.

You can also create the following Cron job to set the DNS resolver to 127.0.0.1.

* * * * * echo "nameserver 127.0.0.1" | tee /var/spool/postfix/etc/resolv.conf > /dev/null

Wrapping Up

I hope this tutorial helped you use Postscreen to block spambots. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂

Rate this tutorial
[Total: 20 Average: 5]

29 Responses to “Enable and Configure Postscreen in Postfix to Block Spambots

  • Not bad for a girl. Joking aside. This is one of the most complete tutorials on the subject. Very well done.

    Tiny bit more info on postscreen_dnsbl_whitelist_threshold might be useful. I didn’t get why it doesn’t have its own _sites = at first.

  • bornemisza
    4 years ago

    I’m appreciate every details! Still the best tutorials 🙂

    Ps: Rejection rate moved from 49% to 71% which is very cool. Plus the pflogsumm tool is great!

  • bornemisza
    4 years ago

    I started to use the pflogsumm with crontab email reporting. The email address is defined in crontab just as you mentioned, but I receive the reports on [email protected] address and not on the defined one. Can you give me a suggestion where to start the debugging?

    • Xiao Guoan (Admin)
      4 years ago

      [email protected] is the From address. That’s not an error.

      • bornemisza
        4 years ago

        Currently the [email protected] is both From and To address. I receiving the email on my [email protected] which connected to unix user maybe? Akward situation.

        Return-Path:
        Delivered-To: [email protected]
        Received: from mail.domain.tld
        by mail.domain.tld with LMTP id CEvgCDKlrF9qJAAA2LupqA
        for ; Thu, 12 Nov 2020 04:00:02 +0100
        Received: by mail.domain.tld (Postfix)
        id 0146343A1F; Thu, 12 Nov 2020 04:00:02 +0100 (CET)
        Delivered-To: [email protected]
        Received: by mail.domain.tld (Postfix, from userid 0)
        id D2AF743A20; Thu, 12 Nov 2020 04:00:01 +0100 (CET)
        From: [email protected] (Cron Daemon)
        To: [email protected]
        Subject: Cron /usr/sbin/pflogsumm -d yesterday /var/log/mail.log –problems-first –rej-add-from –verbose-msg-detail -q

    • Xiao Guoan (Admin)
      4 years ago

      You can try using mutt to send emails. Put the following line in your Cron job.

      0 4 * * * /usr/sbin/pflogsumm -d yesterday /var/log/mail.log --problems-first --rej-add-from --verbose-msg-detail -q | mutt -s "Postfix log summary"  [email protected]

      The output of pflogsumm command is redirected to mutt, a command-line mail user agent, which will use the output as the email body and send it to the email address you specify at the end. You need to install mutt on your Linux server.

      sudo apt install mutt

      or

      sudo dnf install mutt
      • bornemisza
        4 years ago

        Thank you very much of your fast response and your described suggestion! Solved my problem 🙂

  • Hello Xiao,

    Thank You so much for this tutorial….

    Is there a similar scheme for the 587 port bots spammers ?


    Kindest Regards,
    Ale

  • PerPlex
    3 years ago

    Hello Xiao,

    First I want to thank you, I am a trainee for a little hosting provider and since there is a lot of self paced training your Tutorials learned me a lot!!!

    I ran through your whole guide and Installed up to now Postfix, Dovecot, Postgrey, Postfixadmin, SPF/DKIM, DMARC, Spamassassin, ClamAV and Amavis.

    But now I am stuck at the very last step the Postscreen configuration.

    For this I have two major questions:

    1. How do I configure the Public Blacklists & Whitelists?

    Sry for the stupid question but I totally get that I have to add these lines into the configuration file (right? 😀 ) but I do not really get which configuration file.

    I didnt had time today to just trail n error but do I have to edit this in /etc/postfix/main.cf ?

    2. Why do I not recieve mails from my Outlook mail ?

    Ive tried a bit and my AOL mail is working fine but I can not get my outlook mails throug the postscreen it always says:

    450 4.3.2 Service currently unavailable

    I hope you can help me with that.

    Thanks in advance

    • Xiao Guoan (Admin)
      3 years ago

      1. Yes, you need to add those lines in /etc/postfix/main.cf file.
      2. If you add the following line /etc/postfix/main.cf file you should be able to receive emails from Outlook.

      postscreen_dnsbl_whitelist_threshold = -2

      Use the 3 tips I mentioned in “How to Minimize Bad User Experience” section.

