Postfix Configuration - UCE Controls

Note: this web page is no longer maintained. It exists only to avoid breaking links in web pages that describe earlier versions of the Postfix mail system.

Introduction

Postfix offers a variety of parameters that limit the delivery of unsolicited commercial email (UCE).

By default, the Postfix SMTP server will accept mail only from or to the local network or domain, or to domains that are hosted by Postfix, so that your system can't be used as a mail relay to forward bulk mail from random strangers.

The text in this document describes how you can set up more detailed anti-UCE policies that prevent delivery of unwanted email altogether, for example with sendmail-style access lists or with RBL (real-time blackhole list) name servers.

Unless indicated otherwise, all parameters described here are in the main.cf file. If you change parameters of a running Postfix system, don't forget to issue a postfix reload command.

Header filtering
Body filtering
Client hostname/address restrictions
Require HELO (EHLO) command
HELO (EHLO) hostname restrictions
Require strict RFC 821-style envelope addresses
Sender address restrictions
Recipient address restrictions
ETRN command restrictions
Generic restrictions
Additional UCE control parameters

Header filtering

The header_checks parameter restricts what is allowed in message headers. Patterns are applied to entire logical message headers, even when a header spans multiple lines of text.

By default, the same header_checks patterns are used for primary message headers, for MIME headers (including headers at the start of multipart body parts), and for the headers at the beginning of attached email messages.

Default:

Allow anything in message headers.

Syntax:

Specify a list of zero or more lookup tables. Whenever a header matches a table, the action depends on the lookup result:

REJECT
REJECT text...: Reject the message, log the header and the optional text, and send the optional text to the originator.
OK: Skip all further header patterns for this header line.
IGNORE: Delete the header line from the message.
WARN
WARN text...: Log (but do not reject) the header with a warning, and log the optional text.
HOLD
HOLD text...: Place the message on the hold queue. Mail on hold can be inspected with the postcat command, and can be destroyed or taken off hold with the postsuper command. The optional text is logged together with the matched text.
DISCARD
DISCARD text...: Claim successful delivery and silently discard the message. The optional text is logged together with the matched text.
FILTER transport:nexthop: After the message is queued, send the entire message through a content filter. This requires different cleanup servers before and after the filter, with header/body checks turned off in the second cleanup server. More details about content filtering are in the Postfix FILTER_README file. This feature overrides the main.cf content_filter setting.

At present, specifying a header pattern with OK serves no useful purpose. A rule ending in OK affects only the header being matched. The next header may still result in a REJECT match, causing the mail still to be rejected.

Examples (main.cf):

header_checks = regexp:/etc/postfix/header_checks

header_checks = pcre:/etc/postfix/header_checks

Example (header_checks):

/^to: *friend@public\.com$/ REJECT

Body filtering

The body_checks parameter restricts what text is is allowed in message body lines.

Note: the message body is matched one line at a time. There is no multi-line concept as with message headers.

Default:

Allow anything in message body lines.

Syntax:

Specify a list of zero or more lookup tables. Whenever a body line matches a table, the action depends on the lookup result:

REJECT
REJECT text...: Reject the message, log the body line and the optional text, and send the optional text to the originator.
WARN
WARN text...: Log (but do not reject) the body line with a warning, and log the optional text.
OK: Skip all further body patterns for this body line.
IGNORE: Delete the body line from the message.
HOLD
HOLD text...: Place the message on the hold queue. Mail on hold can be inspected with the postcat command, and can be destroyed or taken off hold with the postsuper command. The optional text is logged together with the matched text.
DISCARD
DISCARD text...: Claim successful delivery and silently discard the message. The optional text is logged together with the matched text.
FILTER transport:nexthop: After the message is queued, send the entire message through a content filter. This requires different cleanup servers before and after the filter, with header/body checks turned off in the second cleanup server. More details about content filtering are in the Postfix FILTER_README file. This feature overrides the main.cf content_filter setting.

At present, specifying a pattern with OK serves no useful purpose. A rule ending in OK affects only the line being matched. The next line may still result in a REJECT match, causing the mail still to be rejected.

