Postfix Configuration - UCE Controls

Introduction

Postfix offers a variety of parameters that limit the delivery of unsolicited commercial email (UCE).

By default, the Postfix SMTP server will accept mail only from or to the local network or domain, or to domains that are hosted by Postfix, so that your system can't be used as a mail relay to forward bulk mail from random strangers.

The text in this document describes how you can set up more detailed anti-UCE policies that prevent delivery of unwanted email altogether, for example with sendmail-style access lists or with RBL (real-time blackhole list) name servers.

Unless indicated otherwise, all parameters described here are in the main.cf file. If you change parameters of a running Postfix system, don't forget to issue a postfix reload command.

Header filtering
Client hostname/address restrictions
Require HELO (EHLO) command
HELO (EHLO) hostname restrictions
Require strict RFC 821-style envelope addresses
Sender address restrictions
Recipient address restrictions
ETRN command restrictions
Generic restrictions
Additional UCE control parameters

Header filtering

The header_checks parameter restricts what is allowed in message headers.

Default:

Allow anything in message headers.

Syntax:

Specify a list of zero or more lookup tables. Whenever a header matches a table, the action depends on the lookup result:

REJECT: Reject the message, and log the header.
REJECT text...: As above, and also send the text to the originator.
IGNORE: Delete the header from the message.
WARN: Log (but do not reject) the header with a warning.

At present, specifying a header pattern with OK serves no useful purpose. A rule ending in OK affects only the header being matched. The next header may still result in a REJECT match, causing the mail still to be rejected.

Examples (main.cf):

header_checks = regexp:/etc/postfix/header_checks

header_checks = pcre:/etc/postfix/header_checks

Example (header_checks):

/^to: *friend@public\.com$/ REJECT

Client hostname/address restrictions

The smtpd_client_restrictions parameter restricts what clients this system accepts SMTP connections from.

By default, this restriction is applied when the client sends the RCPT TO command. In order to have the restriction take effect as soon as possible, specify smtpd_delay_reject = no in the Postfix main.cf configuration file. Doing so may cause unexpected results with poorly implemented client software.

Default:: smtpd_client_restrictions =; Allow SMTP connections from any client.
Syntax:: Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order as specified; the first restriction that matches wins.
Examples:: smtpd_client_restrictions = hash:/etc/postfix/access, reject_maps_rbl; smtpd_client_restrictions = permit_mynetworks, reject_unknown_client

Require HELO (EHLO) command

The smtpd_helo_required parameter determines if clients must send a HELO (or EHLO) command at the beginning of an SMTP session. Requiring this will stop some UCE software.

Default:: smtpd_helo_required = no

HELO (EHLO) hostname restrictions

The smtpd_helo_restrictions parameter restricts what hostnames clients may send with the HELO (EHLO) command. Some UCE software can be stopped by being strict here.

By default, this restriction is applied when the client sends the RCPT TO command. In order to have the restriction take effect as soon as possible, specify smtpd_delay_reject = yes in the Postfix main.cf configuration file. Doing so may cause unexpected results with poorly implemented client software.

Default:: smtpd_helo_restrictions =

Require strict RFC 821-style envelope addresses

The strict_rfc821_envelopes parameter controls how tolerant Postfix is with respect to addresses given in MAIL FROM or RCPT TO commands. Unfortunately, the widely-used Sendmail program tolerates lots of non-standard behavior, so a lot of software expects to get away with it. Being strict to the RFC not only stops unwanted mail, it also blocks legitimate mail from poorly-written mail applications.

Default:: strict_rfc821_envelopes = no

Sender address restrictions

The smtpd_sender_restrictions parameter restricts what sender addresses this system accepts in MAIL FROM commands.

By default, this restriction is applied when the client sends the RCPT TO command. In order to have the restriction take effect as soon as possible, specify smtpd_delay_reject = yes in the Postfix main.cf configuration file. Doing so may cause unexpected results with poorly implemented client software.

