Postfix Configuration - UCE Controls

Up one level | Basic Configuration | UCE Controls | Rate Controls | Resource Controls | Address Manipulation

Introduction

Postfix offers a variety of parameters that limit the delivery of unsolicited commercial email (UCE).

By default, the Postfix SMTP server will accept mail only from or to the local network or domain, or to domains that are hosted by Postfix, so that your system can't be used as a mail relay to forward bulk mail from random strangers.

The text in this document describes how you can set up more detailed anti-UCE policies that prevent delivery of unwanted email altogether, for example with sendmail-style access lists or with RBL (real-time blackhole list) name servers.

Unless indicated otherwise, all parameters described here are in the main.cf file. If you change parameters of a running Postfix system, don't forget to issue a postfix reload command.

Header filtering

The header_checks parameter restricts what is allowed in message headers.

Default:
Allow anything in message headers.

Syntax:
Specify a list of zero or more lookup tables. Whenever a header matches a table, a REJECT result means reject the message.

At present, specifying a header pattern with OK serves no useful purpose. A rule ending in OK affects only the header being matched. The next header may still result in a REJECT match, causing the mail still to be rejected.

Examples (main.cf):
header_checks = regexp:/etc/postfix/header_checks
header_checks = pcre:/etc/postfix/header_checks

Example (header_checks):
/^to: *friend@public\.com$/ REJECT

Client hostname/address restrictions

The smtpd_client_restrictions parameter restricts what clients this system accepts SMTP connections from.

Default:
smtpd_client_restrictions =

Allow SMTP connections from any client.

Syntax:
Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order as specified; the first restriction that matches wins.

Examples:
smtpd_client_restrictions = hash:/etc/postfix/access, reject_maps_rbl
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client

Restrictions:

reject_unknown_client
Reject the request when the client IP address has no PTR record in the DNS. The unknown_client_reject_code parameter specifies the response code to rejected requests (default: 450).

permit_mynetworks
Permit the request when the client IP address matches any network listed in $mynetworks.

check_client_access maptype:mapname
maptype:mapname
Search the named access database for the client hostname, parent domains, client IP address, or networks obtained by stripping least significant octets. Reject the request if the result is REJECT or "[45]XX text". Permit the request if the result is OK or RELAY or all-numerical. Otherwise, treat the result as another list of UCE restrictions. The access_map_reject_code parameter specifies the response code for REJECT results (default: 554).

reject_maps_rbl
Reject the request when the client network address is listed under any of the domains listed in $maps_rbl_domains. The maps_rbl_reject_code parameter specifies the response code for rejected requests (default: 554).

permit
reject
reject_unauth_pipelining
See generic restrictions.

Require HELO (EHLO) command

The smtpd_helo_required parameter determines if clients must send a HELO (or EHLO) command at the beginning of an SMTP session. Requiring this will stop some UCE software.

Default:
smtpd_helo_required = no

By default, the Postfix SMTP server does not require the use of HELO (EHLO).

Syntax:
Specify yes or no.

Example:
smtpd_helo_required = yes

HELO (EHLO) hostname restrictions

The smtpd_helo_restrictions parameter restricts what hostnames clients may send with the HELO (EHLO) command. Some UCE software can be stopped by being strict here.
Default:
smtpd_helo_restrictions =

By default, the Postfix SMTP server accepts any garbage in the HELO (EHLO) command. There is a lot of broken or misconfigured software on the Internet.

Syntax:
Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order as specified; the first restriction that matches wins.

In addition to restrictions that are specific to HELO (EHLO) command parameters, you can also specify restrictions based on the client hostname or network address.

Example:
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname

Restrictions:

reject_invalid_hostname
Reject the request when the client HELO or EHLO parameter has a bad hostname syntax. The invalid_hostname_reject_code specifies the response code to rejected requests (default: 501).

permit_naked_ip_address
Permit the request when the client HELO (EHLO) command contains a naked IP address without the enclosing [] brackets that the RFC requires. Unfortunately, some popular PC mail clients send HELO greetings in this manner.

reject_unknown_hostname
Reject the request when the hostname in the client HELO (EHLO) command has no DNS A or MX record. The unknown_hostname_reject_code specifies the response code to rejected requests (default: 450).

reject_non_fqdn_hostname
Reject the request when the hostname in the client HELO (EHLO) command is not in fully-qualified domain form, as required by the RFC. The non_fqdn_reject_code specifies the response code to rejected requests (default: 504).

check_helo_access maptype:mapname
maptype:mapname
Search the named access database for the HELO hostname or parent domains in the specified table. Reject the request if the result is REJECT or "[45]XX text". Permit the request when the result is OK or RELAY or all-numerical. Otherwise, treat the result as another list of UCE restrictions. The access_map_reject_code parameter specifies the response code for REJECT results (default: 554).

reject_maps_rbl
reject_unknown_client
permit_mynetworks
check_client_access maptype:mapname
See client hostname/address restrictions.

permit
reject
reject_unauth_pipelining
See generic restrictions.