Examples (main.cf):

body_checks = regexp:/etc/postfix/body_checks

body_checks = pcre:/etc/postfix/body_checks

Client hostname/address restrictions

The smtpd_client_restrictions parameter restricts what clients this system accepts SMTP connections from.

By default, this restriction is applied when the client sends the RCPT TO command. In order to have the restriction take effect as soon as possible, specify smtpd_delay_reject = no in the Postfix main.cf configuration file. Doing so may cause unexpected results with poorly implemented client software.

Default:

smtpd_client_restrictions =

Allow SMTP connections from any client.

Syntax:

Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order as specified; the first restriction that matches wins.

In addition to restrictions that are specific to the client hostname or IP address, you may list here any restrictions based on the information passed with the HELO/EHLO command, on the sender address or on the recipient address. The HELO/EHLO, sender or recipient restrictions take effect only if smtpd_delay_reject = yes so that all restrictions are evaluated after the RCPT TO command.

Examples:

smtpd_client_restrictions = hash:/etc/postfix/access, reject_rbl_client relays.mail-abuse.org (paid service)

smtpd_client_restrictions = hash:/etc/postfix/access, reject_rbl_client relays.ordb.org (free service)

smtpd_sender_restrictions = hash:/etc/postfix/access, reject_rhsbl_sender dsn.rfc-ignorant.org (free service)

smtpd_client_restrictions = permit_mynetworks, reject_unknown_client

Restrictions:

reject_unknown_client
Reject the request when the client IP address has no PTR (address to name) record in the DNS, or when the PTR record does not have a matching A (name to address) record. The unknown_client_reject_code parameter specifies the response code to rejected requests (default: 450).

permit_mynetworks
Permit the request when the client IP address matches any network listed in $mynetworks.

reject_rbl_client domain.tld
Reject the request when the reversed client network address is listed with an A record under domain.tld. The maps_rbl_reject_code parameter specifies the response code for rejected requests (default: 554), the default_rbl_reply parameter specifies the default server reply, and the rbl_reply_maps parameter specifies tables with server replies indexed by RBL domain.

reject_rhsbl_client domain.tld
Reject the request when the client hostname is listed with an A record under domain.tld. See above for additional RBL related configuration parameters.

check_client_access maptype:mapname
maptype:mapname
Search the named access database for the client hostname, parent domains, client IP address, or networks obtained by stripping least significant octets.

permit
defer
reject
warn_if_reject
reject_unauth_pipelining
See generic restrictions.

Require HELO (EHLO) command

The smtpd_helo_required parameter determines if clients must send a HELO (or EHLO) command at the beginning of an SMTP session. Requiring this will stop some UCE software.

Default:: smtpd_helo_required = no; By default, the Postfix SMTP server does not require the use of HELO (EHLO).
Syntax:: Specify yes or no.
Example:: smtpd_helo_required = yes

HELO (EHLO) hostname restrictions

The smtpd_helo_restrictions parameter restricts what hostnames clients may send with the HELO (EHLO) command. Some UCE software can be stopped by being strict here.

Default:

smtpd_helo_restrictions =

By default, the Postfix SMTP server accepts any garbage in the HELO (EHLO) command. There is a lot of broken or misconfigured software on the Internet.

Syntax:

Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order as specified; the first restriction that matches wins.

In addition to restrictions that are specific to HELO (EHLO) command parameters, you may list here any restrictions on the client hostname , client address , sender address or recipient address. The sender or recipient restrictions take effect only if smtpd_delay_reject = yes so that all restrictions are evaluated after the RCPT TO command.

Example:

smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname

Restrictions:

reject_invalid_hostname
Reject the request when the client HELO or EHLO parameter has a bad hostname syntax. The invalid_hostname_reject_code specifies the response code to rejected requests (default: 501).

reject_unknown_hostname
Reject the request when the hostname in the client HELO (EHLO) command has no DNS A or MX record. The unknown_hostname_reject_code specifies the response code to rejected requests (default: 450).

reject_non_fqdn_hostname
Reject the request when the hostname in the client HELO (EHLO) command is not in fully-qualified domain form, as required by the RFC. The non_fqdn_reject_code specifies the response code to rejected requests (default: 504).

check_helo_access maptype:mapname
maptype:mapname
Search the named access database for the HELO hostname or parent domains.

permit
defer
reject
warn_if_reject
reject_unauth_pipelining
See generic restrictions.

