rob0's postscreen(8) configuration


The purpose of this document is to supplement, but not to replace, the Postfix Postscreen Howto, by showing a real-world example of what can be done with DNSBL scoring.

The DNSBL sites and scores I use are ones I can recommend for general usage. But in all cases, one should never use a DNSBL unless one is familiar with its policies: purpose, listing, removal, and usage. Links are provided inline for your convenience.

Postscreen usage generally precludes the use of port 25 for users' mail submission, especially with the after-220 or "deep protocol" tests enabled as I have done. Move your users to submission (port 587, see the commented example in your file), or provide them with a separate IP address to use if you can't force them off of port 25.

The after-220 or "deep protocol" tests are specially flagged below! DO NOT enable them unless you understand what will happen: namely that some mail will be delayed!

If you don't understand these warnings, there's a good chance that you are not ready to run a serious mail server. Do consider the standard general advice of "learn to walk before you try to run."

If you don't heed these warnings, you might get what you deserve.

You have been WARNED.

Do with it what you will.

DNSBL Scoring System

I use a three-tier system augmented (or undermined, perhaps) by the use of DNS whitelists.

DNSBL Tier   Meaning
Tier 1       Block with this site alone
Tier 2       Block with this site and any other
Tier 3       Block with this site and two others
DNSWL Tier   Subtract from the DNSBL score

At this time, Spamhaus Zen is my only Tier 1 site, scored at the threshold score of 3. BRBL, SEM and AHBL are Tier 2, scored as 2.

The Spamhaus whitelist (SWL) is given a fixed score of -4, enough to offset two Tier 2 lists or four in Tier 3. Spamhaus says that a Zen-listed IP address will never appear in the SWL, so there is no need to offset Tier 1 scores. I'm not sure I'd want to anyway: if that many sites are complaining about spam from that IP, they're probably right. DNSWL itself has trust levels. I score their trust level "none" as -2, "low" as -3, and "medium" or "high" as -4.

In actual usage, whitelisting is not very important. I have not yet found a SWL-listed host in any DNSBL. DNSWL "none" hosts, particularly return code, "Email Marketing Providers", are sometimes found in DNSBLs, and sometimes even enough to overcome the -2 score. The higher the trust level, the less likely to be listed. The only "high" trust level host I have ever seen with offsetting DNSBL hits was [], which I suppose gets listed because some of the mailing lists there reflect some spam occasionally. But I would neither want nor expect postscreen to protect against such spam.

Last updated: 2013-05-07

Last changes: updated postscreen_dnsbl_reply_map and the comments therein to reflect the behavior of newer postscreen/dnsblog versions

Older changes: removal of discontinued TRBL list, lowered DNSWL negative scores, added warnings and explanations, especially about the after-220 tests

# postscreen(8) settings
### Before-220 tests
postscreen_access_list =
        permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
postscreen_dnsbl_sites =*3*2*2*2*-4[0..255].[0..255].0*-2[0..255].[0..255].1*-3[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
postscreen_whitelist_interfaces = !
        ! static:all
### End of before-220 tests
### After-220 tests
### WARNING -- See "Tests after the 220 SMTP server greeting" in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests!
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.

Note: postscreen_access.cidr below has dates which show how little it has been needed over time, since I implemented postscreen in February 2011. I probably should purge those eventually.

rob0@harrier:~$ for X in /etc/postfix/postscreen_* ; do echo ${X}: ; cat $X ; echo ; done
# /etc/postfix/postscreen_access.cidr 2011-02-27
# A simple combined white/blacklist
# Only "permit", "reject" and "dunno" work on the RHS
# This is a CIDR table, so see cidr_table(5) for LHS syntax

# Erik for slackbuilds		permit
# 2011-05-17 brute force attack
# May 17 05:35:14 cardinal postfix/anvil[3667]: statistics: max
# connection count 47 for (smtpd: at May 17 05:31:38			reject
# a lot from here including some DBL hits		reject
# 2011-08-09 eWayDirect whitelisted, but hitting spamtraps
# was having PREGREET protocol errors before today			reject
# 2011-11-22 brute force mail attacks, smtp and imap			reject
# 2012-09-23 spammer not in DNSBLs			reject
# 2012-11-19 spammer			reject

# postscreen_dnsbl_reply_map - 2011-07-14
# We will be rejecting much mail which is listed in multiple DNSBLs.
# We're not proud of some of the lists we are using, thus have given
# them lower scores in postscreen_dnsbl_sites listing. So this checks
# the DNSBL name postscreen(8) gets from dnsblog(8), and if it's not
# one of our Tier 1 DNSBL sites, it changes what the sender will see:

!/^zen\.spamhaus\.org$/		multiple DNS-based blocklists

# In earlier versions, a random name, the first one logged, is what
# postscreen was given. Now it seems to get the highest-scored DNSBL.