Spamhaus Project Public Mirrors using Postfix

This document details how to use the Public Mirrors with the Postfix MTA, including configuring rejections at the SMTP level.

NOTE: If you use Postfix with Rspamd or SpamAssassin, you should not configure rejections at the SMTP level. Instead, use a milter and let SpamAssassin or Rspamd do the filtering. We recommend this because both SpamAssassin and Rspamd should be viewed as anti-spam frameworks, i.e., they need all the relevant information relating to an email to use their auto-learning features and filter emails effectively.

Configuring a milter and integrating it with SpamAssassin or Rspamd with Postfix is outside this document’s scope. Please ask your systems integrator for assistance, should you need to do this.

Blocking at the SMTP level is only suggested if you have a moderately high email volume (more than 200,000 emails per day), low computing resources, or if you do not use additional anti-spam software.

Conventions

  • This document assumes that your Postfix configuration directory is /etc/postfix. If this is not the case, change the path accordingly wherever it is referenced.

  • Whenever you see the box below, it means that you need to enter the command on your shell:

	$ command

  • Whenever you see the box below, it means that you need to enter the command on a shell with root privileges:

	# command

Configuration

To correctly configure Postfix, make changes to the main.cf file. Open the file and locate (or create) the section smtpd_recipient_restrictions. Configure it as follows:

smtpd_recipient_restrictions =
    ...
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
    reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]
    reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99]
    reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99]
    warn_if_reject reject_rbl_client zen.spamhaus.org=127.255.255.[1..255]
    ...

We recommend putting these lines at the top of the smtpd_recipient_restrictions section.

After that, reload Postfix:

	# /etc/init.d/postfix reload

or, if your system uses systemd:

	# systemctl reload postfix
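
To check that lookups from the mail server resolve, and to see how the zen.spamhaus.org ranges configured above treat an answer, the shell functions below build the DNSBL query name and classify a return code. This is an added example, not part of the original document or of Postfix or Spamhaus tooling; the function names zen_qname, zen_classify and zen_check are hypothetical, and zen_check assumes dig is installed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Postfix or Spamhaus tools.

# Build the DNSBL query name: IPv4 octets reversed, then the zone.
zen_qname() {
    ip=$1
    zone=${2:-zen.spamhaus.org}
    case $ip in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Classify one A-record answer the way the zen.spamhaus.org lines in
# main.cf treat it: 127.0.0.[2..11] rejects, 127.255.255.[1..255] only
# logs (warn_if_reject), anything else matches neither filter.
zen_classify() {
    [ -n "$1" ] || { echo not-listed; return 0; }
    last=${1##*.}
    case $last in ''|*[!0-9]*) echo unmatched; return 0 ;; esac
    case ${1%.*} in
        127.0.0)
            if [ "$last" -ge 2 ] && [ "$last" -le 11 ]; then
                echo reject; else echo unmatched; fi ;;
        127.255.255)
            if [ "$last" -ge 1 ] && [ "$last" -le 255 ]; then
                echo warn-only; else echo unmatched; fi ;;
        *) echo unmatched ;;
    esac
}

# Live lookup from this host (assumes dig and network access).
# Example: zen_check 127.0.0.2   (127.0.0.2 is the RFC 5782 test entry)
zen_check() {
    name=$(zen_qname "$1") || return 1
    answers=$(dig +short A "$name")
    [ -n "$answers" ] || { echo "$1 not-listed"; return 0; }
    for a in $answers; do
        echo "$1 $a $(zen_classify "$a")"
    done
}
```

Running zen_check 127.0.0.2 on the mail server should report reject. A warn-only or not-listed result for that test address means lookups from this host are not returning listings, so the reject_rbl_client line cannot match.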

Using postscreen instead

An alternative to configuring DNSBL lookups inside Postfix itself is to rely on its postscreen daemon. A full explanation of why and when one would prefer postscreen is beyond the scope of this document, but the short version is that postscreen can reject SMTP sessions from undesired emitters before involving the actual SMTP daemon, freeing up resources that will then be used only for “real traffic”. To correctly configure postscreen, edit the main.cf file and insert the following line:

postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]

After that, reload Postfix:

	# /etc/init.d/postfix reload

or, if your system uses systemd:

	# systemctl reload postfix