Mail Server Settings

• Admins can press the "Default" button to apply the recommended SMTPD restrictions.
• Admins can press the "Clear" button on to remove the recommended SMTPD restrictions.
• Admins can whitelist a server from these SMTPD restrictions under Warden -> Settings -> Mail Server Access -> Client Access.

Postfix allows you to specify lists of access restrictions for each stage of the SMTP conversation. More detailed documentation can be found on the Postfix website: Postfix SMTP relay and access control.

SMTPD delay reject - smtpd_delay_reject
Wait until the RCPT TO command before evaluating smtpd_client_restrictions, smtpd_helo_restrictions and smtpd_sender_restrictions, or wait until the ETRN command before evaluating smtpd_client_restrictions and smtpd_helo_restrictions. This should always be enabled because some clients mis-behave when the Postfix SMTP server rejects commands before RCPT TO. It also allows Postfix to log recipient address information when rejecting a client name/address or sender address, so that it is possible to find out whose mail is being rejected.
Default: yes

SMTPD HELO required - smtpd_helo_required
Require that a remote SMTP client introduces itself with the HELO or EHLO command before sending the MAIL command or other commands that require EHLO negotiation. This is required when using smtpd_helo_restrictions otherwise clients would be able to bypass those restrictions.
Default: yes

SMTPD client restrictions - smtpd_client_restrictions
Restrictions that the Postfix SMTP server applies in the context of a client connection request. Mail rejected by these restrictions can be found under Logs -> Reject Log -> Client host rejected.
Default: permit_mynetworks, permit_sasl_authenticated, reject_unknown_reverse_client_hostname

SMTPD HELO restrictions - smtpd_helo_restrictions
Restrictions that the Postfix SMTP server applies in the context of a client HELO/EHLO command. Mail rejected by these restrictions can be found under Logs -> Reject Log -> Helo command rejected.
Default: permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname

SMTPD sender restrictions - smtpd_sender_restrictions
Restrictions that the Postfix SMTP server applies in the context of a client MAIL FROM command. Mail rejected by these restrictions can be found under Logs -> Reject Log -> Sender address rejected.
Default: check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, reject_unknown_sender_domain

SMTPD recipient restrictions - smtpd_recipient_restrictions
Restrictions that the Postfix SMTP server applies in the context of a client RCPT TO command, after smtpd_relay_restrictions. Mail rejected by these restrictions can be found under Logs -> Reject Log -> Recipient address rejected. Default: permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_recipient_domain

SMTPD data restrictions - smtpd_data_restrictions
Restrictions that the Postfix SMTP server applies in the context of the SMTP DATA command. Mail rejected by these restrictions can be found under Logs -> Reject Log -> Data command rejected.
Default: permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining

Unknown client reject code - unknown_client_reject_code
The numerical SMTP server response code when a client without valid address <=> name mapping is rejected by the reject_unknown_client restriction. The SMTP server always replies with 450 when the mapping failed due to a temporary error condition.
Default: 450

Unknown address reject code - unknown_address_reject_code
The numerical SMTP server response code when a sender or recipient address is rejected by the reject_unknown_sender_domain or reject_unknown_recipient_domain restriction.
Default: 450

SMTPD Restrictions

SMTPD restrictions options are processed from left to right so ordering is important. The permit_mynetworks option is an important boundry between clients on your internal network and clients outside. Options that appear before permit_mynetworks apply to both internal and external clients while those after permit_mynetworks apply to external clients only. The permit_sasl_authenticated option is for authenticated clients sending though your server.

SMTPD client restrictions

SMTPD HELO restrictions

SMTPD sender restrictions

SMTPD recipient restrictions

SMTPD data Restrictions

DNSBLs

• It is recommended that users setup a local DNS recolver to speed up DNS queries. See here for more information.
• Do not use the RBL zen.spamhaus.org if your server uses public DNS resolvers like Google, Quad9, Cloudflare DNS or via any DNS server that is attempting a high volume of queries against Spamhaus without being registered with them. If you do, you risk the queries triggering blocks simply due to the sheer volume of DNS traffic Spamhaus is receiving. Meaning you'll end up blocking mail that wasn't spam and that you probably didn't mean to block. See here for more information.
• Admins can whitelist a server from these DNSBLs under Warden -> Settings -> Mail Server Access -> Client Access. See here for more information.

dnsbl - dnsbl
Enable or disable the spam protection based on DNS blackhole lists.
Default: 0

dnsbl_sites - dnsbl_sites
A list of DNS block lists to use for spam protection.
Default: empty

Postscreen

• Use the following KB article for detailed information on how to set up and use Postscreen: https://www.danami.com/clients/knowledgebase/292/How-can-I-enable-Postscreen-to-protect-against-mail-server-overload.html
• When the Postscreen service is enabled, your users must use the submission port 587 (TLS) or 465 (SSL) to send email, port 25 will be used by the Postscreen service to accept emails sent from other mail servers (not submitted by end users).
• Enabling Postscreen will automatically enable the submission port 587 (TLS) if it is not currently enabled.
• Mail sent using the PHP mail function/sendmail should not be affected.

