Mail Server Settings

• Admins can press the "Default" button to apply the recommended SMTPD restrictions.
• Admins can press the "Clear" button to remove the recommended SMTPD restrictions.
• Admins can whitelist a server from these SMTPD restrictions under Warden -> Settings -> Mail Server Access -> Client Access.

Postfix allows you to specify lists of access restrictions for each stage of the SMTP conversation. More detailed documentation can be found on the Postfix website: Postfix SMTP relay and access control.

SMTPD delay reject - smtpd_delay_reject
Wait until the RCPT TO command before evaluating smtpd_client_restrictions, smtpd_helo_restrictions and smtpd_sender_restrictions, or wait until the ETRN command before evaluating smtpd_client_restrictions and smtpd_helo_restrictions. This should always be enabled because some clients mis-behave when the Postfix SMTP server rejects commands before RCPT TO. It also allows Postfix to log recipient address information when rejecting a client name/address or sender address, so that it is possible to find out whose mail is being rejected.
Default: yes

SMTPD HELO required - smtpd_helo_required
Require that a remote SMTP client introduces itself with the HELO or EHLO command before sending the MAIL command or other commands that require EHLO negotiation. This is required when using smtpd_helo_restrictions otherwise clients would be able to bypass those restrictions.
Default: yes

SMTPD client restrictions - smtpd_client_restrictions
Restrictions that the Postfix SMTP server applies in the context of a client connection request. Mail rejected by these restrictions can be found under Logs -> Reject Log -> Client host rejected.
Default: permit_mynetworks, permit_sasl_authenticated, reject_unknown_reverse_client_hostname

SMTPD HELO restrictions - smtpd_helo_restrictions
Restrictions that the Postfix SMTP server applies in the context of a client HELO/EHLO command. Mail rejected by these restrictions can be found under Logs -> Reject Log -> Helo command rejected.
Default: permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname

SMTPD sender restrictions - smtpd_sender_restrictions
Restrictions that the Postfix SMTP server applies in the context of a client MAIL FROM command. Mail rejected by these restrictions can be found under Logs -> Reject Log -> Sender address rejected.
Default: check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, reject_unknown_sender_domain

SMTPD recipient restrictions - smtpd_recipient_restrictions
Restrictions that the Postfix SMTP server applies in the context of a client RCPT TO command, after smtpd_relay_restrictions. Mail rejected by these restrictions can be found under Logs -> Reject Log -> Recipient address rejected.
Default: permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_recipient_domain

SMTPD data restrictions - smtpd_data_restrictions
Restrictions that the Postfix SMTP server applies in the context of the SMTP DATA command. Mail rejected by these restrictions can be found under Logs -> Reject Log -> Data command rejected.
Default: permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining

Unknown client reject code - unknown_client_reject_code
The numerical SMTP server response code when a client without valid address <=> name mapping is rejected by the reject_unknown_client restriction. The SMTP server always replies with 450 when the mapping failed due to a temporary error condition.
Default: 450

Unknown address reject code - unknown_address_reject_code
The numerical SMTP server response code when a sender or recipient address is rejected by the reject_unknown_sender_domain or reject_unknown_recipient_domain restriction.
Default: 450

SMTPD Restrictions

SMTPD restriction options are processed from left to right, so ordering is important: the first restriction that returns a permit or reject decision ends the evaluation, and a restriction that has no opinion passes control to the next entry in the list. The permit_mynetworks option is an important boundary between clients on your internal network and clients outside it. Options that appear before permit_mynetworks apply to both internal and external clients, while those after permit_mynetworks are only reached by clients that are not listed in mynetworks. The permit_sasl_authenticated option plays the same role for authenticated clients sending through your server: options after it are only reached by clients that did not authenticate.

SMTPD client restrictions

Restriction Description
check_client_access cidr:/etc/postfix/client_access.cidr An access table containing entries with IP addresses or CIDRs. This entry will be added or removed automatically by Warden when adding or removing your first client access entry under Settings -> Mail Server Access -> Client Access. The file /etc/postfix/client_access.cidr must exist or postfix will throw hard errors.
permit_mynetworks Permit a request if the client IP address matches any of the addresses listed in the mynetworks parameter.
permit_sasl_authenticated Permit a request when the client is successfully authenticated via the RFC 4954 (AUTH) protocol.
reject_rbl_client rbl.example.com Rejects a request when the client IP address is listed in the specified DNSBL. Postfix looks up a hostname composed of the octets of the client IP address in reverse order under the specified domain and treats an A record in the reply as a listing. These entries are added automatically when you enable DNSBLs under Tools & Settings -> Mail Server Settings -> DNS zones for DNSBL service.
reject_rhsbl_client rhsbl.example.com Rejects a request when the client hostname (the name the client IP address resolves to) is listed with an A record under the specified domain. Unlike reject_rbl_client, the lookup is by hostname, not by reversed IP address.
reject_unknown_reverse_client_hostname Reject the request when the client IP address has no address->name mapping. This is a weaker restriction than reject_unknown_client_hostname, which requires not only that the address->name and name->address mappings exist, but also that the two mappings reproduce the client IP address. The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name or name->address lookup failed due to a temporary problem.
reject_unknown_client_hostname Reject the request when 1) the client IP address->name mapping fails, or 2) the name->address mapping fails, or 3) the name->address mapping does not match the client IP address. This is a stronger restriction than reject_unknown_reverse_client_hostname, which triggers only under the 1st condition. The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name lookup failed due to a temporary problem.

SMTPD HELO restrictions

Restriction Description
check_helo_access hash:/etc/postfix/helo_access An access table containing hostnames and parent domains to match against the host information supplied with the HELO command. This will be added or removed automatically by Warden when adding or removing your first helo access entry under Settings -> Mail Server Access -> HELO Access. The database file /etc/postfix/helo_access.db generated from the postmap command must exist or postfix will throw hard errors.
permit_mynetworks Permit a request if the client IP address matches any of the addresses listed in the mynetworks parameter.
permit_sasl_authenticated Permit a request when the client is successfully authenticated via the RFC 4954 (AUTH) protocol.
reject_invalid_helo_hostname Reject the request when the HELO or EHLO hostname is malformed. The invalid_hostname_reject_code parameter specifies the response code for rejected requests (default: 501).
reject_non_fqdn_helo_hostname Reject the request when the HELO or EHLO hostname is not in fully-qualified domain or address literal form, as required by the RFC. The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504).

SMTPD sender restrictions

Restriction Description
check_sender_access hash:/etc/postfix/sender_access An access table used by Warden containing entries with email addresses, domains, and local parts to match against the address specified with the MAIL FROM command. This will be added or removed automatically by Warden when adding or removing your first sender access entry under Settings -> Mail Server Access -> Sender Access. The database file /etc/postfix/sender_access.db generated from the postmap command must exist or postfix will throw hard errors.
check_sender_access hash:/var/spool/postfix/plesk/blacklists An access table used by Plesk containing domains to match against the address specified with the MAIL FROM command. These blacklists can be added under Tools & Settings -> Mail Server Settings -> Black List.
reject_authenticated_sender_login_mismatch Reject the request when the client is authenticated with SASL, but either the MAIL FROM address is not listed in smtpd_sender_login_maps, or the SASL login name is not an owner for that address. This prevents an authenticated client from using a MAIL FROM address that it does not explicitly own. Important: This option is recommended for experienced system administrators only. It must be listed before the permit_sasl_authenticated entry, otherwise the authenticated client is permitted before the mismatch check is reached. You must also run the command postconf -e "smtpd_sender_login_maps = hash:/var/spool/postfix/plesk/virtual" before enabling this option. See here for more information.
permit_sasl_authenticated Permit a request when the client is successfully authenticated via the RFC 4954 (AUTH) protocol.
reject_unknown_sender_domain Reject the request when Postfix is not the final destination for the sender address, and the MAIL FROM domain has 1) no DNS MX and no DNS A record or 2) a malformed MX record such as a record with a zero-length MX hostname. The reply is specified with the unknown_address_reject_code parameter (default: 450), unknown_address_tempfail_action (default: defer_if_permit), or 550 (nullmx, Postfix 3.0 and later).
reject_non_fqdn_sender Reject the request when the MAIL FROM address specifies a domain that is not in fully-qualified domain form as required by the RFC. The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504).

SMTPD recipient restrictions

Restriction Description
check_recipient_access hash:/etc/postfix/recipient_access An access table used by Warden containing entries with email addresses, domains, and local parts to match against the address specified with the RCPT TO command. This will be added or removed automatically by Warden when adding or removing your first recipient access entry under Settings -> Mail Server Access -> Recipient Access. The database file /etc/postfix/recipient_access.db generated from the postmap command must exist or postfix will throw hard errors.
permit_mynetworks Permit a request if the client IP address matches any of the addresses listed in the mynetworks parameter.
permit_sasl_authenticated Permit a request when the client is successfully authenticated via the RFC 4954 (AUTH) protocol.
reject_unauth_destination Rejects a request unless Postfix is the final destination for the recipient address or is configured to relay mail for the recipient domain (for example via relay_domains). This entry is required and prevents your system from being an open relay.
reject_unknown_recipient_domain Reject the request when Postfix is not final destination for the recipient domain, and the RCPT TO domain has 1) no DNS MX and no DNS A record or 2) a malformed MX record such as a record with a zero-length MX hostname. The reply is specified with the unknown_address_reject_code parameter (default: 450), unknown_address_tempfail_action (default: defer_if_permit), or 556 (nullmx, Postfix 3.0 and later).
reject_non_fqdn_recipient Reject the request when the RCPT TO address specifies a domain that is not in fully-qualified domain form, as required by the RFC. The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504).
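The ordering rules above (restrictions before permit_mynetworks apply to everyone, those after it only to outside clients) and the role of reject_unauth_destination as the open-relay guard are easiest to see by walking a restriction list the way Postfix does. The following is an added example written for this page, not Warden or Postfix code: a toy evaluator that implements left-to-right evaluation with PERMIT / REJECT / DUNNO verdicts for a few of the restrictions listed above and runs several constructed sessions against different recipient restriction lists. The network ranges, domains and addresses are assumptions, and the access-table lookup is simplified to exact address and domain keys.

```python
"""Toy model of how Postfix walks an smtpd restriction list.

Added example, not Warden or Postfix code. Postfix evaluates each list left to
right: the first restriction that returns PERMIT or REJECT decides, and a
restriction with no opinion (DUNNO) hands over to the next one. Only a few
restrictions are modelled, and access tables are simplified to exact
address/domain keys (no parent-domain or localpart matching).
"""
import ipaddress

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed sample deployment; these values are assumptions, not from the page.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
MYDESTINATION = {"example.com", "mail.example.com"}   # delivered locally
RELAY_DOMAINS = {"partner.example"}                    # relayed on behalf of others


class Session:
    """What Postfix knows about the client when it evaluates RCPT TO."""

    def __init__(self, client_ip, recipient, sasl_authenticated=False):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.recipient = recipient.lower()
        self.sasl_authenticated = sasl_authenticated

    @property
    def recipient_domain(self):
        return self.recipient.rpartition("@")[2]


def permit_mynetworks(s):
    return PERMIT if any(s.client_ip in net for net in MYNETWORKS) else DUNNO


def permit_sasl_authenticated(s):
    return PERMIT if s.sasl_authenticated else DUNNO


def reject_unauth_destination(s):
    """The open-relay guard: only local and relay destinations pass."""
    allowed = s.recipient_domain in MYDESTINATION or s.recipient_domain in RELAY_DOMAINS
    return DUNNO if allowed else REJECT


def check_recipient_access(table):
    """Access table mapping an address or bare domain to OK / REJECT / DUNNO."""
    def lookup(s):
        for key in (s.recipient, s.recipient_domain):
            action = table.get(key, DUNNO)
            if action == "OK":
                return PERMIT
            if action == "REJECT":
                return REJECT
        return DUNNO
    lookup.__name__ = "check_recipient_access"
    return lookup


def evaluate(restrictions, session):
    """Left-to-right evaluation. Returns (verdict, name of deciding restriction)."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != DUNNO:
            return verdict, restriction.__name__
    return PERMIT, "end-of-list"   # Postfix permits when nothing objected


# Restriction lists under comparison.
BLOCK_ELSEWHERE = check_recipient_access({"elsewhere.example": "REJECT"})
DEFAULT_LIST = [permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination]
OPEN_RELAY_LIST = [permit_mynetworks, permit_sasl_authenticated]   # guard removed
TABLE_BEFORE_BOUNDARY = [BLOCK_ELSEWHERE, permit_mynetworks, reject_unauth_destination]
TABLE_AFTER_BOUNDARY = [permit_mynetworks, BLOCK_ELSEWHERE, reject_unauth_destination]

# Constructed sessions (RFC 5737 documentation addresses).
INTERNAL = Session("192.0.2.10", "bob@elsewhere.example")
EXTERNAL = Session("198.51.100.7", "bob@elsewhere.example")
INBOUND = Session("198.51.100.7", "alice@example.com")
SUBMISSION = Session("203.0.113.5", "bob@elsewhere.example", sasl_authenticated=True)

if __name__ == "__main__":
    lists = {"default": DEFAULT_LIST, "no relay guard": OPEN_RELAY_LIST,
             "table before boundary": TABLE_BEFORE_BOUNDARY,
             "table after boundary": TABLE_AFTER_BOUNDARY}
    sessions = {"internal": INTERNAL, "external relay": EXTERNAL,
                "inbound": INBOUND, "authenticated": SUBMISSION}
    for lname, lst in lists.items():
        for sname, sess in sessions.items():
            print(f"{lname:22} {sname:15} -> {evaluate(lst, sess)}")
```

Two rows of the output carry the point: with the relay guard removed, the unauthenticated external client relaying to elsewhere.example reaches the end of the list and is permitted, which is an open relay; and the same blocklist entry rejects the internal client when it sits before permit_mynetworks but not when it sits after it.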

SMTPD data Restrictions

Restriction Description
permit_mynetworks Permit a request if the client IP address matches any of the addresses listed in the mynetworks parameter.
permit_sasl_authenticated Permit a request when the client is successfully authenticated via the RFC 4954 (AUTH) protocol.
reject_unauth_pipelining Reject the request when the client sends SMTP commands ahead of time where it is not allowed, or when the client sends SMTP commands ahead of time without knowing that Postfix actually supports ESMTP command pipelining. This stops mail from bulk mail software that improperly uses ESMTP command pipelining in order to speed up deliveries.
reject_multi_recipient_bounce Reject the request when the envelope sender is the null address, and the message has multiple envelope recipients. The multi_recipient_bounce_reject_code parameter specifies the response code for rejected requests (default: 550).

DNSBLs

• It is recommended that users set up a local DNS resolver to speed up DNS queries. See here for more information.
• Do not use the RBL zen.spamhaus.org if your server uses public DNS resolvers such as Google, Quad9 or Cloudflare DNS, or any other DNS server that sends a high volume of queries to Spamhaus without being registered with them. If you do, the queries risk triggering blocks purely because of the volume of DNS traffic Spamhaus receives from that resolver: Spamhaus answers such queries with an error code instead of a listing, and because reject_rbl_client treats any A record in the reply as a listing, you will end up blocking mail that was not spam and that you did not mean to block. See here for more information.
• Admins can whitelist a server from these DNSBLs under Warden -> Settings -> Mail Server Access -> Client Access. See here for more information.

DNSBL - Maintainer

zen.spamhaus.org - spamhaus.org
ZEN is the combination of all Spamhaus IP-based DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, SBLCSS, XBL and PBL blocklists. Note: Do not use if you are using public DNS resolvers.
Usage policy: see the maintainer's usage policy
Recommended: yes

b.barracudacentral.org - barracudacentral.org
Starting in September 2008, Barracuda Networks introduced the Barracuda Reputation Block List as a free DNSBL of IP addresses known to send spam.
Recommended: yes

psbl.surriel.com - Passive Spam Block List
An easy-on, easy-off blacklist that doesn't rely on testing and should reduce false positives because any user can remove their ISP's mail server from the list.
Recommended: yes

spam.spamrats.com - spamrats.com
SpamRATS is one of the industry's leading IP Reputation lists providing RBL (Real-Time Blackhole lists) services and data feeds. Note: This is very strict and may have false positives.
Usage policy: see the maintainer's usage policy
Recommended: no

bl.spamcop.net - spamcop.net
SpamCop is the premier service for reporting spam. SpamCop determines the origin of unwanted email and reports it to the relevant Internet service providers. By reporting spam, you have a positive impact on the problem. Note: May have false positives with Microsoft Office 365 servers.
Recommended: no

bl.mailspike.net - mailspike.io
Mailspike.org is a free IP Blocklist lookup service by MailSpike, the makers of Anubisnetworks Email Security Services. Note: This is very strict and may have false positives.
Usage policy: see the maintainer's usage policy
Recommended: no

ix.dnsbl.manitu.net - nixspam.net
This publicly available DNS blacklist is permanently regenerated by the NiX Spam project of the German IT magazine iX. It contains IP addresses of spam senders and hash values (fuzzy checksums) of incoming spam.
Recommended: no

Related Pages