Require strict RFC 821-style envelope addresses

The strict_rfc821_envelopes parameter controls how tolerant Postfix is with respect to addresses given in MAIL FROM or RCPT TO commands. Unfortunately, the widely-used Sendmail program tolerates lots of non-standard behavior, so a lot of software expects to get away with it. Being strict to the RFC not only stops unwanted mail, it also blocks legitimate mail from poorly-written mail applications.

Default:: strict_rfc821_envelopes = no; By default, the Postfix SMTP server accepts any address form that it can make sense of, including address forms that contain RFC 822-style comments, or addresses not enclosed in <>. There is a lot of broken or misconfigured software out there on the Internet.
Example:: strict_rfc821_envelopes = yes

Sender address restrictions

The smtpd_sender_restrictions parameter restricts what sender addresses this system accepts in MAIL FROM commands.

Default:

smtpd_sender_restrictions =

By default, the Postfix SMTP server accepts any sender address.

Syntax:

Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order as specified; the first restriction that matches wins.

In addition to restrictions that are specific to sender mail addresses, you can also specify restrictions based on the information passed with the HELO/EHLO command , on the client hostname or network address , or on the recipient address . The recipient restrictions take effect only if smtpd_delay_reject = yes so that all restrictions are evaluated after the RCPT TO command.

Example:

smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain

Restrictions:

reject_unknown_sender_domain
Reject the request when the sender mail address has no DNS A or MX record. The unknown_address_reject_code parameter specifies the response code for rejected requests (default: 450). The response is always 450 in case of a temporary DNS error.

reject_rhsbl_sender domain.tld
Reject the request when the sender mail address domain is listed with an A record under domain.tld. The maps_rbl_reject_code parameter specifies the response code for rejected requests (default: 554), the default_rbl_reply parameter specifies the default server reply, and the rbl_reply_maps parameter specifies tables with server replies indexed by RBL domain.

check_sender_access maptype:mapname
maptype:mapname
Search the named access database for the sender mail address, sender domain and parent domain, or localpart@.

reject_non_fqdn_sender
Reject the request when the address in the client MAIL FROM command is not in fully-qualified domain form. The non_fqdn_reject_code specifies the response code to rejected requests (default: 504).

reject_sender_login_mismatch
Reject the request when $smtpd_sender_owner_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.

permit
defer
reject
warn_if_reject
reject_unauth_pipelining
See generic restrictions.

Recipient address restrictions

The smtpd_recipient_restrictions parameter restricts what recipient addresses this system accepts in RCPT TO commands.

Default:

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

By default, the Postfix SMTP server relays mail:

from trusted clients whose IP address matches $mynetworks to any destination,
from untrusted clients to destinations that match $relay_domains or a subdomain thereof, except for addresses that contain sender-specified routing (user@elsewhere@domain).

In addition to the above, the Postfix SMTP server by default accepts mail for which Postfix is the final destination:

to destinations that match $inet_interfaces,
to destinations that match $mydestination,
to destinations that match $virtual_alias_domains,
to destinations that match $virtual_mailbox_domains.

Syntax:

Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order as specified; the first restriction that matches wins.

In addition to restrictions that are specific to recipient mail addresses, you can also specify restrictions based on the sender mail address, on the information passed with the HELO/EHLO command , and on the client hostname or network address .

Example:

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

Note: you must specify at least one of the following restrictions: reject, defer, defer_if_permit, or reject_unauth_destination. Postfix will refuse to receive mail otherwise.