  • Jose Pascoal
    3 years ago

    I have a problem after doing this tutorial, the emails were rejected with the following logs:

    NOQUEUE: reject: RCPT from unknown[209.85.208.48]: 450 4.7.1 : Helo command rejected: Host not found;
    NOQUEUE: reject: RCPT from unknown[209.85.208.47]: 450 4.7.1 Client host rejected: cannot find your reverse hostname;

    I think it is a problem with dns querys, but I followed your tutorials and my dns is queriying well.

    • Xiao Guoan (Admin)
      3 years ago

      What’s your operating system? Have you tried the method descried in “Postfix Reverse DNS Lookup Error on CentOS/RHEL” at the end of this article?

      • Jose Pascoal
        3 years ago

        I’m using my own dns but they are in other virtual machine, maybe is because of that.

      • Jose Pascoal
        3 years ago

        I found a solution, in section: Postfix Reverse DNS Lookup Error on CentOS/RHEL, i had to do an additional step:

        I had to copy the file /etc/resolv.conf to /var/spool/postfix/etc/

  • Messages from Gmail don’t come through for me, and I get the following logs:

        Jul 20 10:04:48 localhost postfix/postscreen[26653]: CONNECT from [2a00:1450:4864:20::230]:36446 to [my-server-ip]:25
        Jul 20 10:04:48 localhost postfix/dnsblog[26656]: warning: dnsblog_query: lookup error for DNS query 0.3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.list.dnswl.org: Host or domain name not found. Name service error for name=0.3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.list.dnswl.org type=A: Host not found, try again
        Jul 20 10:04:54 localhost postfix/tlsproxy[26659]: CONNECT from [2a00:1450:4864:20::230]:36446
        Jul 20 10:04:54 localhost postfix/tlsproxy[26659]: Anonymous TLS connection established from [2a00:1450:4864:20::230]:36446: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
        Jul 20 10:04:54 localhost postfix/postscreen[26653]: NOQUEUE: reject: RCPT from [2a00:1450:4864:20::230]:36446: 450 4.3.2 Service currently unavailable; from=, to=, proto=ESMTP, helo=
        Jul 20 10:04:54 localhost postfix/postscreen[26653]: PASS NEW [2a00:1450:4864:20::230]:36446
        Jul 20 10:04:54 localhost postfix/tlsproxy[26659]: DISCONNECT [2a00:1450:4864:20::230]:36446
        Jul 20 10:04:54 localhost postfix/postscreen[26653]: DISCONNECT [2a00:1450:4864:20::230]:36446
        Jul 20 10:04:58 localhost postfix/anvil[26630]: statistics: max connection rate 1/60s for (submission:37.191.230.4) at Jul 20 10:01:37
        Jul 20 10:04:58 localhost postfix/anvil[26630]: statistics: max connection count 1 for (submission:37.191.230.4) at Jul 20 10:01:37
        Jul 20 10:04:58 localhost postfix/anvil[26630]: statistics: max cache size 1 at Jul 20 10:01:37
    

    However, I am able to receive messages from some non-gmail accounts.

    • Xiao Guoan (Admin)
      2 years ago

      I recommend disabling IPv6 in Postfix, as the IPv6 address of Gmail isn’t on the dnswl.org whitelist.

  • Linuxdude
    2 years ago

    I wonder if creating a second MX record that points to the same IP address does make sense,
    since i can only set one PTR record per IP (so only mail.yourdomain.com would have a PTR record)?

    • Xiao Guoan (Admin)
      2 years ago

      PTR record is a record for IP address. A hostname like mail.yourdomain.com doesn’t have PTR record.

      An IP address should have only one PTR record. You don’t need to create another PTR record. PTR works when your mail server sends email, it doesn’t affect receiving email from other SMTP servers.

  • Łukasz
    2 years ago

    Hi

    Thank You for great HowTO .
    I have question about this DNSBLs :

    bl.spameatingmonkey.net
    bl.spamcop.net
    dnsbl.sorbs.net

    Are they still good option to implement to postscreen ? Are they usable this days ? I’m aware if they are some kind of scam like uceprotect ?

