Configuring DQS on Postfix

This document describes how to use the Spamhaus Data Query Service (DQS) with the Postfix MTA, including how to reject listed mail at the SMTP level.

NOTE: If you run Postfix with Rspamd or SpamAssassin, do not configure rejections at the SMTP level. Instead, connect the filter through a milter and let SpamAssassin or Rspamd make the decision. Both are anti-spam frameworks: they score a message on all the information available about it and feed the result into their auto-learning, so rejecting messages before they reach the filter deprives it of data and reduces its effectiveness.

Configuring a milter and integrating it with SpamAssassin or Rspamd with Postfix is outside this document’s scope. Please ask your systems integrator for assistance, should you need to do this.

If you are using SpamAssassin or Rspamd, please see the links below. They explain how to install our plugin to get the best performance and catch rates from the DQS:

Rejecting at the SMTP level is recommended only if you have a moderately high email volume (more than 200,000 emails per day), limited computing resources, or no additional anti-spam software.

Conventions

  • This document assumes that your Postfix configuration directory is /etc/postfix. If this is not the case, change the path accordingly, where it is referenced.

  • When you see the word your_DQS_key you need to replace it with your actual DQS key. Failing to do so will prevent you from successfully querying the DQS.

    For example, assuming your key is aip7yig6sahg6ehsohn5shco3z, the following line:

	your_DQS_key.zen.dq.spamhaus.net

will become:

	aip7yig6sahg6ehsohn5shco3z.zen.dq.spamhaus.net
  • When you see the box below, it means that you need to enter the command on your shell:

	$ command
  • When you see the box below, it means that you need to enter the command on a shell with root privileges:

	# command

Configuration

Postfix is configured in main.cf, usually /etc/postfix/main.cf. Open the file, locate the smtpd_recipient_restrictions parameter and configure it as follows:

smtpd_recipient_restrictions =
    ...
    reject_rbl_client your_DQS_key.zen.dq.spamhaus.net=127.0.0.[2..11]
    reject_rhsbl_sender your_DQS_key.dbl.dq.spamhaus.net=127.0.1.[2..99]
    reject_rhsbl_helo your_DQS_key.dbl.dq.spamhaus.net=127.0.1.[2..99]
    reject_rhsbl_reverse_client your_DQS_key.dbl.dq.spamhaus.net=127.0.1.[2..99]
    reject_rhsbl_sender your_DQS_key.zrd.dq.spamhaus.net=127.0.2.[2..24]
    reject_rhsbl_helo your_DQS_key.zrd.dq.spamhaus.net=127.0.2.[2..24]
    reject_rhsbl_reverse_client your_DQS_key.zrd.dq.spamhaus.net=127.0.2.[2..24]
    ...

We recommend placing these lines near the top of the smtpd_recipient_restrictions list, but after permit_mynetworks and permit_sasl_authenticated if you use them, so that your own networks and authenticated users are never rejected: the ZEN return codes 127.0.0.10 and 127.0.0.11 are the PBL, which lists dynamic and residential address space where authenticated submission clients often sit. Keep the explicit return-code ranges; they restrict the match to listing codes, so any other value the service returns does not trigger a rejection. The =d.d.d.[n..m] filter syntax and reject_rhsbl_reverse_client require Postfix 2.8 or later.

Postfix's default RBL reject text (default_rbl_reply) includes $rbl_domain, which here expands to the DQS hostname prefixed with your key, so every rejected client would be sent the key and it would end up in their bounce messages. To avoid leaking it, insert this directive in the same main.cf file:

rbl_reply_maps = hash:$config_directory/dnsbl-reply-map

Then, create a new file /etc/postfix/dnsbl-reply-map and put the following lines inside. The lookup key and the reply template are separated by a tab, and each zone appears twice, with and without the return-code filter, so the template is found whichever form Postfix uses as the lookup key. Note that none of the templates reference $rbl_domain:

	your_DQS_key.zen.dq.spamhaus.net=127.0.0.[2..11]	554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
	your_DQS_key.dbl.dq.spamhaus.net=127.0.1.[2..99]	554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
	your_DQS_key.zrd.dq.spamhaus.net=127.0.2.[2..24]	554 $rbl_class $rbl_what blocked using ZRD - domain too young
	your_DQS_key.zen.dq.spamhaus.net			554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
	your_DQS_key.dbl.dq.spamhaus.net			554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
	your_DQS_key.zrd.dq.spamhaus.net			554 $rbl_class $rbl_what blocked using ZRD - domain too young

After that, issue:

	# postmap /etc/postfix/dnsbl-reply-map

and then:

	# /etc/init.d/postfix reload

or, if your system uses systemd:

	# systemctl reload postfix

Keep an eye on your mail server logs to make sure the rejection messages being sent match the templates in /etc/postfix/dnsbl-reply-map and therefore do not contain your key: search the reject lines for the key itself, and treat any hit as a sign that the map is not being applied. Also confirm that the parameter is set (postconf rbl_reply_maps prints its current value) and watch the log for warnings about the map after the reload.
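As an added check for the leak described above, the script below is example code written for this page; it is not part of the Spamhaus document or of Postfix. It defines two functions: one scans a dnsbl-reply-map and flags any reply template that would expose the key (the key itself, a raw dq.spamhaus.net hostname, or $rbl_domain), the other scans smtpd reject lines for the key. The map and log lines it runs on are constructed samples built inside the script using the placeholder key from the Conventions section, so it runs offline; point the functions at your real map and log file to use it.

```shell
#!/bin/sh
# Added example: two checks that the DQS key is not exposed in rejection text.
# Not part of the Spamhaus document or of Postfix. The map and log lines
# below are constructed samples; the key is the placeholder key used in this
# document's Conventions section, not a real one.

KEY="aip7yig6sahg6ehsohn5shco3z"

# reply_map_leaks KEY MAPFILE
# Returns 0 (true) if any reply template in a dnsbl-reply-map would expose
# the key: the key itself, a raw dq.spamhaus.net hostname, or $rbl_domain,
# which Postfix expands to the key-prefixed hostname. Returns 1 if clean.
# Only the reply text (everything after the first field) is examined, since
# the lookup key itself legitimately contains the DQS hostname.
reply_map_leaks() {
    key="$1"; mapfile="$2"
    grep -v '^[[:space:]]*#' "$mapfile" \
      | grep -v '^[[:space:]]*$' \
      | sed 's/^[^[:space:]]*[[:space:]]*//' \
      | grep -E -q -e "$key" -e 'dq\.spamhaus\.net' -e '\$rbl_domain'
}

# log_leaks_key KEY LOGFILE
# Returns 0 (true) if the key appears anywhere in the log, 1 otherwise.
# -F treats the key as a fixed string, not a regular expression.
log_leaks_key() {
    grep -F -q -- "$1" "$2"
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
GOOD_MAP="$WORK/dnsbl-reply-map.good"
BAD_MAP="$WORK/dnsbl-reply-map.bad"
CLEAN_LOG="$WORK/mail.log.clean"
LEAK_LOG="$WORK/mail.log.leak"

# Constructed map in the form shown above: lookup key, tab, reply template.
printf '%s\t%s\n' \
  "$KEY.zen.dq.spamhaus.net=127.0.0.[2..11]" \
  '554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details' \
  "$KEY.dbl.dq.spamhaus.net" \
  '554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details' \
  > "$GOOD_MAP"

# Same idea, but this template names $rbl_domain, so the key would go out.
printf '%s\t%s\n' \
  "$KEY.zen.dq.spamhaus.net=127.0.0.[2..11]" \
  '554 $rbl_class $rbl_what blocked using $rbl_domain' \
  > "$BAD_MAP"

# Constructed smtpd reject lines (RFC 5737 addresses): one as it would look
# with the template applied, one in the Postfix default reply form.
printf '%s\n' \
  'Jan  1 00:00:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Client host [192.0.2.10] blocked using ZEN - see https://www.spamhaus.org/query/ip/192.0.2.10 for details; from=<a@example.org> to=<b@example.net> proto=ESMTP helo=<example.org>' \
  > "$CLEAN_LOG"
printf '%s\n' \
  "Jan  1 00:00:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using $KEY.zen.dq.spamhaus.net; from=<a@example.org> to=<b@example.net> proto=ESMTP helo=<example.org>" \
  > "$LEAK_LOG"

for f in "$GOOD_MAP" "$BAD_MAP"; do
    if reply_map_leaks "$KEY" "$f"; then echo "LEAK  map $f"; else echo "clean map $f"; fi
done
for f in "$CLEAN_LOG" "$LEAK_LOG"; do
    if log_leaks_key "$KEY" "$f"; then echo "LEAK  log $f"; else echo "clean log $f"; fi
done
```

The map check deliberately ignores the first field of each line, because the lookup key must contain the keyed hostname; only the template that Postfix sends to the client matters. The log check is a fixed-string search, so it also catches the key if a template somewhere else in your configuration (for example a different service's restrictions) still uses the default reply.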