Postfix Configuration - UCE Controls
Up one level | Basic
Configuration | UCE Controls | Rate
Controls | Resource Controls | Address Manipulation
Introduction
Postfix offers a variety of parameters that limit the delivery of
unsolicited commercial email (UCE).
By default, the Postfix SMTP server will
accept mail only from or to the local network or domain, or to
domains that are hosted by Postfix, so that your system can't be
used as a mail relay to forward bulk mail from random strangers.
The text in this document describes how you can set up more detailed
anti-UCE policies that prevent delivery of unwanted email altogether,
for example with sendmail-style access lists or with RBL
(real-time blackhole list) name servers.
Unless indicated otherwise, all parameters described here are
in the main.cf file. If you change parameters of a running
Postfix system, don't forget to issue a postfix reload
command.
Header filtering
The header_checks parameter restricts what
is allowed in message headers.
- Default:
- Allow anything in message headers.
- Syntax:
- Specify a list of zero or more lookup tables. Whenever a header
matches a table, a REJECT result means reject the message.
At present, specifying a header pattern with OK serves no useful
purpose. A rule ending in OK affects only the header being matched.
The next header may still result in a REJECT match, causing the
mail still to be rejected.
Examples (main.cf):
header_checks = regexp:/etc/postfix/header_checks
header_checks = pcre:/etc/postfix/header_checks
Example (header_checks):
/^to: *friend@public\.com$/ REJECT
The smtpd_client_restrictions parameter restricts what
clients this system accepts SMTP connections from.
- Default:
- smtpd_client_restrictions =
- Allow SMTP connections from any client.
- Syntax:
- Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order as
specified; the first restriction that matches wins.
- Examples:
- smtpd_client_restrictions = hash:/etc/postfix/access,
reject_maps_rbl
- smtpd_client_restrictions = permit_mynetworks,
reject_unknown_client
- Restrictions:
- reject_unknown_client
- Reject the request when the
client IP address has no PTR record in the DNS. The
unknown_client_reject_code parameter specifies the response
code to rejected requests (default: 450).
- permit_mynetworks
- Permit the request when the
client IP address matches any network listed in $mynetworks.
- check_client_access maptype:mapname
- maptype:mapname
- Search the named access database for the client hostname, parent
domains, client IP address, or networks obtained by stripping least
significant octets. Reject the request if the result is REJECT
or "[45]XX text". Permit the request if the result
is OK or RELAY or all-numerical. Otherwise, treat the
result as another list of UCE restrictions. The
access_map_reject_code parameter specifies the response code for
REJECT results (default: 554).
- reject_maps_rbl
- Reject the request when the client
network address is listed under any of the domains listed in $maps_rbl_domains. The
maps_rbl_reject_code parameter specifies the response code for
rejected requests (default: 554).
- permit
- reject
- reject_unauth_pipelining
- See generic restrictions.
Require HELO (EHLO) command
The smtpd_helo_required parameter determines if clients must
send a HELO (or EHLO) command at the beginning of an
SMTP session. Requiring this will stop some UCE software.
- Default:
- smtpd_helo_required = no
- By default, the Postfix SMTP server
does not require the use of HELO (EHLO).
- Syntax:
- Specify yes or no.
- Example:
- smtpd_helo_required = yes
HELO (EHLO) hostname restrictions
The smtpd_helo_restrictions parameter restricts what hostnames
clients may send with the HELO (EHLO) command. Some
UCE software can be stopped by being strict here.
- Default:
- smtpd_helo_restrictions =
- By default, the Postfix SMTP server
accepts any garbage in the HELO (EHLO) command. There
is a lot of broken or misconfigured software on the Internet.
- Syntax:
- Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order as
specified; the first restriction that matches wins.
In addition to restrictions that are specific to HELO (EHLO)
command parameters, you can also specify restrictions based
on the client hostname or network address.
- Example:
- smtpd_helo_restrictions = permit_mynetworks,
reject_invalid_hostname
- Restrictions:
- reject_invalid_hostname
- Reject the request when
the client HELO or EHLO parameter has a bad hostname syntax. The
invalid_hostname_reject_code specifies the response code to
rejected requests (default: 501).
- permit_naked_ip_address
- Permit the request when
the client HELO (EHLO) command contains a naked IP address without
the enclosing [] brackets that the RFC requires. Unfortunately,
some popular PC mail clients send HELO greetings in this
manner.
- reject_unknown_hostname
- Reject the request when
the hostname in the client HELO (EHLO) command has no DNS A or MX
record. The unknown_hostname_reject_code specifies the
response code to rejected requests (default: 450).
- reject_non_fqdn_hostname
- Reject the request when
the hostname in the client HELO (EHLO) command is not in fully-qualified
domain form, as required by the RFC. The non_fqdn_reject_code
specifies the response code to rejected requests (default:
504).
- check_helo_access maptype:mapname
- maptype:mapname
- Search the named access database for the HELO hostname
or parent domains in the specified table. Reject the request if
the result is REJECT or "[45]XX text". Permit
the request when the result is OK or RELAY or
all-numerical. Otherwise, treat the result as another list of UCE
restrictions. The access_map_reject_code parameter specifies
the response code for REJECT results (default: 554).
