Postfix Configuration - UCE Controls


Up one level | Basic Configuration | UCE Controls | Rate Controls | Resource Controls | Address Manipulation

Introduction

Postfix offers a variety of parameters that limit the delivery of unsolicited commercial email (UCE).

By default, the Postfix SMTP server will accept mail only from or to the local network or domain, so that your system can't be used as a mail relay to forward bulk mail from random strangers.

The text in this document describes how you can set up more detailed anti-UCE policies that prevent delivery of unwanted email altogether, for example with sendmail-style access lists or with RBL (real-time blackhole list) name servers.

Unless indicated otherwise, all parameters described here are in the main.cf file. If you change parameters of a running Postfix system, don't forget to issue a postfix reload command.

Client name/address restrictions

The smtpd_client_restrictions parameter restricts what clients this system accepts SMTP connections from.

Default:
Allow SMTP connections from any client.

Syntax:
Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order as specified; the first restriction that matches wins.

Examples:
smtpd_client_restrictions = hash:/etc/postfix/access, reject_maps_rbl
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client

Restrictions:
permit
reject
Permit (reject) the request. This restriction is useful at the end of a restriction list, to make the default policy explicit. The reject_code configuration parameter specifies the response code to rejected requests (default: 550).

reject_unknown_client
Reject the request when the client address to name lookup failed. The unknown_client_reject_code parameter specifies the response code to rejected requests (default: 450).

permit_mynetworks
Permit the request when the client address matches any network listed in $mynetworks.

check_client_access maptype:mapname
maptype:mapname
Search the named access database for the client name, parent domains, client address, or networks obtained by stripping least significant octets. Reject if the result is REJECT or "[45]XX text". Permit otherwise. The access_map_reject_code parameter specifies the response code for REJECT results (default: 550).

reject_maps_rbl
Reject the request when the client network address is listed under any of the domains listed in $maps_rbl_domains. The maps_rbl_reject_code parameter specifies the response code for rejected requests (default: 550).

Require HELO (EHLO) command

The smtpd_require_helo parameter determines if clients must send a HELO (EHLO) command at the beginning of an SMTP session. Requiring this will stop some UCE software.

Default:
By default, the Postfix SMTP server does not require the use of HELO (EHLO).

Syntax:
Specify yes or no.

Example:
smtpd_require_helo = yes

HELO (EHLO) hostname restrictions

The smtpd_helo_restrictions parameter restricts what hostnames clients may send with the HELO (EHLO) command. Some UCE software can be stopped by being strict here.
Default:
By default, the Postfix SMTP server accepts any hostname.

Syntax:
Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order as specified; the first restriction that matches wins.

Example:
smtpd_helo_restrictions = reject_invalid_hostname

Restrictions:
permit
reject
Permit (reject) the request. This restriction is useful at the end of a restriction list, to make the default policy explicit. The reject_code configuration parameter specifies the response code to rejected requests (default: 550).

reject_unknown_client
Reject the request when the client address to name lookup failed. The unknown_client_reject_code parameter specifies the response code to rejected requests (default: 450).

permit_mynetworks
Permit the request when the client address matches any network listed in $mynetworks.

reject_invalid_hostname
Reject hostnames with bad syntax. The invalid_hostname_reject_code specifies the response code to rejected requests (default: 501).

permit_naked_ip_address
Permit the request when the client sends a naked IP address without the enclosing [] brackets that the RFC requires. Unfortunately, some popular PC mail clients send HELO greetings in this manner.

reject_unknown_hostname
Reject the request when the hostname has no DNS A or MX record. The unknown_hostname_reject_code specifies the response code to rejected requests (default: 450).

check_helo_access maptype:mapname
maptype:mapname
Search the named access database for the HELO hostname or parent domains in the specified table. Reject if result is REJECT or "[45]XX text". Permit otherwise. The access_map_reject_code parameter specifies the response code for REJECT results (default: 550).

check_client_access maptype:mapname
See client name/address restrictions.

