How-To: Fight SPAM with Postfix RBL


Spam, spam everywhere! If you are hosting your own mail server, fighting spam can become tricky. Antispam solutions do catch a fair amount of it, but many spam emails still make their way through.

An RBL (Real-time Blackhole List) is a database of known spammy IPs which is accessible over DNS. Depending on the response received from the DNS server, the IP is classified as spammy or not.

This tutorial will show you how to set up RBL with postfix.

We are not going to cover how to install and set up postfix here. If you do not have a working postfix setup yet, you could check How-To: Virtual Emails Accounts With Postfix And Dovecot.

Now that you have a working postfix setup, let’s talk about what we want to achieve. The idea behind RBL is that we want to reject emails upon reception if they are coming from an IP which is known to be spammy.
In Postfix, this happens in the smtpd_client_restrictions config entry which resides in /etc/postfix/main.cf.

There, we will add a few reject_rbl_client entries that will take care of rejecting a client connection if it is blacklisted by one of the services.

smtpd_client_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client cbl.abuseat.org,
        permit

And finally, restart your mail server to take the new settings into account:

/etc/init.d/postfix restart

Let’s go over the settings. In this case, I have chosen to use zen.spamhaus.org first, bl.spamcop.net second and finally cbl.abuseat.org.

Essentially, given the set of rules above, email sent from my network will be accepted with no checks. The same goes for authenticated users (e.g. email account/password). If the email is sent neither by my network nor by an authenticated account, we reject all email whose destination is not known to me, i.e. no relaying (reject_unauth_destination). At that stage, the emails that have not matched any of the previous rules are emails sent to one of the hosted mail domains; this is where we apply the RBL filter and reject emails coming from blacklisted clients.

If it passes all 3 RBL filters, the email will be allowed to go through and continue to the next steps (antispam, antivirus…).

Using RBL is really efficient and pretty lightweight. All it takes is some DNS queries, and if you receive a lot of spam email from the same client, these DNS entries will be cached in your (local) DNS. To get some figures on how many emails get caught through RBL: on a server where 90% of the email is rejected, 98% of the rejections are from RBL; the rest is relay being denied!

You can check this list of DNS Blacklist services.
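What one of those DNS queries looks like, as an added example (not Postfix's code and not from the original post): the client IP is reversed, the list's zone is appended, and the A record answer decides the classification. The function names, the stub resolver and its sample data are constructed for illustration; the example also goes slightly beyond the text by handling IPv6 and by treating 127.255.255.x answers, which Spamhaus documents as error codes, separately from real listings.

```python
# Added example: classifying a client IP from a DNSBL answer (illustrative only).
import ipaddress
import socket


def dnsbl_query_name(client_ip, zone):
    """Build the DNS name to query: reversed IP labels + the list's zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))            # 192.0.2.99 -> 99.2.0.192
    else:
        labels = reversed(ip.exploded.replace(":", ""))  # IPv6: reversed nibbles
    return ".".join(labels) + "." + zone


def system_resolver(name):
    """Return the A records for name, or [] on NXDOMAIN / lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def classify(client_ip, zone, resolve=system_resolver):
    """Return 'listed', 'not listed' or 'error' for client_ip in zone."""
    answers = [ipaddress.ip_address(a) for a in resolve(dnsbl_query_name(client_ip, zone))]
    if not answers:
        return "not listed"   # no A record: the IP is not in the list
    # 127.255.255.x: documented Spamhaus error codes (e.g. blocked resolver), not listings
    if any(a in ipaddress.ip_network("127.255.255.0/24") for a in answers):
        return "error"
    if all(a in ipaddress.ip_network("127.0.0.0/8") for a in answers):
        return "listed"
    return "error"            # answer outside 127/8: hijacked or broken DNS

# Constructed sample data standing in for a real DNS server.
FAKE_ZONE = {
    "99.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],
    "7.113.0.203.zen.spamhaus.org": ["127.255.255.254"],
}

def fake_resolver(name):
    return FAKE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.99", "198.51.100.10", "203.0.113.7"):
        print(ip, classify(ip, "zen.spamhaus.org", fake_resolver))
```

A plain reject_rbl_client entry matches on any A record answer; Postfix's reject_rbl_client rbl_domain=d.d.d.d form restricts the match to a specific answer, which keeps error-code replies from being treated as listings.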

Enjoy your (almost) spam free email experience!