Default:: smtpd_sender_restrictions =

Recipient address restrictions

The smtpd_recipient_restrictions parameter restricts what recipient addresses this system accepts in RCPT TO commands.

Default:: smtpd_recipient_restrictions = permit_mynetworks, check_relay_domains

ETRN command restrictions

Not really an UCE restriction, the smtpd_etrn_restrictions parameter restricts what domains can be specified in ETRN commands, and what clients can issue ETRN commands.

Default:: smtpd_etrn_restrictions =

Generic restrictions

The following restrictions can use used for client hostnames or addresses, for HELO (EHLO) hostnames, for sender mail addresses and for recipient mail addresses.

Restrictions:

permit: Permit the request. This restriction is useful at the end of a restriction list, to make the default policy explicit.
reject: Reject the request. This restriction is useful at the end of a restriction list, to make the default policy explicit. The reject_code configuration parameter specifies the response code to rejected requests (default: 554).
warn_if_reject: Change the meaning of the next restriction, so that it logs a warning instead of rejecting a request (look for logfile records that contain "reject_warning"). This is useful for testing new restrictions in a "live" environment without risking unnecessary loss of mail.
reject_unauth_pipelining: Reject the request when the client sends SMTP commands ahead of time without knowing that Postfix actually supports SMTP command pipelining. This stops mail from bulk mail software that improperly uses SMTP command pipelining to speed up deliveries.

Additional UCE control parameters

permit_mx_backup_networks

Restrict the use of the permit_mx_backup relay control feature to destinations whose primary MX hosts match a list of network blocks.

Default:

permit_mx_backup_networks =

That is, all networks are authorized by default.

Syntax:

Specify a list of network blocks in CIDR (network/mask) notation, for example:

permit_mx_backup_networks = 168.100.0.0/16

You can also specify the absolute pathname of a pattern file instead of listing the patterns in the main.cf file.

maps_rbl_domains

This parameter controls the behavior of the reject_maps_rbl restriction that can appear as part of a client hostname/address restriction list.

Default:

maps_rbl_domains = blackholes.mail-abuse.org

Note: RBL lookups are disabled by default.

Syntax:

Zero or more DNS domains that blacklist client IP addresses. A host is blacklisted when its reversed IP address is listed as a subdomain under any of the domains listed in $maps_rbl_domains.

relay_domains

This parameter controls the behavior of the check_relay_domains, reject_unauth_destination and permit_auth_destination restrictions that can appear as part of a recipient address restriction list.

Default:

relay_domains = $mydestination

By default, the Postfix SMTP server relays mail:

from trusted clients whose IP address matches $mynetworks,
from trusted clients whose hostname matches $relay_domains or a subdomain thereof,
from untrusted clients to destinations that match $relay_domains or a subdomain thereof, except for addresses that contain sender-specified routing (user@elsewhere@domain).

Syntax:

Specify zero or more domain names, /file/name patterns and/or type:name lookup tables, separated by whitespace and/or commas. A /file/name is replaced by its contents; type:name requests that table lookup is done instead of string comparison.

A host or destination address matches $relay_domains when its name or parent domain matches any of the names, files or lookup tables listed in $relay_domains.

smtpd_sender_login_maps

This parameter specifies ownership of MAIL FROM addresses, as used by the reject_sender_login_mismatch sender address restriction.

Default:

smtpd_sender_login_maps =

Syntax:

Specify zero or more type:name lookup tables, separated by whitespace and/or commas. The maps are searched in the specified order. Regexp tables are allowed.

Each map entry specifies a sender address and the login name that owns the address. The search order is:

user@domain owner: This form has the highest precedence.
user owner: This matches user@site when site is equal to $myorigin, when site is listed in $mydestination, or when it is listed in $inet_interfaces.
@domain owner: This matches every address in the specified domain, and has the lowest precedence.