• Admins can press the "Default" button to apply the recommended SMTPD restrictions.
• Admins can press the "Clear" button to remove the recommended SMTPD restrictions.
• Admins can whitelist a server from these SMTPD restrictions under Warden -> Settings -> Mail Server Access -> Client Access.
Postfix allows you to specify lists of access restrictions for each stage of the SMTP conversation. More detailed documentation can be found on the Postfix website: Postfix SMTP relay and access control.
SMTPD delay reject - smtpd_delay_reject
Wait until the RCPT TO command before evaluating smtpd_client_restrictions, smtpd_helo_restrictions and smtpd_sender_restrictions, or wait until the ETRN command before evaluating smtpd_client_restrictions and smtpd_helo_restrictions.
This should always be enabled because some clients misbehave when the Postfix SMTP server rejects commands before RCPT TO. It also allows Postfix to log recipient address information when rejecting a client name/address or sender address, so that it is possible to find out whose mail is being rejected.
Default: yes
SMTPD HELO required - smtpd_helo_required
Require that a remote SMTP client introduces itself with the HELO or EHLO command before sending the MAIL command or other commands that require EHLO negotiation. This is required when using smtpd_helo_restrictions; otherwise a client could bypass those restrictions simply by never sending HELO or EHLO.
Default: yes
SMTPD client restrictions - smtpd_client_restrictions
Restrictions that the Postfix SMTP server applies in the context of a client connection request. Mail rejected by these restrictions can be found under Logs -> Reject Log -> Client host rejected.
Default: permit_mynetworks, permit_sasl_authenticated, reject_unknown_reverse_client_hostname
SMTPD HELO restrictions - smtpd_helo_restrictions
Restrictions that the Postfix SMTP server applies in the context of a client HELO/EHLO command. Mail rejected by these restrictions can be found under Logs -> Reject Log -> Helo command rejected.
Default: permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname
SMTPD sender restrictions - smtpd_sender_restrictions
Restrictions that the Postfix SMTP server applies in the context of a client MAIL FROM command. Mail rejected by these restrictions can be found under Logs -> Reject Log -> Sender address rejected.
Default: check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, reject_unknown_sender_domain
SMTPD recipient restrictions - smtpd_recipient_restrictions
Restrictions that the Postfix SMTP server applies in the context of a client RCPT TO command, after smtpd_relay_restrictions. Mail rejected by these restrictions can be found under Logs -> Reject Log -> Recipient address rejected.
Default: permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_recipient_domain
SMTPD data restrictions - smtpd_data_restrictions
Restrictions that the Postfix SMTP server applies in the context of the SMTP DATA command. Mail rejected by these restrictions can be found under Logs -> Reject Log -> Data command rejected.
Default: permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining
Unknown client reject code - unknown_client_reject_code
The numerical SMTP server response code when a client without a valid address<=>name mapping is rejected by the reject_unknown_client_hostname or reject_unknown_reverse_client_hostname restriction. Regardless of this setting, the SMTP server always replies with 450 when the mapping failed due to a temporary error condition, so that the client retries later.
Default: 450
Unknown address reject code - unknown_address_reject_code
The numerical SMTP server response code when a sender or recipient address is rejected by the reject_unknown_sender_domain or reject_unknown_recipient_domain restriction.
Default: 450
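Every "Mail rejected by these restrictions can be found under Logs -> Reject Log -> ..." entry above maps to the same Postfix smtpd log line format, so the Reject Log categories can be reproduced from /var/log/maillog directly, which is useful when checking what a newly applied restriction is actually rejecting. The script below is an added example and is not part of Warden or Postfix: it parses `NOQUEUE: reject:` lines, groups them by the reject reason strings the Reject Log uses (Client host rejected, Helo command rejected, Sender address rejected, Recipient address rejected, Data command rejected) and separates temporary 4xx deferrals (the 450 default of unknown_client_reject_code and unknown_address_reject_code) from permanent 5xx rejections. The sample log lines are constructed with RFC 5737 documentation addresses and invented hostnames.

```python
import re
from collections import Counter

# Constructed sample lines in the Postfix smtpd reject format. With smtpd_delay_reject=yes
# the logged stage is RCPT even for client, HELO and sender rejections, which is why every
# line carries from=<...> to=<...>. The pipelining warning line is not a reject and is skipped.
SAMPLE_LOG = """\
Mar  3 10:01:02 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.10]; from=<bob@example.com> to=<alice@example.net> proto=ESMTP helo=<mx.example.com>
Mar  3 10:02:15 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from host.example.org[198.51.100.5]: 501 5.5.2 <foo bar>: Helo command rejected: Invalid name; from=<x@example.org> to=<alice@example.net> proto=SMTP helo=<foo bar>
Mar  3 10:03:40 mail postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 450 4.1.8 <joe@nxdomain.invalid>: Sender address rejected: Domain not found; from=<joe@nxdomain.invalid> to=<alice@example.net> proto=ESMTP helo=<mail.example.org>
Mar  3 10:04:01 mail postfix/smtpd[2102]: NOQUEUE: reject: RCPT from relay.example.org[203.0.113.9]: 554 5.7.1 <victim@elsewhere.example>: Recipient address rejected: Relay access denied; from=<spam@example.org> to=<victim@elsewhere.example> proto=ESMTP helo=<relay.example.org>
Mar  3 10:05:22 mail postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.11]; from=<eve@example.com> to=<alice@example.net> proto=ESMTP helo=<pc>
Mar  3 10:06:00 mail postfix/smtpd[2103]: improper command pipelining after DATA from spambot.example[203.0.113.20]: MAIL FROM:<a@b.example>
Mar  3 10:06:00 mail postfix/smtpd[2103]: NOQUEUE: reject: DATA from spambot.example[203.0.113.20]: 503 5.5.0 <DATA>: Data command rejected: Improper use of SMTP command pipelining; from=<a@b.example> to=<alice@example.net> proto=ESMTP helo=<spambot.example>
"""

# stage, client host/IP, numeric and enhanced code, optional <address> echo, reason, detail, envelope.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>[A-Z]+) from "
    r"(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<ecode>\d\.\d+\.\d+) "
    r"(?:<[^>]*>: )?(?P<reason>[A-Za-z ]+ rejected): (?P<detail>[^;]*); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_rejects(log_text):
    """Return one dict per 'NOQUEUE: reject:' line; all other lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        # A 4xx reply only defers: the sending server will retry, so this is not lost mail.
        rec["temporary"] = rec["code"].startswith("4")
        records.append(rec)
    return records


def summarize(records):
    """Counts per Reject Log category and per client IP, split into deferred vs rejected."""
    deferred = sum(1 for r in records if r["temporary"])
    return {
        "by_reason": dict(Counter(r["reason"] for r in records)),
        "by_ip": dict(Counter(r["ip"] for r in records)),
        "deferred": deferred,
        "rejected": len(records) - deferred,
    }


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    summary = summarize(parse_rejects(text))
    for reason, n in sorted(summary["by_reason"].items()):
        print("%-28s %d" % (reason, n))
    print("deferred (4xx): %d, rejected (5xx): %d" % (summary["deferred"], summary["rejected"]))
```

Run it as `python3 rejects.py < /var/log/maillog` on a real server; the by_ip counter is the quickest way to spot a single client being deferred over and over by reject_unknown_reverse_client_hostname, which is the usual sign of a legitimate sender with broken reverse DNS that belongs in Client Access rather than in a blocklist.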
SMTPD restriction lists are processed from left to right and evaluation stops at the first permit or reject that matches, so ordering is important. The permit_mynetworks entry is an important boundary between clients on your internal network and clients outside it: restrictions that appear before permit_mynetworks apply to both internal and external clients, while those after it apply to external clients only. The permit_sasl_authenticated entry plays the same role for authenticated clients sending through your server.
Restriction | Description |
---|---|
check_client_access cidr:/etc/postfix/client_access.cidr | An access table containing entries with IP addresses or CIDR blocks. This entry is added or removed automatically by Warden when you add or remove your first client access entry under Settings -> Mail Server Access -> Client Access. The file /etc/postfix/client_access.cidr must exist or Postfix will throw hard errors. |
permit_mynetworks | Permit the request if the client IP address matches any of the networks listed in the mynetworks parameter. |
permit_sasl_authenticated | Permit the request when the client is successfully authenticated via the RFC 4954 (AUTH) protocol. |
reject_rbl_client rbl.example.com | Reject the request when a DNS lookup of a name composed of the octets of the client IP address in reverse order under the specified domain returns an A record (an IP-based DNSBL). These entries are added automatically when you enable DNSBLs under Tools & Settings -> Mail Server Settings -> DNS zones for DNSBL service. |
reject_rhsbl_client rhsbl.example.com | Reject the request when the client hostname is listed with an A record under the specified domain (a domain-based, "right-hand side" blocklist). |
reject_unknown_reverse_client_hostname | Reject the request when the client IP address has no address->name mapping. This is a weaker restriction than reject_unknown_client_hostname, which requires not only that the address->name and name->address mappings exist, but also that the two mappings reproduce the client IP address. The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name lookup failed due to a temporary problem. |
reject_unknown_client_hostname | Reject the request when 1) the client IP address->name mapping fails, or 2) the name->address mapping fails, or 3) the name->address mapping does not match the client IP address. This is a stronger restriction than reject_unknown_reverse_client_hostname, which triggers only under the 1st condition. The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name or name->address lookup failed due to a temporary problem. |
Restriction | Description |
---|---|
check_helo_access hash:/etc/postfix/helo_access | An access table containing hostnames and parent domains to match against the host information supplied with the HELO command. This entry is added or removed automatically by Warden when you add or remove your first HELO access entry under Settings -> Mail Server Access -> HELO Access. The database file /etc/postfix/helo_access.db generated by the postmap command must exist or Postfix will throw hard errors. |
permit_mynetworks | Permit the request if the client IP address matches any of the networks listed in the mynetworks parameter. |
permit_sasl_authenticated | Permit the request when the client is successfully authenticated via the RFC 4954 (AUTH) protocol. |
reject_invalid_helo_hostname | Reject the request when the HELO or EHLO hostname is malformed. The invalid_hostname_reject_code parameter specifies the response code for rejected requests (default: 501). |
reject_non_fqdn_helo_hostname | Reject the request when the HELO or EHLO hostname is not in fully-qualified domain or address literal form, as required by the RFC. The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504). |
Restriction | Description |
---|---|
check_sender_access hash:/etc/postfix/sender_access | An access table used by Warden containing entries with email addresses, domains, and local parts to match against the address specified with the MAIL FROM command. This entry is added or removed automatically by Warden when you add or remove your first sender access entry under Settings -> Mail Server Access -> Sender Access. The database file /etc/postfix/sender_access.db generated by the postmap command must exist or Postfix will throw hard errors. |
check_sender_access hash:/var/spool/postfix/plesk/blacklists | An access table used by Plesk containing domains to match against the address specified with the MAIL FROM command. These blacklists can be added under Tools & Settings -> Mail Server Settings -> Black List. |
reject_authenticated_sender_login_mismatch | Reject the request when the client is authenticated with SASL, but either the MAIL FROM address is not listed in smtpd_sender_login_maps, or the SASL login name is not an owner of that address. This prevents an authenticated client from using a MAIL FROM address that it does not explicitly own. Important: this option is recommended for experienced system administrators only. It must be listed before the permit_sasl_authenticated entry, otherwise permit_sasl_authenticated matches first and the check is never reached. You must also run the command postconf -e "smtpd_sender_login_maps = hash:/var/spool/postfix/plesk/virtual" before enabling this option. See here for more information. |
permit_sasl_authenticated | Permit the request when the client is successfully authenticated via the RFC 4954 (AUTH) protocol. |
reject_unknown_sender_domain | Reject the request when Postfix is not the final destination for the sender address, and the MAIL FROM domain has 1) no DNS MX and no DNS A record or 2) a malformed MX record such as a record with a zero-length MX hostname. The reply is specified with the unknown_address_reject_code parameter (default: 450), unknown_address_tempfail_action (default: defer_if_permit), or 550 (nullmx, Postfix 3.0 and later). |
reject_non_fqdn_sender | Reject the request when the MAIL FROM address specifies a domain that is not in fully-qualified domain form, as required by the RFC. The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504). |
Restriction | Description |
---|---|
check_recipient_access hash:/etc/postfix/recipient_access | An access table used by Warden containing entries with email addresses, domains, and local parts to match against the address specified with the RCPT TO command. This entry is added or removed automatically by Warden when you add or remove your first recipient access entry under Settings -> Mail Server Access -> Recipient Access. The database file /etc/postfix/recipient_access.db generated by the postmap command must exist or Postfix will throw hard errors. |
permit_mynetworks | Permit the request if the client IP address matches any of the networks listed in the mynetworks parameter. |
permit_sasl_authenticated | Permit the request when the client is successfully authenticated via the RFC 4954 (AUTH) protocol. |
reject_unauth_destination | Reject the request unless Postfix is the final destination for the resolved RCPT TO address or is explicitly configured to relay for that destination. This entry is required: without it, any client that gets past the permit entries above it can use your server as an open relay. |
reject_unknown_recipient_domain | Reject the request when Postfix is not the final destination for the recipient domain, and the RCPT TO domain has 1) no DNS MX and no DNS A record or 2) a malformed MX record such as a record with a zero-length MX hostname. The reply is specified with the unknown_address_reject_code parameter (default: 450), unknown_address_tempfail_action (default: defer_if_permit), or 556 (nullmx, Postfix 3.0 and later). |
reject_non_fqdn_recipient | Reject the request when the RCPT TO address specifies a domain that is not in fully-qualified domain form, as required by the RFC. The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504). |
Restriction | Description |
---|---|
permit_mynetworks | Permit the request if the client IP address matches any of the networks listed in the mynetworks parameter. |
permit_sasl_authenticated | Permit the request when the client is successfully authenticated via the RFC 4954 (AUTH) protocol. |
reject_unauth_pipelining | Reject the request when the client sends SMTP commands ahead of time where it is not allowed, or when the client sends SMTP commands ahead of time without knowing that Postfix actually supports ESMTP command pipelining. This stops mail from bulk mail software that improperly uses ESMTP command pipelining in order to speed up deliveries. |
reject_multi_recipient_bounce | Reject the request when the envelope sender is the null address and the message has multiple envelope recipients. The multi_recipient_bounce_reject_code parameter specifies the response code for rejected requests (default: 550). |
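The ordering rules stated above (anything before permit_mynetworks also applies to internal clients, reject_authenticated_sender_login_mismatch must precede permit_sasl_authenticated and needs smtpd_sender_login_maps, reject_unauth_destination is mandatory, and every check_*_access table must exist on disk or Postfix fails hard) are all mechanical, so they can be checked against the live configuration before editing the lists by hand. The linter below is an added example and not part of Warden or Postfix. It reads the `name = value` lines printed by `postconf smtpd_client_restrictions smtpd_helo_restrictions smtpd_sender_restrictions smtpd_relay_restrictions smtpd_recipient_restrictions smtpd_data_restrictions smtpd_sender_login_maps` (effective values, so an unset smtpd_relay_restrictions shows its built-in default) and reports findings. The sample configuration, the severity labels and the `exists` parameter (which only exists so the file check can be exercised offline) are this example's own.

```python
import os
import re

# Restriction names that consume one argument (a table, a DNSBL domain, a service endpoint).
ARG_TAKING = ("check_", "reject_rbl_client", "reject_rhsbl_", "permit_dnswl_", "permit_rhswl_")
STAGES = ("client", "helo", "sender", "relay", "recipient", "data")

# Constructed sample in the format printed by postconf (not taken from a real server).
SAMPLE_POSTCONF = """\
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_reverse_client_hostname
smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, permit_sasl_authenticated, check_helo_access hash:/etc/postfix/helo_access
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, reject_authenticated_sender_login_mismatch, reject_unknown_sender_domain
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_recipient_domain
smtpd_data_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining
smtpd_sender_login_maps =
"""


def parse_postconf(text):
    """Parse 'name = value' lines as printed by postconf into a dict."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            conf[name.strip()] = value.strip()
    return conf


def parse_restrictions(value):
    """Split a restriction list into (name, argument) pairs, preserving left-to-right order."""
    items = []
    for word in re.split(r"[,\s]+", value):
        if not word:
            continue
        if items and items[-1][0].startswith(ARG_TAKING) and items[-1][1] is None:
            items[-1] = (items[-1][0], word)      # argument of the previous restriction
        else:
            items.append((word, None))
    return items


def table_file(arg):
    """The file that must exist for an access-table argument such as hash:/etc/postfix/helo_access."""
    if ":" not in arg:
        return None
    kind, path = arg.split(":", 1)
    if kind in ("hash", "btree"):
        return path + ".db"                      # produced by postmap
    if kind in ("cidr", "texthash", "pcre", "regexp"):
        return path                              # read as plain text
    return None                                  # mysql:, ldap:, proxy: ... are not plain files


def lint(conf, exists=os.path.exists):
    """Return a list of (severity, message) findings for the smtpd restriction lists in conf."""
    findings = []
    lists = {s: parse_restrictions(conf.get("smtpd_%s_restrictions" % s, "")) for s in STAGES}

    # 1. Anti-relay: reject/defer_unauth_destination must appear in relay or recipient restrictions.
    relay_names = {n for s in ("relay", "recipient") for n, _ in lists[s]}
    if not relay_names & {"reject_unauth_destination", "defer_unauth_destination"}:
        findings.append(("CRITICAL", "no reject_unauth_destination in smtpd_relay_restrictions "
                                     "or smtpd_recipient_restrictions: server is an open relay"))

    # 2. The sender login mismatch check must run before permit_sasl_authenticated and needs maps.
    sender = [n for n, _ in lists["sender"]]
    if "reject_authenticated_sender_login_mismatch" in sender:
        if ("permit_sasl_authenticated" in sender and sender.index("permit_sasl_authenticated")
                < sender.index("reject_authenticated_sender_login_mismatch")):
            findings.append(("WARNING", "reject_authenticated_sender_login_mismatch is listed after "
                                        "permit_sasl_authenticated and is never reached"))
        if not conf.get("smtpd_sender_login_maps"):
            findings.append(("WARNING", "reject_authenticated_sender_login_mismatch needs "
                                        "smtpd_sender_login_maps to be set"))

    for stage, items in lists.items():
        names = [n for n, _ in items]
        # 3. Ordering: everything left of permit_mynetworks also applies to $mynetworks clients.
        if "permit_mynetworks" in names:
            for n in names[:names.index("permit_mynetworks")]:
                if n.startswith("reject_"):
                    findings.append(("INFO", "%s in smtpd_%s_restrictions precedes permit_mynetworks, "
                                             "so it also applies to internal clients" % (n, stage)))
        # 4. Tables referenced by check_*_access must exist or smtpd throws hard errors.
        for n, arg in items:
            path = table_file(arg) if (n.startswith("check_") and arg) else None
            if path and not exists(path):
                findings.append(("ERROR", "smtpd_%s_restrictions: %s %s: missing file %s"
                                          % (stage, n, arg, path)))
    return findings


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POSTCONF
    for severity, message in lint(parse_postconf(text)):
        print("%-8s %s" % (severity, message))
```

On a real server pipe the postconf output into the script; with the constructed sample it reports the open relay (neither list carries reject_unauth_destination), the misplaced reject_authenticated_sender_login_mismatch, the empty smtpd_sender_login_maps, the HELO check that also applies to internal clients, and the missing helo_access.db.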
• It is recommended that users set up a local DNS resolver to speed up DNS queries. See here for more information.
• Do not use the RBL zen.spamhaus.org if your server uses public DNS resolvers such as Google, Quad9 or Cloudflare DNS, or any other DNS server that sends a high volume of queries to Spamhaus without being registered with them. If you do, you risk Spamhaus blocking the queries simply because of the sheer volume of DNS traffic it receives from that resolver, and a blocked query can be treated as a listing, meaning you will end up rejecting mail that was not spam and that you never meant to block. See here for more information.
• Admins can whitelist a server from these DNSBLs under Warden -> Settings -> Mail Server Access -> Client Access. See here for more information.
dnsbl - dnsbl
Enable or disable the spam protection based on DNS blackhole lists.
Default: 0
dnsbl_sites - dnsbl_sites
A list of DNS block lists to use for spam protection.
Default: empty
DNSBL | Maintainer | Usage Policy | Description | Recommended |
---|---|---|---|---|
zen.spamhaus.org | spamhaus.org | Usage | ZEN is the combination of all Spamhaus IP-based DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, SBLCSS, XBL and PBL blocklists. Note: Do not use if you are using public DNS resolvers. | yes |
b.barracudacentral.org | barracudacentral.org | | Starting in September 2008, Barracuda Networks introduced the Barracuda Reputation Block List as a free DNSBL of IP addresses known to send spam. | yes |
psbl.surriel.com | Passive Spam Block List | | An easy-on, easy-off blacklist that doesn't rely on testing and should reduce false positives because any user can remove their ISP's mail server from the list. | yes |
spam.spamrats.com | spamrats.com | Usage | SpamRATS is one of the industry's leading IP reputation lists providing RBL (Real-Time Blackhole List) services and data feeds. Note: This list is very strict and may produce false positives. | |
bl.spamcop.net | spamcop.net | | SpamCop is the premier service for reporting spam. SpamCop determines the origin of unwanted email and reports it to the relevant Internet service providers. By reporting spam, you have a positive impact on the problem. Note: May produce false positives with Microsoft Office 365 servers. | |
bl.mailspike.net | mailspike.io | Usage | Mailspike.org is a free IP blocklist lookup service by MailSpike, the makers of AnubisNetworks Email Security Services. Note: This list is very strict and may produce false positives. | |
ix.dnsbl.manitu.net | nixspam.net | | This DNSBL has been discontinued. Do not use! | |
• Before enabling Postscreen make sure that all your clients are sending using the outgoing submission port 587 or SMTPS port 465 as they will no longer be able to send mail on the incoming port 25.
• Enabling Postscreen will automatically enable the submission port (587) if it is not currently enabled.
Postscreen blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as inexpensive as possible. More information about Postscreen can be found here.
postscreen - postscreen
Enable or disable the Postscreen spambot protection service. Remember that mail clients will not be permitted to send through port 25 when Postscreen is enabled, so make sure that all of your mail clients are sending using the submission port 587 (or SMTPS port 465) before enabling it.
Default: 0
postscreen_dnsbl_sites - postscreen_dnsbl_sites
A list of DNS white/blacklist domains, filters and weight factors. When the list is non-empty, the dnsblog daemon will query these domains with the IP addresses of remote SMTP clients, and postscreen will update an SMTP client's DNSBL score with each non-error reply. Caution: when postscreen rejects mail, it replies with the DNSBL domain name. Use the postscreen_dnsbl_reply_map feature to hide API key information in DNSBL domain names.
Default: empty
postscreen_access_list - postscreen_access_list
A permanent allow/denylist for remote SMTP client IP addresses.
Default: permit_mynetworks
postscreen_blacklist_action - postscreen_blacklist_action
The action that postscreen takes when an SMTP client is permanently denied by the postscreen access list.
Default: enforce
postscreen_greet_action - postscreen_greet_action
The action that postscreen takes when an SMTP client speaks before its turn within the time specified.
Default: enforce
postscreen_dnsbl_action - postscreen_dnsbl_action
The action that postscreen takes when an SMTP client's combined DNSBL score is equal to or greater than the postscreen_dnsbl_threshold.
Default: enforce
postscreen_dnsbl_reply_map - postscreen_dnsbl_reply_map
A mapping from an actual DNSBL domain name which includes a secret password or API key, to the DNSBL domain name that postscreen will reply with when it rejects mail. When no mapping is found, the actual DNSBL domain will be used. For maximal stability it is best to use a file that is read into memory such as pcre:, regexp: or texthash:.
Default: empty
postscreen_dnsbl_threshold - postscreen_dnsbl_threshold
The inclusive lower bound for blocking an SMTP client, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter.
Default: 1
postscreen_dnsbl_whitelist_threshold - postscreen_dnsbl_whitelist_threshold
Allow a remote SMTP client to skip the "before" and "after 220 greeting" protocol tests, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter. Specify a negative value to enable this feature. When a client passes this threshold (the same parameter is named postscreen_dnsbl_allowlist_threshold in newer Postfix releases) without having failed other tests, all pending or disabled tests are flagged as completed with an expiration time based on the DNS reply TTL. When a test was already completed, its expiration time is updated if it was less than the value based on the DNS reply TTL.
Default: 0