- reject_maps_rbl
- reject_unknown_client
- permit_mynetworks
- check_client_access maptype:mapname
- See client hostname/address restrictions.
- permit
- reject
- reject_unauth_pipelining
- See generic restrictions.
Require strict RFC 821-style envelope addresses
The strict_rfc821_envelopes parameter controls how tolerant
Postfix is with respect to addresses given in MAIL FROM or RCPT TO
commands. Unfortunately, the widely-used Sendmail program tolerates
lots of non-standard behavior, so a lot of software expects to get
away with it. Being strict to the RFC not only stops unwanted
mail, it also blocks legitimate mail from poorly-written mail
applications.
- Default:
- strict_rfc821_envelopes = no
- By default, the Postfix SMTP server
accepts any address form that it can make sense of, including
address forms that contain RFC 822-style comments, or addresses
not enclosed in <>. There is a lot of broken or misconfigured
software out there on the Internet.
- Example:
- strict_rfc821_envelopes = yes
Sender address restrictions
The smtpd_sender_restrictions parameter restricts what sender
addresses this system accepts in MAIL FROM commands.
- Default:
- smtpd_sender_restrictions =
- By default, the Postfix SMTP server
accepts any sender address.
- Syntax:
- Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order as
specified; the first restriction that matches wins.
In addition to restrictions that are specific to sender mail
addresses, you can also specify restrictions based on the information
passed with the HELO/EHLO command, and on the client hostname or
network address.
- Example:
- smtpd_sender_restrictions = hash:/etc/postfix/access,
reject_unknown_sender_domain
- Restrictions:
- reject_unknown_sender_domain
- Reject the request
when the sender mail address has no DNS A or MX record. The
unknown_address_reject_code parameter specifies the response
code for rejected requests (default: 450). The response
is always 450 in case of a temporary DNS error.
- check_sender_access maptype:mapname
- maptype:mapname
- Search the named access database for the sender mail address,
parent domain, or localpart@. Reject the request if the
result is REJECT or "[45]XX text". Permit the
request if the result is OK or RELAY or all-numerical.
Otherwise, treat the result as another list of UCE restrictions. The
access_map_reject_code parameter specifies the result code for
rejected requests (default: 554).
- reject_non_fqdn_sender
- Reject the request when
the address in the client MAIL FROM command is not in fully-qualified
domain form. The non_fqdn_reject_code specifies the
response code to rejected requests (default: 504).
- permit_naked_ip_address
- reject_invalid_hostname
- reject_unknown_hostname
- reject_non_fqdn_hostname
- check_helo_access maptype:mapname
- See HELO (EHLO) hostname restrictions.
- reject_maps_rbl
- reject_unknown_client
- permit_mynetworks
- check_client_access maptype:mapname
- See client hostname/address restrictions.
- permit
- reject
- reject_unauth_pipelining
- See generic restrictions.
Recipient address restrictions
The smtpd_recipient_restrictions parameter restricts what
recipient addresses this system accepts in RCPT TO commands.
- Default:
- smtpd_recipient_restrictions = permit_mynetworks, check_relay_domains
- By default, the Postfix SMTP server
relays mail:
- from trusted clients whose IP address matches $mynetworks,
- from trusted clients whose hostname matches $relay_domains or a subdomain thereof,
- from untrusted clients to destinations that match $relay_domains or a subdomain thereof,
except for addresses that contain sender-specified routing
(user@elsewhere@domain).
In addition to the above, the Postfix SMTP
server by default accepts mail for which Postfix is the final
destination:
- Syntax:
- Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order as
specified; the first restriction that matches wins.
In addition to restrictions that are specific to recipient mail
addresses, you can also specify restrictions based on the sender mail
address, on the information passed with the HELO/EHLO command, and
on the client hostname or network address.
- Example:
- smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination
- Note: you must specify at least one of the following
restrictions: reject, check_relay_domains or
reject_unauth_destination. Postfix will refuse to receive
mail otherwise.
- Restrictions:
- check_relay_domains
- Permit the request when
one of the following is true:
Otherwise reject the request. The relay_domains_reject_code
parameter specifies the response code for rejected requests (default:
554).
- permit_auth_destination
- Ignore the client hostname.
Permit the request when one of the following is true:
Otherwise proceed with the next restriction.
- reject_unauth_destination
- Ignore the client
hostname. Reject the request unless one of the following is true:
The relay_domains_reject_code parameter specifies the response
code for rejected requests (default: 554).
- permit_mx_backup
- Permit the request when the local
mail system is MX host for the resolved destination. This includes
the case that the local mail system is the final destination.
However, the SMTP server will not forward mail with addresses that
have sender-specified routing information (example:
user@elsewhere@domain),
Relevant configuration parameters:
$mydestination,
$inet_interfaces.
