7

How to enable RBL filters in postfix?

My current configuration:

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit
  -o receive_override_options=no_header_body_checks,no_address_mappings
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

The mails are being sent and received.

When I add:

reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net

Thunderbird loops forever during sending and nothing happens. /var/log/mail.* are empty.

Sfisioza

2 Answers

10

Your reject_rbl_client declaration goes into the smtpd_recipient_restrictions declaration found in main.cf. For my CentOS machines, that's in /etc/postfix/. The code you posted tends to show up in master.cf. That's a different file altogether.

This is what my smtpd_recipient_restrictions definition looks like:

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unauth_pipelining,
        check_client_access hash:/etc/postfix/rbl_override,
        reject_unknown_reverse_client_hostname,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_invalid_hostname,
        check_client_access hash:/etc/postfix/client_checks,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client dnsbl.sorbs.net,
        check_policy_service unix:private/policy,
        permit
David W
  • Keep in mind that many of the clients (like Barracuda Central) require that you register the public IP address of the server before usage. Some of them may not be free for your type of usage. – Miloš Đakonović Dec 01 '17 at 10:40
  • Very good point. I should have thought to include that. – David W Dec 03 '17 at 16:46
  • `reject_unknown_client_hostname` "...This is a stronger restriction than the reject_unknown_reverse_client_hostname feature..." – dstonek Feb 16 '19 at 23:14
  • David, how are you using rbl_override and client_checks (what purpose)? Can you extend your question with a couple of samples and a brief description? – KJ7LNW Oct 18 '21 at 18:51
7

As the others said, you put reject_rbl_client in the wrong place. Set it on the smtpd line in master.cf or in main.cf.

If your Postfix is version 2.8 or higher, you can put the RBL checking in postscreen. You can get more info on the Postscreen Howto page.

For example, the equivalent config of

reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net

in postscreen terms is

postscreen_dnsbl_sites = sbl-xbl.spamhaus.org, bl.spamcop.net
postscreen_dnsbl_action = enforce

Some considerations on where to put the RBL check: smtpd_*_restriction or postscreen

Postscreen Pros

  • Checks before any SMTP transaction because the input is only the IP address
  • Uses a caching mechanism when the IP address isn't found in the RBL
  • Supports weighted scores for DNSBL sites (for example, if your internal RBL is more trusted than the Spamhaus RBL, then you can put postscreen_dnsbl_sites = internal.rbl.example.com*3, spamhaus.org)
  • Weight can be a negative value to get the same effect as permit_dnswl_client

Postscreen Cons

See Sebix's answer to this question and a thread on the Postfix mailing list

masegaloeh
  • I'm currently researching a better postscreen implementation than the default, and I just stumbled upon this answer. Then I noticed that I answered this very same question! As of today, I've moved all of my RBL rules from smtpd_recipient_restrictions into postscreen. I've upvoted your answer. Thanks! :) – David W Feb 14 '17 at 11:34
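
The weighted scoring described in the postscreen answer above, as an added example that is not part of the original answers or of Postfix itself: it builds the DNSBL query name for a client IP, sums the per-list weights, and compares the total with postscreen_dnsbl_threshold (default 1). The DNS answers, the whitelist zone wl.example.org and all function names are constructed for illustration.

```python
import ipaddress

def dnsbl_query_name(client_ip, zone):
    """Name a DNSBL client looks up: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def parse_dnsbl_sites(value):
    """Parse 'domain[*weight], ...' into {domain: weight}; a missing weight means 1.
    The optional '=filter' part of the real postscreen syntax is not handled here."""
    sites = {}
    for item in value.replace(",", " ").split():
        domain, _, weight = item.partition("*")
        sites[domain] = int(weight) if weight else 1
    return sites

def decide(client_ip, sites_value, is_listed, threshold=1):
    """Sum the weights of every list that returns a record; block at >= threshold."""
    sites = parse_dnsbl_sites(sites_value)
    score = sum(w for zone, w in sites.items()
                if is_listed(dnsbl_query_name(client_ip, zone)))
    return ("reject" if score >= threshold else "pass", score)

# Constructed postscreen_dnsbl_sites value: a trusted internal list (weight 3),
# a public list (default weight 1) and a hypothetical whitelist (negative weight).
SITES = "internal.rbl.example.com*3, bl.spamcop.net, wl.example.org*-2"

# Constructed stand-in for DNS: the set of names that would return an A record.
LISTED = {
    "10.2.0.192.internal.rbl.example.com",
    "10.2.0.192.bl.spamcop.net",
    "7.100.51.198.bl.spamcop.net",
    "7.100.51.198.wl.example.org",
}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, decide(ip, SITES, LISTED.__contains__))
```

The second client is on a blocklist and on the whitelist, so the negative weight pulls its score below the threshold and it passes.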