Postfix Configuration - UCE Controls



Introduction

Postfix offers a variety of parameters that limit the delivery of unsolicited commercial email (UCE).

By default, the Postfix SMTP server will accept mail only from or to the local network or domain, so that your system can't be used as a mail relay to forward bulk mail from random strangers.

The text in this document describes how you can set up more detailed anti-UCE policies that prevent delivery of unwanted email altogether, for example with sendmail-style access lists or with RBL (real-time blackhole list) name servers.

Unless indicated otherwise, all parameters described here are in the main.cf file. If you change parameters of a running Postfix system, don't forget to issue a postfix reload command.

Header filtering

The header_checks parameter restricts what is allowed in message headers.

Default:
Allow anything in message headers.

Syntax:
Specify a list of zero or more lookup tables. Whenever a header matches a table, a REJECT result means reject the message.

A rule ending in OK affects only the header being matched. A later header may still produce a REJECT match, in which case the message is still rejected.

Examples:
header_checks = regexp:/etc/postfix/header_checks
header_checks = pcre:/etc/postfix/header_checks
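
The REJECT and OK semantics described above, as an added Python model (not Postfix code and not from the original page). The rule patterns and sample headers are constructed, and treating the first matching rule as decisive for each header is an assumption.

```python
import re

# Constructed rules modelled on a header_checks table: (pattern, result).
RULES = [
    (re.compile(r"^Received:", re.I), "OK"),       # never reject on a Received: line
    (re.compile(r"money.fast", re.I), "REJECT"),   # reject on this phrase anywhere
]

def check_headers(headers, rules=RULES):
    """Return ("REJECT", offending_header) or ("ACCEPT", None)."""
    for header in headers:
        for pattern, result in rules:
            if pattern.search(header):
                if result == "REJECT":
                    return ("REJECT", header)  # one REJECT rejects the whole message
                break                          # OK covers this header only; go on
    return ("ACCEPT", None)

# Constructed sample messages (header lines only).
CLEAN = [
    "Received: from money-fast.example.net by mx.example.org",
    "Subject: Quarterly report",
]
SPAM = [
    "Received: from money-fast.example.net by mx.example.org",
    "Subject: Make money fast!!!",
]

if __name__ == "__main__":
    print(check_headers(CLEAN))             # OK rule shields the Received: line
    print(check_headers(SPAM))              # Subject: still triggers REJECT
    print(check_headers(CLEAN, RULES[1:]))  # without the OK rule, Received: is rejected
```
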

Client name/address restrictions

The smtpd_client_restrictions parameter restricts what clients this system accepts SMTP connections from.

Default:
Allow SMTP connections from any client.

Syntax:
Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order specified; the first restriction that matches wins.

Examples:
smtpd_client_restrictions = hash:/etc/postfix/access, reject_maps_rbl
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client

Restrictions:

reject_unknown_client
Reject the request when the client address-to-name lookup fails. The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450).

permit_mynetworks
Permit the request when the client address matches any network listed in $mynetworks.

check_client_access maptype:mapname
maptype:mapname
Search the named access database for the client name, parent domains, client address, or networks obtained by stripping least significant octets. Reject the request if the result is REJECT or "[45]XX text". Permit the request if the result is anything else. The access_map_reject_code parameter specifies the response code for REJECT results (default: 554).

reject_maps_rbl
Reject the request when the client network address is listed under any of the domains listed in $maps_rbl_domains. The maps_rbl_reject_code parameter specifies the response code for rejected requests (default: 554).

permit
reject
reject_unauth_pipelining
See generic restrictions.

Require HELO (EHLO) command

The smtpd_helo_required parameter determines if clients must send a HELO (EHLO) command at the beginning of an SMTP session. Requiring this will stop some UCE software.

Default:
By default, the Postfix SMTP server does not require the use of HELO (EHLO).

Syntax:
Specify yes or no.

Example:
smtpd_helo_required = yes

HELO (EHLO) hostname restrictions

The smtpd_helo_restrictions parameter restricts what hostnames clients may send with the HELO (EHLO) command. Some UCE software can be stopped by being strict here.

Default:
By default, the Postfix SMTP server accepts any hostname.

Syntax:
Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order specified; the first restriction that matches wins.

In addition to restrictions that are specific to HELO (EHLO) command parameters, you can also specify restrictions based on the client hostname or network address.

Example:
smtpd_helo_restrictions = reject_invalid_hostname

Restrictions:

reject_invalid_hostname
Reject the request when the client HELO (EHLO) command has bad hostname syntax. The invalid_hostname_reject_code parameter specifies the response code for rejected requests (default: 501).

permit_naked_ip_address
Permit the request when the client HELO (EHLO) command contains a naked IP address without the enclosing [] brackets that the RFC requires. Unfortunately, some popular PC mail clients send HELO greetings in this manner.

reject_unknown_hostname
Reject the request when the hostname in the client HELO (EHLO) command has no DNS A or MX record. The unknown_hostname_reject_code parameter specifies the response code for rejected requests (default: 450).

reject_non_fqdn_hostname
Reject the request when the hostname in the client HELO (EHLO) command is not in fully-qualified domain form. The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504).

check_helo_access maptype:mapname
maptype:mapname
Search the named access database for the HELO hostname or parent domains in the specified table. Reject the request if the result is REJECT or "[45]XX text". Permit the request when the result is anything else. The access_map_reject_code parameter specifies the response code for REJECT results (default: 554).

reject_maps_rbl
reject_unknown_client
permit_mynetworks
check_client_access maptype:mapname
See client name/address restrictions.

permit
reject
reject_unauth_pipelining
See generic restrictions.

Sender address restrictions

The smtpd_sender_restrictions parameter restricts what sender addresses this system accepts in MAIL FROM commands.

Default:
By default, the Postfix SMTP server accepts any sender address.

Syntax:
Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order specified; the first restriction that matches wins.

In addition to restrictions that are specific to sender mail addresses, you can also specify restrictions based on the information passed with the HELO/EHLO command, and on the client hostname or network address.

Example:
smtpd_sender_restrictions = reject_unknown_sender_domain

Restrictions:

reject_unknown_sender_domain
Reject the request when the sender mail address has no DNS A or MX record. The unknown_address_reject_code parameter specifies the response code for rejected requests (default: 450). The response is always 450 in case of a temporary DNS error.

check_sender_access maptype:mapname
maptype:mapname
Search the named access database for the sender mail address, parent domain, or localpart@. Reject the request if the result is REJECT or "[45]XX text". Permit the request if the result is anything else. The access_map_reject_code parameter specifies the result code for rejected requests (default: 554).

reject_non_fqdn_sender
Reject the request when the address in the client MAIL FROM command is not in fully-qualified domain form. The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504).

permit_naked_ip_address
reject_invalid_hostname
reject_unknown_hostname
reject_non_fqdn_hostname
check_helo_access maptype:mapname
See HELO (EHLO) hostname restrictions.

reject_maps_rbl
reject_unknown_client
permit_mynetworks
check_client_access maptype:mapname
See client name/address restrictions.

permit
reject
reject_unauth_pipelining
See generic restrictions.

Recipient address restrictions

The smtpd_recipient_restrictions parameter restricts what recipient addresses this system accepts in RCPT TO commands.

Default:
By default, the Postfix SMTP server forwards mail from any client that matches $mynetworks or $relay_domains, or to any destination that matches $relay_domains.

Syntax:
Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order specified; the first restriction that matches wins.

In addition to restrictions that are specific to recipient mail addresses, you can also specify restrictions based on the sender mail address, on the information passed with the HELO/EHLO command, and on the client hostname or network address.

Example:
smtpd_recipient_restrictions = permit_mynetworks, check_relay_domains
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

Restrictions:

check_relay_domains
Permit the request when the client hostname matches $relay_domains, or when the resolved destination address matches $relay_domains, otherwise reject. The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 554).

reject_unauth_destination
Ignore the client hostname. Reject the request when the resolved destination address does not match $relay_domains. The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 554).

permit_mx_backup
Permit the request when the local mail system is MX host for the resolved destination. This includes the case that the local mail system is the final destination. Relevant configuration parameters: $mydestination, $inet_interfaces.

check_recipient_access maptype:mapname
maptype:mapname
Search the named access database for the resolved destination address, parent domain, or localpart@. Reject the request if the result is REJECT or "[45]XX text". Permit the request if the result is anything else. The access_map_reject_code parameter specifies the result code for rejected requests (default: 554).

reject_unknown_recipient_domain
Reject the request when the recipient mail address has no DNS A or MX record. The unknown_address_reject_code parameter specifies the response code for rejected requests (default: 450). The response is always 450 in case of a temporary DNS error.

reject_non_fqdn_recipient
Reject the request when the address in the client RCPT TO command is not in fully-qualified domain form. The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504).

reject_unknown_sender_domain
reject_non_fqdn_sender
check_sender_access maptype:mapname
See sender address restrictions.

permit_naked_ip_address
reject_invalid_hostname
reject_unknown_hostname
reject_non_fqdn_hostname
check_helo_access maptype:mapname
See HELO (EHLO) hostname restrictions.

reject_maps_rbl
reject_unknown_client
permit_mynetworks
check_client_access maptype:mapname
See client name/address restrictions.

permit
reject
reject_unauth_pipelining
See generic restrictions.

ETRN command restrictions

Although it is not really a UCE restriction, the smtpd_etrn_restrictions parameter restricts what domains may be specified in ETRN commands, and what clients may issue ETRN commands.

Default:
By default, the Postfix SMTP server accepts any ETRN command from any client.

Syntax:
Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order specified; the first restriction that matches wins.

In addition to restrictions that are specific to ETRN domain names, you can also specify restrictions based on the information passed with the HELO/EHLO command, and on the client hostname or network address.

Example:
smtpd_etrn_restrictions = permit_mynetworks, reject

Restrictions:

check_etrn_access maptype:mapname
maptype:mapname
Search the named access database for the domain specified in the ETRN command, or its parent domains. Reject the request if the result is REJECT or "[45]XX text". Permit the request if the result is anything else. The access_map_reject_code parameter specifies the result code for rejected requests (default: 554).

permit_naked_ip_address
reject_invalid_hostname
reject_unknown_hostname
check_helo_access maptype:mapname
See HELO (EHLO) hostname restrictions.

reject_maps_rbl
reject_unknown_client
permit_mynetworks
check_client_access maptype:mapname
See client name/address restrictions.

permit
reject
reject_unauth_pipelining
See generic restrictions.

Generic restrictions

The following restrictions can be used for client hostnames or addresses, for HELO (EHLO) hostnames, for sender mail addresses and for recipient mail addresses.

Restrictions:

permit
Permit the request. This restriction is useful at the end of a restriction list, to make the default policy explicit.

reject
Reject the request. This restriction is useful at the end of a restriction list, to make the default policy explicit. The reject_code configuration parameter specifies the response code for rejected requests (default: 554).

reject_unauth_pipelining
Reject the request when the client sends SMTP commands ahead of time without knowing that Postfix actually supports SMTP command pipelining. This stops mail from bulk mail software that improperly uses SMTP command pipelining to speed up deliveries.

Additional UCE control parameters

maps_rbl_domains
This parameter controls the behavior of the reject_maps_rbl restriction that can appear as part of a client name/address restriction list.

Default:
maps_rbl_domains = rbl.maps.vix.com, dul.maps.vix.com

Note: RBL lookups are disabled by default.

Syntax:
Zero or more DNS domains that blacklist client addresses. A host is blacklisted when its reversed IP address is listed as a subdomain under any of the domains listed in $maps_rbl_domains.
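
How the example list smtpd_client_restrictions = hash:/etc/postfix/access, reject_maps_rbl reaches a decision, as an added Python model (not Postfix code and not from the original page). It covers both the access-map search order described under client name/address restrictions and the reversed-address RBL names described here. The table entries, the LISTED set standing in for DNS, IPv4-only handling, and falling through to the next restriction when no access entry is found are assumptions.

```python
import re

ACCESS = {                       # constructed stand-in for hash:/etc/postfix/access
    "partner.example": "OK",
    "bulk.example": "550 No bulk mail accepted",
    "192.0.2": "REJECT",
}
RBL_DOMAINS = ["rbl.maps.vix.com", "dul.maps.vix.com"]  # default shown on this page
LISTED = {"7.113.0.203.rbl.maps.vix.com"}  # constructed: names DNS would resolve

def access_keys(name, addr):
    """Client name, parent domains, address, then networks with octets stripped."""
    labels, octets = name.split("."), addr.split(".")
    names = [".".join(labels[i:]) for i in range(len(labels))]
    nets = [".".join(octets[:n]) for n in range(4, 0, -1)]
    return names + nets

def check_client_access(name, addr, table=ACCESS):
    for key in access_keys(name, addr):
        if key in table:
            bad = table[key] == "REJECT" or re.match(r"[45]\d\d\b", table[key])
            return "reject" if bad else "permit"
    return None                  # no entry: next restriction decides (assumption)

def rbl_names(addr, domains=RBL_DOMAINS):
    """Reversed IP address as a subdomain under each RBL domain."""
    reversed_ip = ".".join(reversed(addr.split(".")))
    return [f"{reversed_ip}.{d}" for d in domains]

def reject_maps_rbl(name, addr, listed=LISTED):
    return "reject" if any(n in listed for n in rbl_names(addr)) else None

def client_decision(name, addr):
    """Apply the restrictions in order; the first one that matches wins."""
    for restriction in (check_client_access, reject_maps_rbl):
        verdict = restriction(name, addr)
        if verdict:
            return verdict
    return "permit"              # default: allow connections from any client

if __name__ == "__main__":
    for client in [("mail.partner.example", "203.0.113.7"),
                   ("relay.example.net", "203.0.113.7"),
                   ("unknown.example.org", "192.0.2.44")]:
        print(client, client_decision(*client))
```

The first sample client is RBL-listed but still permitted, because its access-map entry matches before reject_maps_rbl is consulted; ordering the list the other way round would reject it.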

relay_domains
This parameter controls the behavior of the check_relay_domains and reject_unauth_destination restrictions that can appear as part of a recipient address restriction list.

Default:
relay_domains = $mydestination, $virtual_maps

Syntax:
Specify zero or more domain names, /file/name patterns and/or type:name lookup tables, separated by whitespace and/or commas. A /file/name is replaced by its contents; type:name requests that table lookup is done instead of string comparison.

A host or destination address matches $relay_domains when its name or parent domain matches any of the names, files or lookup tables listed in $relay_domains.
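
The two recipient restriction examples from this page, compared on the same requests, as an added Python model (not Postfix code and not from the original page). MYNETWORKS, RELAY_DOMAINS and the sample clients are constructed, and permitting a request that reaches the end of the list undecided is an assumption.

```python
import ipaddress

MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed
RELAY_DOMAINS = {"example.org"}                        # constructed

def domain_matches(name, domains=RELAY_DOMAINS):
    """True when the name or one of its parent domains is listed."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def permit_mynetworks(ip, client_host, rcpt_domain):
    inside = any(ipaddress.ip_address(ip) in net for net in MYNETWORKS)
    return "permit" if inside else None

def check_relay_domains(ip, client_host, rcpt_domain):
    # Permits on a matching client hostname OR a matching destination.
    ok = domain_matches(client_host) or domain_matches(rcpt_domain)
    return "permit" if ok else "reject 554"

def reject_unauth_destination(ip, client_host, rcpt_domain):
    # Ignores the client hostname; only the destination is considered.
    return None if domain_matches(rcpt_domain) else "reject 554"

def decide(restrictions, ip, client_host, rcpt_domain):
    """Apply restrictions in order; the first one that matches wins."""
    for restriction in restrictions:
        verdict = restriction(ip, client_host, rcpt_domain)
        if verdict:
            return verdict
    return "permit"   # end of list reached without a decision (assumption)

BY_CLIENT_OR_DEST = [permit_mynetworks, check_relay_domains]
BY_DEST_ONLY = [permit_mynetworks, reject_unauth_destination]

# Constructed request: outside client whose hostname falls under a relay
# domain, sending to a destination that is not a relay domain.
OUTSIDE = ("203.0.113.7", "dialup7.example.org", "elsewhere.example.net")

if __name__ == "__main__":
    print(decide(BY_CLIENT_OR_DEST, *OUTSIDE))   # permitted via client hostname
    print(decide(BY_DEST_ONLY, *OUTSIDE))        # rejected: destination not listed
```
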