Postscreen blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as inexpensive as possible. More information about Postscreen can be found here.

Postscreen - postscreen
Enable or disable the Postscreen spambot protection service. Remember that mail clients will not be permitted to send though port 25 when Postscreen is enabled so make sure that all of your mail clients are sending using the submission port 587 before enabling it.
Default: 0

Postscreen dnsbl sites - postscreen_dnsbl_sites
A list of DNS white/blacklist domains, filters and weight factors. When the list is non-empty, the dnsblog daemon will query these domains with the IP addresses of remote SMTP clients, and postscreen will update an SMTP clients DNSBL score with each non-error reply. Caution: when postscreen rejects mail, it replies with the DNSBL domain name. Use the postscreen_dnsbl_reply_map option to hide API key information in DNSBL domain names.
Default: empty
Example: b.barracudacentral.org,psbl.surriel.com

Example Using Strict DNSBLs (recommended)

This example allows us to use strict DNSBLs which normally have false positives. We can give them a lower weighting so that two strict DNSBLs must match before we trigger a block. We set the Postscreen DNSBL threshold to 3 points: b.barracudacentral.org has a weight of 3, psbl.surriel.com has a weight of 3, bl.spamcop.net has a weight of 2, spam.spamrats.com has a weight of 2, bl.mailspike.net has a weight of 2. If the combined score is equal to or greater than 3, Postscreen would reject the SMTP client.

Postscreen DNSBL threshhold: 3
Postscreen DNSBL sites: b.barracudacentral.org=127.0.0.[2..11]*3, psbl.surriel.com*3, bl.spamcop.net*2, spam.spamrats.com*2, bl.mailspike.net*2

Example Using Strict DNSBLs with Whitelising

This example allows us to use swl.spamhaus.org and list.dnswl.org for whitelisting (do not use swl.spamhaus.org if you are using free DNS resolvers). We set the Postscreen DNSBL threshold to 3 points: b.barracudacentral.org has a weight of 3, psbl.surriel.com has a weight of 3, bl.spamcop.net has a weight of 2, spam.spamrats.com has a weight of 2, swl.spamhaus.org has a weight of -4, list.dnswl.org has a weight of -2, -4, or -6 depending on the response code returned. If the combined score is equal to or greater than 3, Postscreen would reject the SMTP client. If the combined score is lower than 0 (the default postscreen_dnsbl_allowlist/whitelist_threshold) then Postscreen would whitelist the SMTP client.

Postscreen DNSBL threshhold: 3
Postscreen DNSBL sites: b.barracudacentral.org=127.0.0.[2..11]*3, psbl.surriel.com*3, bl.spamcop.net*2, spam.spamrats.com*2, swl.spamhaus.org*-4, list.dnswl.org=127.[0..255].[0..255].0*-2, list.dnswl.org=127.[0..255].[0..255].1*-4, list.dnswl.org=127.[0..255].[0..255].[2..3]*-6

Postscreen access list - postscreen_access_list
A permanent allow/denylist for remote SMTP client IP addresses.
Default: permit_mynetworks

Postscreen blacklist action - postscreen_blacklist_action
The action that postscreen takes when an SMTP client is permanently denied with the Postcreen access list.
Default: enforce

Postscreen greet action - postscreen_greet_action
The action that postscreen takes when an SMTP client speaks before its turn within the time specified.
Default: enforce

Postscreen dnsbl action - postscreen_dnsbl_action
The action that postscreen takes when an SMTP clients combined DNSBL score is equal to or greater than a threshold.
Default: enforce

Postscreen dnsbl reply map - postscreen_dnsbl_reply_map
A mapping from an actual DNSBL domain name which includes a secret password or API key, to the DNSBL domain name that postscreen will reply with when it rejects mail. When no mapping is found, the actual DNSBL domain will be used. For maximal stability it is best to use a file that is read into memory such as pcre:, regexp: or texthash:
Default: empty
Example: texthash:/etc/postfix/dnsbl_reply_map
Contents of /etc/postfix/dnsbl_reply_map (replace secret with API key):

secret.zen.spamhaus.org      zen.spamhaus.org  

Postscreen dnsbl threshold - postscreen_dnsbl_threshold
The inclusive lower bound for blocking an SMTP client, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter.
Default: 1

Postscreen dnsbl allowlist/whitelist threshold - postscreen_dnsbl_allowlist/whitelist_threshold
Allow a remote SMTP client to skip "before" and "after 220 greeting" protocol tests, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter. When a client passes the postscreen_dnsbl_allowlist_threshold/postscreen_dnsbl_whitelist_threshold without having failed other tests, all pending or disabled tests are flagged as completed with an expiration time based on the DNS reply TTL. When a test was already completed, its expiration time is updated if it was less than the value based on the DNS reply TTL.
Default: 0

Related Pages

• Mail Server Checks
• Mail Server Access