rob0's postscreen(8) configuration

BIG FAT WARNING

The purpose of this document is to supplement, but not to replace, the Postfix Postscreen Howto, by showing a real-world example of what can be done with DNSBL scoring.

The DNSBL sites and scores I use are ones I can recommend for general usage. But in all cases, one should never use a DNSBL unless one is familiar with its policies: purpose, listing, removal, and usage. Links are provided inline for your convenience.

Check those links!!

If you had followed the previous version of this document without checking the DNSBL sites, you would have had a crippled mail server, because one of the sites I used in 2013 was closed in 2014, with a wildcard listing added in 2015.

The sample configuration below requires Postfix 2.11+, and in fact I highly recommend staying with the latest stable release. Do not complain to me if you're on 2.10, 2.9 or earlier. Upgrade.

Postscreen usage generally precludes the use of port 25 for users' mail submission, especially with the after-220 or "deep protocol" tests enabled as I have done. Move your users to submission (port 587, see the commented example in your master.cf file), or provide them with a separate IP address to use if you can't force them off of port 25.

The after-220 or "deep protocol" tests are specially flagged below! DO NOT enable them unless you understand what will happen: namely that some mail will be delayed!

If you don't understand these warnings, there's a good chance that you are not ready to run a serious mail server. Do consider the standard general advice of "learn to walk before you try to run."

If you don't heed these warnings, you might get what you deserve.

You have been WARNED.

Do with it what you will.

DNSBL Scoring System

I use a three-tier system augmented (or undermined, perhaps) by the use of DNS whitelists.

DNSBL Tier    Meaning
Tier 1        Block with this site alone
Tier 2        Block with this site and any other
Tier 3        Block with this site and two others
DNSWL Tier    Subtract from the DNSBL score

At this time, Spamhaus Zen is my only Tier 1 site, scored at the threshold score of 3. BRBL and SEM are Tier 2, scored as 2.

The Spamhaus whitelist (SWL) is given a fixed score of -4, enough to offset two Tier 2 lists or four in Tier 3. Spamhaus says that a Zen-listed IP address will never appear in the SWL, so there is no need to offset Tier 1 scores. I'm not sure I'd want to anyway. If that many sites are complaining about spam from that IP, they're probably right.

DNSWL.org itself has trust levels. I score their trust level "none" as a -2; "low" as -3, and "medium" or "high" as -4.

In actual usage, whitelisting is not very important for scoring. I have not yet found a SWL-listed host in any DNSBL. DNSWL "none" hosts, particularly return code 127.0.15.0, "Email Marketing Providers", are sometimes found in DNSBLs, and sometimes even enough to overcome the -2 score. The higher the trust level, the less likely the host is to be listed. The only "high" trust level host I have ever seen with offsetting DNSBL hits was vger.kernel.org[209.132.180.67], which I suppose gets listed because some of the mailing lists there reflect some spam occasionally. But I would not want nor expect postscreen to protect against such spam.

The real benefit of whitelisting is the Postfix 2.11+ feature of postscreen_dnsbl_whitelist_threshold. Before this feature, Gmail in particular could be a problem. Gmail outbound hosts always pass their unsuccessful deliveries to another host in their farm; you will never see a retry coming from the same host (which you have now whitelisted after its pass through postscreen's after-220 tests). Fortunately, all Gmail outbound hosts are listed in DNSWL.org.

Last updated: 2017-07-06

Last changes:

Older changes: updated postscreen_dnsbl_reply_map and the comments therein to reflect the behavior of newer postscreen/dnsblog versions; removed the discontinued TRBL list; lowered the DNSWL negative scores; added warnings and explanations, especially about the after-220 tests.

# postscreen(8) settings
### Before-220 tests
postscreen_access_list =
        permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
        pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3
        b.barracudacentral.org*2
        bl.spameatingmonkey.net*2
        bl.spamcop.net
        dnsbl.sorbs.net
        psbl.surriel.com
        bl.mailspike.net
        list.dnswl.org=127.0.[0..255].0*-2
        list.dnswl.org=127.0.[0..255].1*-3
        list.dnswl.org=127.0.[0..255].[2..3]*-4
        #swl.spamhaus.org*-4
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
postscreen_whitelist_interfaces = 207.223.116.211 !207.223.116.208/29
        !216.23.247.72/29 static:all
### This is the killer feature of Postfix 2.11 and later, which
### removes most of the pain associated with the after-220 tests, q.v.
### When a connecting host is at or below this score, the after-220
### tests are bypassed.
postscreen_dnsbl_whitelist_threshold = -1
### End of before-220 tests
### After-220 tests
### WARNING -- See "Tests after the 220 SMTP server greeting" in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests!
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.
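To check how the tiers, the DNSWL offsets and the two thresholds interact, here is an added Python model (not rob0's code or Postfix's) of the arithmetic postscreen(8) does with the weights in postscreen_dnsbl_sites above and the pcre reply map below. The lookup results fed to it are constructed sample data, not live DNS answers, and the commented-out swl.spamhaus.org entry is left out because the configuration does not enable it.

```python
import ipaddress

# Weights copied from postscreen_dnsbl_sites above; sites listed
# without "*N" carry postscreen's default weight of 1 (Tier 3).
DNSBL_WEIGHTS = {
    "zen.spamhaus.org": 3,          # Tier 1: blocks on its own
    "b.barracudacentral.org": 2,    # Tier 2
    "bl.spameatingmonkey.net": 2,   # Tier 2
    "bl.spamcop.net": 1,            # Tier 3
    "dnsbl.sorbs.net": 1,
    "psbl.surriel.com": 1,
    "bl.mailspike.net": 1,
}
DNSBL_THRESHOLD = 3              # postscreen_dnsbl_threshold
DNSBL_WHITELIST_THRESHOLD = -1   # postscreen_dnsbl_whitelist_threshold

def dnswl_weight(answer):
    """Weight for a list.dnswl.org A record 127.0.<category>.<trust>.

    Trust 0 (none) scores -2, 1 (low) -3, 2 or 3 (medium/high) -4,
    which is what the three list.dnswl.org= patterns above express.
    """
    octets = ipaddress.IPv4Address(answer).packed
    if octets[0] != 127 or octets[1] != 0:
        return 0  # not a DNSWL answer we recognise
    return {0: -2, 1: -3, 2: -4, 3: -4}.get(octets[3], 0)

def score(hits, dnswl_answer=None):
    """Sum the weights of every DNSBL that listed the client IP."""
    total = sum(DNSBL_WEIGHTS[site] for site in hits)
    if dnswl_answer is not None:
        total += dnswl_weight(dnswl_answer)
    return total

def decision(hits, dnswl_answer=None):
    """What postscreen does once all lookups are in, per the settings above."""
    total = score(hits, dnswl_answer)
    if total >= DNSBL_THRESHOLD:
        return "enforce"           # postscreen_dnsbl_action = enforce
    if total <= DNSBL_WHITELIST_THRESHOLD:
        return "skip-after-220"    # whitelist threshold: deep tests bypassed
    return "after-220-tests"       # pipelining/bare newline/non-SMTP checks

def reply_name(dnsbl):
    """Mirror of postscreen_dnsbl_reply_map.pcre: only Zen is named to the sender."""
    return dnsbl if dnsbl == "zen.spamhaus.org" else "multiple DNS-based blocklists"
```

Two Tier 2 hits plus a DNSWL "none" listing come out at 2, one short of the threshold, which is the case the scoring section describes as "sometimes even enough to overcome the -2 score" when a third list joins in.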

Note: postscreen_access.cidr below has dates which show how little it has been needed over time, since I implemented postscreen in February 2011. I probably should purge those eventually.

rob0@harrier:~$ for X in /etc/postfix/postscreen_* ; do echo ${X}: ; cat $X ; echo ; done
/etc/postfix/postscreen_access.cidr:
# /etc/postfix/postscreen_access.cidr 2011-02-27
# A simple combined white/blacklist
# Only "permit", "reject" and "dunno" work on the RHS
# This is a CIDR table, so see cidr_table(5) for LHS syntax

# Erik for slackbuilds
208.94.238.114/31		permit
# 2011-05-17 brute force attack
# May 17 05:35:14 cardinal postfix/anvil[3667]: statistics: max
# connection count 47 for (smtpd:66.23.228.27) at May 17 05:31:38
66.23.228.27			reject
# a lot from here including some DBL hits
108.62.112.160/29		reject
# 2011-08-09 eWayDirect whitelisted, but hitting spamtraps
# was having PREGREET protocol errors before today
207.45.161.0/24			reject
##
# 2011-11-22 brute force mail attacks, smtp and imap
61.175.253.59			reject
# 2012-09-23 spammer not in DNSBLs
66.7.197.45			reject
# 2012-11-19 hillapex.com spammer
184.173.107.11			reject

/etc/postfix/postscreen_dnsbl_reply_map.pcre:
# postscreen_dnsbl_reply_map - 2011-07-14
# We will be rejecting much mail which is listed in multiple DNSBLs.
# We're not proud of some of the lists we are using, thus have given
# them lower scores in postscreen_dnsbl_sites listing. So this checks
# the DNSBL name postscreen(8) gets from dnsblog(8), and if it's not
# one of our Tier 1 DNSBL sites, it changes what the sender will see:

#/^b\.barracudacentral\.org$/	b.barracudacentral.org
#/^bl\.spameatingmonkey\.net$/	bl.spameatingmonkey.net
!/^zen\.spamhaus\.org$/		multiple DNS-based blocklists

# In earlier versions, a random name, the first one logged, is what
# postscreen was given. Now it seems to get the highest-scored DNSBL.