Sender address restrictions

The smtpd_sender_restrictions parameter restricts what sender addresses this system accepts in MAIL FROM commands.

Default:
By default, the Postfix SMTP server accepts any sender address.

Syntax:
Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order as specified; the first restriction that matches wins.

Example:
smtpd_sender_restrictions = reject_unknown_address

Restrictions:
permit
reject
Permit (reject) the request. This restriction is useful at the end of a restriction list, to make the default policy explicit. The reject_code configuration parameter specifies the response code to rejected requests (default: 550).

reject_unknown_client
Reject the request when the client address to name lookup failed. The unknown_client_reject_code parameter specifies the response code to rejected requests (default: 450).

permit_mynetworks
Permit the request when the client address matches any network listed in $mynetworks.

reject_unknown_address
Reject the request when the sender address has no DNS A or MX record. The unknown_address_reject_code parameter specifies the response code for rejected requests (default: 450).

check_sender_access maptype:mapname
maptype:mapname
Search the named access database for the sender address, parent domain, or localpart@. Reject if the result is REJECT or "[45]XX text". Permit otherwise. The access_map_reject_code parameter specifies the result code for rejected requests (default: 550).

check_client_access maptype:mapname
See client name/address restrictions.

check_helo_access maptype:mapname
See HELO hostname restrictions.

Recipient address restrictions

The smtpd_recipient_restrictions parameter restricts what recipient addresses this system accepts in RCPT TO commands.
Default:
By default, the Postfix SMTP server forwards mail from any client that matches $mynetworks or $relay_domains, or to any destination that matches $relay_domains.

Syntax:
Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order as specified; the first restriction that matches wins.

Example:
smtpd_recipient_restrictions = permit_mynetworks, check_relay_domains

Restrictions:
permit
reject
Permit (reject) the request. This restriction is useful at the end of a restriction list, to make the default policy explicit. The reject_code configuration parameter specifies the response code to rejected requests (default: 550).

reject_unknown_client
Reject the request when the client address to name lookup failed. The unknown_client_reject_code parameter specifies the response code to rejected requests (default: 450).

permit_mynetworks
Permit the request when the client address matches any network listed in $mynetworks.

check_relay_domains
Permit the request when the client hostname matches $relay_domains, or when the resolved destination address matches $relay_domains, otherwise reject. The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 550).

permit_mx_backup
Permit the request when the local mail system is MX host for the resolved destination. This includes the case that the local mail system is the final destination. Relevant configuration parameters: $mydestination, $inet_interfaces.

check_recipient_access maptype:mapname
maptype:mapname
Search the named access database for the resolved destination address, parent domain, or localpart@. Reject if the result is REJECT or "[45]XX text". Permit otherwise. The access_map_reject_code parameter specifies the result code for rejected requests (default: 550).

check_sender_access maptype:mapname
See sender address restrictions.

check_client_access maptype:mapname
See client name/address restrictions.

check_helo_access maptype:mapname
See HELO hostname restrictions.

Additional UCE control parameters

maps_rbl_domains
This parameter controls the behavior of the reject_maps_rbl restriction that can appear as part of a client name/address restriction list.

Default:
maps_rbl_domains = rbl.maps.vix.com

Note: RBL lookups are disabled by default.

Syntax:
Zero or more DNS domains that blacklist client addresses. A host is blacklisted when its reversed IP address is listed as a subdomain under any of the domains listed in $maps_rbl_domains.

relay_domains
This parameter controls the behavior of the check_relay_domains restriction that can appear as part of a recipient address restriction list.

Default:
relay_domains = $mydestination, $virtual_maps.

Syntax:
Specify zero or more domain names, /file/name patterns and/or type:name lookup tables, separated by whitespace and/or commas. A /file/name is replaced by its contents; type:name requests that table lookup is done instead of string comparison.

A host or destination address matches $relay_domains when its name or parent domain matches any of the names, files or lookup tables listed in $relay_domains.


Up one level | Basic Configuration | UCE Controls | Rate Controls | Resource Controls | Address Manipulation