Require strict RFC 821-style envelope addresses

The strict_rfc821_envelopes parameter controls how tolerant Postfix is with respect to addresses given in MAIL FROM or RCPT TO commands. Unfortunately, the widely-used Sendmail program tolerates lots of non-standard behavior, so a lot of software expects to get away with it. Being strict to the RFC not only stops unwanted mail, it also blocks legitimate mail from poorly-written mail applications.

Default:
strict_rfc821_envelopes = no

By default, the Postfix SMTP server accepts any address form that it can make sense of, including address forms that contain RFC 822-style comments, or addresses not enclosed in <>. There is a lot of broken or misconfigured software out there on the Internet.

Example:
strict_rfc821_envelopes = yes

Sender address restrictions

The smtpd_sender_restrictions parameter restricts what sender addresses this system accepts in MAIL FROM commands.

Default:
smtpd_sender_restrictions =

By default, the Postfix SMTP server accepts any sender address.

Syntax:
Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order as specified; the first restriction that matches wins.

In addition to restrictions that are specific to sender mail addresses, you can also specify restrictions based on the information passed with the HELO/EHLO command, and on the client hostname or network address.

Example:
smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain

Restrictions:
reject_unknown_sender_domain
Reject the request when the sender mail address has no DNS A or MX record. The unknown_address_reject_code parameter specifies the response code for rejected requests (default: 450). The response is always 450 in case of a temporary DNS error.

check_sender_access maptype:mapname
maptype:mapname
Search the named access database for the sender mail address, parent domain, or localpart@. Reject the request if the result is REJECT or "[45]XX text". Permit the request if the result is OK or RELAY or all-numerical. Otherwise, treat the result as another list of UCE restrictions. The access_map_reject_code parameter specifies the result code for rejected requests (default: 554).

reject_non_fqdn_sender
Reject the request when the address in the client MAIL FROM command is not in fully-qualified domain form. The non_fqdn_reject_code specifies the response code to rejected requests (default: 504).

permit_naked_ip_address
reject_invalid_hostname
reject_unknown_hostname
reject_non_fqdn_hostname
check_helo_access maptype:mapname
See HELO (EHLO) hostname restrictions.

reject_maps_rbl
reject_unknown_client
permit_mynetworks
check_client_access maptype:mapname
See client hostname/address restrictions.

permit
reject
reject_unauth_pipelining
See generic restrictions.

Recipient address restrictions

The smtpd_recipient_restrictions parameter restricts what recipient addresses this system accepts in RCPT TO commands.
Default:
smtpd_recipient_restrictions = permit_mynetworks, check_relay_domains

By default, the Postfix SMTP server relays mail:

  • from trusted clients whose IP address matches $mynetworks,
  • from trusted clients whose hostname matches $relay_domains or a subdomain thereof,
  • from untrusted clients to destinations that match $relay_domains or a subdomain thereof, except for addresses that contain sender-specified routing (user@elsewhere@domain).

In addition to the above, the Postfix SMTP server by default accepts mail for which Postfix is the final destination:

Syntax:
Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order as specified; the first restriction that matches wins.

In addition to restrictions that are specific to recipient mail addresses, you can also specify restrictions based on the sender mail address, on the information passed with the HELO/EHLO command, and on the client hostname or network address.

Example:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

Note: you must specify at least one of the following restrictions: reject, check_relay_domains or reject_unauth_destination. Postfix will refuse to receive mail otherwise.

Restrictions:
check_relay_domains
Permit the request when one of the following is true: Otherwise reject the request. The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 554).

permit_auth_destination
Ignore the client hostname. Permit the request when one of the following is true: Otherwise proceed with the next restriction.

reject_unauth_destination
Ignore the client hostname. Reject the request unless one of the following is true: The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 554).

permit_mx_backup
Permit the request when the local mail system is MX host for the resolved destination. This includes the case that the local mail system is the final destination. However, the SMTP server will not forward mail with addresses that have sender-specified routing information (example: user@elsewhere@domain),

Relevant configuration parameters: $mydestination, $inet_interfaces.

check_recipient_access maptype:mapname
maptype:mapname
Search the named access database for the resolved destination address, parent domain, or localpart@. Reject the request if the result is REJECT or "[45]XX text". Permit the request if the result is OK or RELAY or all-numerical. Otherwise, treat the result as another list of UCE restrictions. The access_map_reject_code parameter specifies the result code for rejected requests (default: 554).