- check_recipient_access maptype:mapname
- maptype:mapname
- Search the named access database for the resolved destination
address, parent domain, or localpart@. Reject the request if the
result is REJECT or "[45]XX text". Permit the
request if the result is OK or RELAY or all-numerical.
Otherwise, treat the result as another list of UCE restrictions. The
access_map_reject_code parameter specifies the result code for
rejected requests (default: 554).
- reject_unknown_recipient_domain
- Reject the request
when the recipient mail address has no DNS A or MX record. The
unknown_address_reject_code parameter specifies the response
code for rejected requests (default: 450). The response
is always 450 in case of a temporary DNS error.
- reject_non_fqdn_recipient
- Reject the request when
the address in the client RCPT TO command is not in fully-qualified
domain form. The non_fqdn_reject_code specifies the
response code to rejected requests (default: 504).
- reject_unknown_sender_domain
- reject_non_fqdn_sender
- check_sender_access maptype:mapname
- See sender address restrictions.
- permit_naked_ip_address
- reject_invalid_hostname
- reject_unknown_hostname
- reject_non_fqdn_hostname
- check_helo_access maptype:mapname
- See HELO (EHLO) hostname restrictions.
- reject_maps_rbl
- reject_unknown_client
- permit_mynetworks
- check_client_access maptype:mapname
- See client hostname/address restrictions.
- permit
- reject
- reject_unauth_pipelining
- See generic restrictions.
ETRN command restrictions
Not really an UCE restriction, the smtpd_etrn_restrictions
parameter restricts what domains can be specified in ETRN commands,
and what clients can issue ETRN commands.
- Default:
- smtpd_etrn_restrictions =
- By default, the Postfix SMTP server
accepts any ETRN command from any client.
- Syntax:
- Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order as
specified; the first restriction that matches wins.
In addition to restrictions that are specific to ETRN domain names,
you can also specify restrictions based on the information passed
with the HELO/EHLO command, and on the client hostname or network
address.
- Example:
- smtpd_etrn_restrictions = permit_mynetworks,
hash:/etc/postfix/etrn_access, reject
- Restrictions:
- check_etrn_access maptype:mapname
- maptype:mapname
- Search the named access database for the domain specified
in the ETRN command, or its parent domains. Reject the request if
the result is REJECT or "[45]XX text". Permit
the request if the result is OK or RELAY or
all-numerical. Otherwise, treat the result as another list of UCE
restrictions. The access_map_reject_code parameter specifies
the result code for rejected requests (default: 554).
- permit_naked_ip_address
- reject_invalid_hostname
- reject_unknown_hostname
- check_helo_access maptype:mapname
- See HELO (EHLO) hostname restrictions.
- reject_maps_rbl
- reject_unknown_client
- permit_mynetworks
- check_client_access maptype:mapname
- See client hostname/address restrictions.
- permit
- reject
- reject_unauth_pipelining
- See generic restrictions.
Generic restrictions
The following restrictions can use used for client hostnames or
addresses, for HELO (EHLO) hostnames, for sender mail addresses
and for recipient mail addresses.
Restrictions:
- permit
- Permit the request. This restriction
is useful at the end of a restriction list, to make the default
policy explicit.
- reject
- Reject the request. This restriction
is useful at the end of a restriction list, to make the default
policy explicit. The reject_code configuration parameter
specifies the response code to rejected requests (default:
554).
- reject_unauth_pipelining
- Reject the request when
the client sends SMTP commands ahead of time without knowing that
Postfix actually supports SMTP command pipelining. This stops mail
from bulk mail software that improperly uses SMTP command pipelining
to speed up deliveries.
Additional UCE control parameters
- maps_rbl_domains
- This parameter controls the behavior of the reject_maps_rbl restriction that can
appear as part of a client hostname/address restriction list.
- Default:
- maps_rbl_domains = rbl.maps.vix.com, dul.maps.vix.com
Note: RBL lookups are disabled by default.
- Syntax:
- Zero or more DNS domains that blacklist client IP addresses. A
host is blacklisted when its reversed IP address is listed as a
subdomain under any of the domains listed in $maps_rbl_domains.
- relay_domains
- This parameter controls the behavior of the check_relay_domains, reject_unauth_destination
and permit_auth_destination
restrictions that can appear as part of a recipient address
restriction list.
- Default:
- relay_domains =
$mydestination
- By default, the Postfix SMTP server
relays mail:
- from trusted clients whose IP address matches $mynetworks,
- from trusted clients whose hostname matches $relay_domains or a subdomain thereof,
- from untrusted clients to destinations that match $relay_domains or a subdomain thereof,
except for addresses that contain sender-specified routing
(user@elsewhere@domain).
- Syntax:
- Specify zero or more domain names, /file/name patterns
and/or type:name lookup tables, separated by whitespace
and/or commas. A /file/name is replaced by its contents;
type:name requests that table lookup is done instead
of string comparison.
A host or destination address matches $relay_domains when
its name or parent domain matches any of the names, files or lookup
tables listed in $relay_domains.
Up one level | Basic
Configuration | UCE Controls | Rate
Controls | Resource Controls | Address Manipulation