  • Thanks for this tutorial.
    I have finally moved on from step 3 and completed everything, with a few hickups. one issue i now have is the cron jobs are not working. sending the emails. I can’t seem to find anything in the mail.log relating to an attempt to send.
    I have set the job as listed, the active job is set to go to a user already setup. the disabled job was tested on an external email account. no joy
    I tried running the jobs using MUTT (installed) nothing happened. I have also tried the cron job as using a suggestion by another post using /usr/bin/perl (nothing sent)

    this was run as acommand

      sudo /usr/sbin/pflogsumm -d yesterday /var/log/mail.log --problems-first --rej-add-from --verbose-msg-detail -q | mutt -s "postfix summary" [email protected] 

    Cron

     MAILTO="[email protected]"
    30 6 * * * /usr/sbin/pflogsumm -d yesterday /var/log/mail.log --problems-first --rej-add-from --verbose-msg-detail -q
    #30 6 * * * /usr/bin/perl /usr/sbin/pflogsumm -d yesterday /var/log/mail.log --problems-first --rej-add-from --verbose-msg-detail -q
    #30 6 * * * /usr/sbin/pflogsumm -d yesterday /var/log/mail.log --problems-first --rej-add-from --verbose-msg-detail -q | mutt -s "Postfix log summary" [email protected] 
    • I have answered my own post.
      there is a missing switch in the cron job using MUTT
      you need to add -y to the end of the command.
      Hope this helps someone

      from

       0 4 * * * /usr/sbin/pflogsumm -d yesterday /var/log/mail.log --problems-first --rej-add-from --verbose-msg-detail -q | mutt -s "Postfix log summary"  [email protected] 

      to

       0 4 * * * /usr/sbin/pflogsumm -d yesterday /var/log/mail.log --problems-first --rej-add-from --verbose-msg-detail -q | mutt -s "Postfix log summary"  [email protected]  -y 
  • Russell Heaton
    1 year ago

    Hi Xiao. To set up an account with barracuda.org, one has to register the DNS server addresses that they expect queries from my mail server to emanate from. So, if we go further into the tutorial you recommend setting up our own DNS resolver which won’t have a public IP. How can we do both? How can we direct queries to barracuda.org while having a DNS resolver that has no public network IP address?
    Russ

    • Russell Heaton
      1 year ago

      domain for Barracuda should read “barracudacentral.org”

  • Lukasz
    1 year ago

    dig +short @1.1.1.1 2.0.0.127.swl.spamhaus.org TXT
    “This list is no longer in operation, please deconfigure it.

    any good whitelists ?

  • I Create a second MX record that points to the same IP address after following your tutorial here, but I am still having issues receiving emails (mostly automated confirmation emails to verify my email address when signing up for a service) that are discarded/rejected. It seems like the sender is not utilizing the MX record with priority 5 and I’m wondering why that could be. Is it because I have set up my system (per your instructions) to use “DISCARD” instead of “REJECT”? As of now, I am having to look at my logs, and manually whitelist the sender address that is being rejected, which is super tedious and takes time. Is there a way to FIX the sender to utilize the second MX record that I created in an attempt to resend their email?

  • Anderson Koh
    7 months ago

    Hi Xiao Guoan,

    Lately my server have spam zombie/spambot (Sorry not sure what’s the different), anyway they passthrough my config and send massive email to people. So I take a look at my main.cf and try to understand what is missing and reference from your config with official postfix docs.

    Then halfway I’m confused by your config because some config were not appeared in the related section. I not sure if yours config will work in the different restriction which I believe yes because no one had complaint or asked and no erros on mail.log.

    Out of my curiosity, will it work as expected? And some configs are actually implicit with other configs which looks like redundant.

    Example confusion:

    smtp_recipient_restriction =
        ...
        ...
        reject_rhsbl_helo dbl.spamhaus.org,
        ...
    

    Where

    reject_rhsbl_helo dbl.spamhaus.org

    suppose in

    smtpd_helo_restriction

    that found in the official Postfix doc.

    Example configs are actually implied:

    check_recipient_access hash:/etc/postfix/recipient_access
    # Is implied with reject_unknown_client (even the recipient_access is empty).
    

    Also do you suggest to have these config for extra protection after spammer have all this event?

    smtpd_error_sleep_time = 1s
    smtpd_soft_error_limit = 3
    smtpd_hard_error_limit = 2
    smtpd_client_connection_count_limit = 2
    smtpd_client_connection_rate_limit = 2
    smtpd_client_new_tls_session_rate_limit = 2
    

    Thanks in advance!

  • Is there a reason why you do not use `postscreen_whitelist_interfaces` to deny connections that try to send through the secondary? Setting up an MX record that points to the same address feels a bit unnecessary in comparison.

    • Ah, I see – it’s because you’d need to set up an interface on the primary. OK.

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community (https://community.linuxbabe.com) for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.

The maximum upload file size: 2 MB. You can upload: image. Links to YouTube, Facebook, Twitter and other services inserted in the comment text will be automatically embedded. Drop file here