reject_unknown_recipient_domain
Reject the request when the recipient mail address has no DNS A or MX record. The unknown_address_reject_code parameter specifies the response code for rejected requests (default: 450). The response is always 450 in case of a temporary DNS error.

reject_non_fqdn_recipient
Reject the request when the address in the client RCPT TO command is not in fully-qualified domain form. The non_fqdn_reject_code specifies the response code to rejected requests (default: 504).

reject_unknown_sender_domain
reject_non_fqdn_sender
check_sender_access maptype:mapname
See sender address restrictions.

permit_naked_ip_address
reject_invalid_hostname
reject_unknown_hostname
reject_non_fqdn_hostname
check_helo_access maptype:mapname
See HELO (EHLO) hostname restrictions.

reject_maps_rbl
reject_unknown_client
permit_mynetworks
check_client_access maptype:mapname
See client hostname/address restrictions.

permit
reject
reject_unauth_pipelining
See generic restrictions.

ETRN command restrictions

Not really an UCE restriction, the smtpd_etrn_restrictions parameter restricts what domains can be specified in ETRN commands, and what clients can issue ETRN commands.
Default:
smtpd_etrn_restrictions =

By default, the Postfix SMTP server accepts any ETRN command from any client.

Syntax:
Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order as specified; the first restriction that matches wins.

In addition to restrictions that are specific to ETRN domain names, you can also specify restrictions based on the information passed with the HELO/EHLO command, and on the client hostname or network address.

Example:
smtpd_etrn_restrictions = permit_mynetworks, hash:/etc/postfix/etrn_access, reject

Restrictions:
check_etrn_access maptype:mapname
maptype:mapname
Search the named access database for the domain specified in the ETRN command, or its parent domains. Reject the request if the result is REJECT or "[45]XX text". Permit the request if the result is OK or RELAY or all-numerical. Otherwise, treat the result as another list of UCE restrictions. The access_map_reject_code parameter specifies the result code for rejected requests (default: 554).

permit_naked_ip_address
reject_invalid_hostname
reject_unknown_hostname
check_helo_access maptype:mapname
See HELO (EHLO) hostname restrictions.

reject_maps_rbl
reject_unknown_client
permit_mynetworks
check_client_access maptype:mapname
See client hostname/address restrictions.

permit
reject
reject_unauth_pipelining
See generic restrictions.

Generic restrictions

The following restrictions can use used for client hostnames or addresses, for HELO (EHLO) hostnames, for sender mail addresses and for recipient mail addresses.
Restrictions:

permit
Permit the request. This restriction is useful at the end of a restriction list, to make the default policy explicit.

reject
Reject the request. This restriction is useful at the end of a restriction list, to make the default policy explicit. The reject_code configuration parameter specifies the response code to rejected requests (default: 554).

reject_unauth_pipelining
Reject the request when the client sends SMTP commands ahead of time without knowing that Postfix actually supports SMTP command pipelining. This stops mail from bulk mail software that improperly uses SMTP command pipelining to speed up deliveries.

Additional UCE control parameters

maps_rbl_domains
This parameter controls the behavior of the reject_maps_rbl restriction that can appear as part of a client hostname/address restriction list.

Default:
maps_rbl_domains = rbl.maps.vix.com, dul.maps.vix.com

Note: RBL lookups are disabled by default.

Syntax:
Zero or more DNS domains that blacklist client IP addresses. A host is blacklisted when its reversed IP address is listed as a subdomain under any of the domains listed in $maps_rbl_domains.

relay_domains
This parameter controls the behavior of the check_relay_domains, reject_unauth_destination and permit_auth_destination restrictions that can appear as part of a recipient address restriction list.

Default:
relay_domains = $mydestination

By default, the Postfix SMTP server relays mail:

  • from trusted clients whose IP address matches $mynetworks,
  • from trusted clients whose hostname matches $relay_domains or a subdomain thereof,
  • from untrusted clients to destinations that match $relay_domains or a subdomain thereof, except for addresses that contain sender-specified routing (user@elsewhere@domain).

Syntax:
Specify zero or more domain names, /file/name patterns and/or type:name lookup tables, separated by whitespace and/or commas. A /file/name is replaced by its contents; type:name requests that table lookup is done instead of string comparison.

A host or destination address matches $relay_domains when its name or parent domain matches any of the names, files or lookup tables listed in $relay_domains.

Up one level | Basic Configuration | UCE Controls | Rate Controls | Resource Controls | Address Manipulation