Restrictions:

permit_auth_destination
Permit the request when one of the following is true:

the resolved destination address matches $relay_domains or a subdomain thereof, and the address contains no sender-specified routing (user@elsewhere@domain),
Postfix is the final destination: any destination that matches $mydestination, $inet_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains.

reject_unauth_destination
Reject the request unless one of the following is true:

the resolved destination address matches $relay_domains or a subdomain thereof, and the address contains no sender-specified routing (user@elsewhere@domain),
Postfix is the final destination: any destination that matches $mydestination, $inet_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains.
The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 554).

permit_mx_backup
Permit the request when the local mail system is MX host for the resolved destination. This includes the case that the local mail system is the final destination. However, the SMTP server will not forward mail with addresses that have sender-specified routing information (example: user@elsewhere@domain),
Use the optional permit_mx_backup_networks parameter to also require that the primary MX hosts match a list of network blocks.
Relevant configuration parameters: permit_mx_backup_networks, $mydestination, $inet_interfaces.

check_recipient_access maptype:mapname
maptype:mapname
Search the named access database for the resolved destination address, recipient domain or parent domain, or localpart@.

check_recipient_maps
Reject the request when the recipient address is not listed in one of the following lookup tables:

Recipient domain matches Recipient lookup table
$mydestination or $inet_interfaces $local_recipient_maps
$virtual_alias_domains $virtual_alias_maps
$virtual_mailbox_domains $virtual_mailbox_maps
$relay_domains $relay_recipient_maps

Note 1: a null $local_recipient_maps or $relay_recipient_maps setting means that no recipient check is done for the corresponding domains.
Note 2: Postfix applies an implicit check_recipient_maps restriction at the end of all recipient restrictions.

reject_unknown_recipient_domain
Reject the request when the recipient mail address has no DNS A or MX record. The unknown_address_reject_code parameter specifies the response code for rejected requests (default: 450). The response is always 450 in case of a temporary DNS error.

reject_rhsbl_recipient domain.tld
Reject the request when the recipient mail address domain is listed with an A record under domain.tld. The maps_rbl_reject_code parameter specifies the response code for rejected requests (default: 554), the default_rbl_reply parameter specifies the default server reply, and the rbl_reply_maps parameter specifies tables with server replies indexed by RBL domain.

reject_non_fqdn_recipient
Reject the request when the address in the client RCPT TO command is not in fully-qualified domain form. The non_fqdn_reject_code specifies the response code to rejected requests (default: 504).

permit
defer
reject
warn_if_reject
reject_unauth_pipelining
See generic restrictions.

Recipient domain matches	Recipient lookup table
$mydestination or $inet_interfaces	$local_recipient_maps
$virtual_alias_domains	$virtual_alias_maps
$virtual_mailbox_domains	$virtual_mailbox_maps
$relay_domains	$relay_recipient_maps

ETRN command restrictions

Not really an UCE restriction, the smtpd_etrn_restrictions parameter restricts what domains can be specified in ETRN commands, and what clients can issue ETRN commands.

Default:

smtpd_etrn_restrictions =

By default, the Postfix SMTP server accepts any ETRN command from any client.

Syntax:

Specify a list of zero or more restrictions, separated by whitespace or commas. Restrictions are applied in the order as specified; the first restriction that matches wins.

In addition to restrictions that are specific to ETRN domain names, you can also specify restrictions based on the information passed with the HELO/EHLO command , and on the client hostname or network address .

Example:

smtpd_etrn_restrictions = permit_mynetworks, hash:/etc/postfix/etrn_access, reject

Restrictions:

check_etrn_access maptype:mapname
maptype:mapname
Search the named access database for the domain specified in the ETRN command, or its parent domains. Reject the request if the result is REJECT text... or "[45]XX text". Permit the request if the result is OK or RELAY or all-numerical. Otherwise, treat the result as another list of UCE restrictions. The access_map_reject_code parameter specifies the result code for rejected requests (default: 554).

permit
defer
reject
warn_if_reject
reject_unauth_pipelining
See generic restrictions.

Generic restrictions

The following restrictions can use used for client hostnames or addresses, for HELO (EHLO) hostnames, for sender mail addresses and for recipient mail addresses.

