Postfix: Fighting Spam using a Real-Time Block List (RBL)
Posted by Wayne on Saturday, 1 February 2014
For those who administer Postfix email servers that see high volumes of email, dealing with Spam can be quite a challenge. Initially I was relying on the server to do its own Spam checking with tools such as amavisd-new, spamassassin, etc., which was working really well for the most part. But when the Spam volume gets high, performing all that processing on hundreds of thousands of emails puts unnecessary load on the server.
Enter Real-Time Black-hole Lists or DNS Black-hole Lists -- amongst other names -- which allow us to block suspected Spam before the server even processes it. I was originally against RBLs, having had servers land on them and having to go through the annoyance of getting unlisted. There are even a few that I would consider outright extortion, asking you to pay a fee to expedite the un-listing process or a one-time fee to never be listed again. That being said, the more reputable ones -- at the time I'm writing this, I'm thinking Spamhaus, SORBS and SpamCop -- will remove you on request within 24 hours without demanding payment, and are quite effective.
How does an email server get listed?
There are several reasons an email server will get listed on a Real-time Black-hole List, some of which are:
Sending copious amounts of Spam. (Duh)
Not having a valid reverse DNS entry.
Not having a proper SPF record.
Server is in a Dynamic IP range.
Server is in the same subnet as a known and aggressive spammer.
The Server is new.
These are all pretty easy to fix, with the exception of the first one, sending copious amounts of Spam. The only way to truly put an end to this is to make sure your system is secure, an ever ongoing process at best, and when a system is compromised it can be hard to catch in time to prevent getting listed. I suggest requesting that AOL whitelist your servers; once it is approved, any report from an AOL customer of Spam from your server will generate an email report, which will help catch problems early, as AOL is a prime target for Spam.
How do RBLs work?
Real-time Black-hole Lists are basically DNS zones queried the way reverse DNS is: the connecting client's IP address, with its octets reversed, is prepended to the list's zone name, and an entry looks something like this.
126.96.36.199.dnsbl.example.com. IN A 127.0.0.3
IN TXT "SPAMMER, Banish to Oblivion"
That should be an obviously fake IP, but that's all there is to it. The email server looks up the connecting client's reversed address under the RBL's zone and acts according to whether an answer comes back. Pretty simple!
How do I make Postfix use an RBL?
Configuring Postfix to use a Real-Time Black-hole List is extremely simple once you have decided which RBLs you wish to use. In your Postfix main.cf you should already have smtpd_recipient_restrictions configured; if you don't, you may want to look into that before you go any further. Assuming you already have it set up, you can simply add reject_rbl_client dnsrbl.example.net to the end of it.
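To make the lookup and the reject_rbl_client decision concrete, here is an added Python example (not part of the original post and not Postfix code) that builds the reversed query name, emulates the listed/not-listed decision against a constructed stand-in for DNS mirroring the zone-file entry above, and runs the RFC 5782 sanity check (127.0.0.2 must be listed, 127.0.0.1 must not) that catches a dead list answering positively for every address. The zone names and records are constructed; resolve() is a hypothetical hook you would swap for a real DNS query.

```python
import ipaddress

# Constructed stand-in for DNS: query name -> (A records, TXT records).
# Mirrors the zone-file example above plus the RFC 5782 test entry.
FAKE_DNS = {
    "126.96.36.199.dnsbl.example.com": (["127.0.0.3"], ["SPAMMER, Banish to Oblivion"]),
    "2.0.0.127.dnsbl.example.com": (["127.0.0.2"], ["RFC 5782 test entry"]),
}


def fake_resolve(name):
    """Return (a_records, txt_records); empty lists mean NXDOMAIN, i.e. not listed."""
    return FAKE_DNS.get(name, ([], []))


def rbl_query_name(client_ip, zone):
    """Build the name Postfix queries: client octets reversed, RBL zone appended."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 clients only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def check_client(client_ip, zone, resolve=fake_resolve, want=None):
    """Emulate reject_rbl_client: any listing rejects; `want` narrows it to one
    127.0.0.x return code, as Postfix's zone=d.d.d.d syntax does. Only loopback
    answers count, so a parked wildcard domain returning a public address is ignored."""
    a_records, txt_records = resolve(rbl_query_name(client_ip, zone))
    hits = [a for a in a_records if a.startswith("127.0.0.") and (want is None or a == want)]
    if not hits:
        return ("accept", None)
    reason = txt_records[0] if txt_records else f"listed by {zone}"
    return ("reject", reason)


def zone_is_sane(zone, resolve=fake_resolve):
    """RFC 5782 test entries: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A list that fails this (e.g. a dead zone answering for everything) would
    reject all of your inbound mail if left in smtpd_recipient_restrictions."""
    decision_2, _ = check_client("127.0.0.2", zone, resolve)
    decision_1, _ = check_client("127.0.0.1", zone, resolve)
    return decision_2 == "reject" and decision_1 == "accept"
```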
Here are a few real entries you can add to the end of your smtpd_recipient_restrictions:
And then: sudo postfix reload
You're good to go!