Postfix: Blocking senders by reverse DNS hostname

Postfix has a restriction called check_client_access that can be used in smtpd_recipient_restrictions. According to the Postfix manual, it will:

"Search the specified access database for the client hostname, parent domains, client IP address, or networks obtained by stripping least significant octets."

You can use it to block specific domains, as resolved by the reverse DNS (rDNS) of the sending IP.

First, create a map of the domains you wish to block at /etc/postfix/bad_clients. It should look something like this:

xserver.jp  REJECT
somedomain.com  REJECT

It’s important to note that the parent_domain_matches_subdomains setting changes how Postfix matches subdomains. Check the existing value with:

postconf -p | grep parent_domain_matches_subdomains

If the setting contains smtpd_access_maps, then adding somedomain.com to your bad_clients file will also match something.somedomain.com. If the setting does not contain smtpd_access_maps, then you will need to prefix the domains in your bad_clients file with a dot in order to match subdomains (e.g. .somedomain.com).

You must now build a hash lookup table from your bad_clients file. To do this:

postmap /etc/postfix/bad_clients

Now you can add check_client_access hash:/etc/postfix/bad_clients to smtpd_recipient_restrictions in your Postfix main.cf. You more than likely already have smtpd_recipient_restrictions defined, so just add it to the list in the appropriate place. For example:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/bad_clients, reject_unauth_destination, reject_maps_rbl

You can tell it is working when your mail logs contain entries like:

Client host rejected: Access denied;
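
The effect of parent_domain_matches_subdomains on a bad_clients map, as described above, can be checked offline with a small model of the lookup order. This is an added example, not Postfix code or code from the original post: the function names and the sample map are constructed for illustration, and it handles IPv4 clients only.

```python
# Simplified model of the lookup order check_client_access uses against an
# access map. Illustration only, not Postfix source code; IPv4 only.

def candidate_keys(hostname, ip, parent_matches_subdomains):
    """Return the table keys tried for one client, in order."""
    host = hostname.lower().rstrip(".")
    keys = [host]                       # the exact hostname is always tried first
    labels = host.split(".")
    for i in range(1, len(labels)):     # then each parent domain
        parent = ".".join(labels[i:])
        # With smtpd_access_maps listed in parent_domain_matches_subdomains the
        # bare parent is looked up; otherwise only the ".parent" pattern is.
        keys.append(parent if parent_matches_subdomains else "." + parent)
    octets = ip.split(".")
    for n in range(4, 0, -1):           # full address, then strip octets
        keys.append(".".join(octets[:n]))
    return keys

def parse_access_map(text):
    """Parse 'pattern  ACTION' lines; skip blank lines and # comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, action = line.split(None, 1)
            table[pattern.lower()] = action
    return table

def client_action(table, hostname, ip, parent_matches_subdomains):
    """First matching action, or None (no match, next restriction applies)."""
    for key in candidate_keys(hostname, ip, parent_matches_subdomains):
        if key in table:
            return table[key]
    return None

# Constructed sample map in the same format as /etc/postfix/bad_clients.
BAD_CLIENTS = parse_access_map("""
xserver.jp      REJECT
.somedomain.com REJECT
""")

if __name__ == "__main__":
    hosts = ("xserver.jp", "sv1.xserver.jp",
             "something.somedomain.com", "somedomain.com")
    for host in hosts:
        for mode in (True, False):
            print(host, mode, client_action(BAD_CLIENTS, host, "192.0.2.10", mode))
```

Running it shows that each entry style only covers subdomains in one of the two modes, and that a dotted entry never matches the bare domain itself.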