Restrictions:

permit: Permit the request. This restriction is useful at the end of a restriction list, to make the default policy explicit.
defer: Defer the request. The client is told to try again later. This restriction is useful at the end of a restriction list, to make the default policy explicit.
reject: Reject the request. This restriction is useful at the end of a restriction list, to make the default policy explicit. The reject_code configuration parameter specifies the response code to rejected requests (default: 554).
warn_if_reject: Change the meaning of the next restriction, so that it logs a warning instead of rejecting a request (look for logfile records that contain "reject_warning"). This is useful for testing new restrictions in a "live" environment without risking unnecessary loss of mail.
reject_unauth_pipelining: Reject the request when the client sends SMTP commands ahead of time without knowing that Postfix actually supports SMTP command pipelining. This stops mail from bulk mail software that improperly uses SMTP command pipelining to speed up deliveries.

Additional UCE control parameters

default_rbl_reply: The default reply template that is used when an SMTP client request is blocked by a reject_rbl or reject_rhsbl restriction. The reply template is subjected to exactly one level of $name macro substitution as described below. The smtpd_expansion_filter configuration parameter specifies the set of characters that are allowed in $name macro expansions. Characters outside the allowed set are replaced by "_".

Default:
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
Instead of the form $name you can also specify ${name} or $(name).

Macro expansion syntax:

$client
The client hostname and IP address, formatted as name[address].
$client_name
The client hostname, or unknown.
$client_address
The client IP address.
$helo_name
The hostname given in the HELO or EHLO command, or the empty string when no HELO or EHLO command was given.
$sender
The sender address, or <> in case of the null address.
$sender_name
The sender address localpart, or <> in case of the null address.
$sender_domain
The sender address domain, or the empty string when no domain is available.
$recipient
The recipient address, or <> in case of the null address.
$recipient_name
The recipient address localpart, or <> in case of the null address.
$recipient_domain
The recipient address domain, or the empty string when no domain is available.
$rbl_what
The blacklisted entity: an IP address, a hostname, a domain name, or an email address whose domain is blacklisted.
$rbl_domain
The RBL domain where $rbl_what is blacklisted with an A record.
$rbl_reason
The reason why $rbl_what is blacklisted, or the empty string when no information is available.
$rbl_class
The blacklisted entity type: Client host, Helo command, Sender address, or Recipient address.
$rbl_code
The numerical server reply code, as specified with the maps_rbl_reject_code configuration parameter (default: 554).
All other text
Copied without change, with the exception of conditional macro expansion as described below.

Conditional macro expansion syntax:

${name?text}
expands to text if $name is not empty.
${name:text}
expands to text if $name is empty.

permit_mx_backup_networks

Restrict the use of the permit_mx_backup relay control feature to destinations whose primary MX hosts match a list of network blocks.

Default:

permit_mx_backup_networks =

That is, all networks are authorized by default.

Syntax:

Specify a list of network blocks in CIDR (network/mask) notation, for example:

permit_mx_backup_networks = 168.100.0.0/16

You can also specify the absolute pathname of a pattern file instead of listing the patterns in the main.cf file.

rbl_reply_maps

This parameter specifies lookup tables with RBL reply templates indexed by RBL domain name. If no template is found, the default_rbl_reply template is used instead.

Default:

rbl_reply_maps =

By default, Postfix always uses the default_rbl_reply template.

Syntax:

Specify zero or more type:name lookup tables, separated by whitespace and/or commas. For the syntax of the template reply strings, see the default_rbl_reply parameter description.

relay_domains

This parameter controls the behavior of the reject_unauth_destination and permit_auth_destination restrictions that can appear as part of a recipient address restriction list.

Default:

relay_domains = $mydestination

By default, the Postfix SMTP server relays mail:

from trusted clients whose IP address matches $mynetworks,
from untrusted clients to destinations that match $relay_domains or a subdomain thereof, except for addresses that contain sender-specified routing (user@elsewhere@domain).

Syntax:

Specify zero or more domain names, /file/name patterns and/or type:name lookup tables, separated by whitespace and/or commas. A /file/name is replaced by its contents; type:name requests that table lookup is done instead of string comparison.

A host or destination address matches $relay_domains when its name or parent domain matches any of the names, files or lookup tables listed in $relay_domains.

smtpd_sender_login_maps

This parameter specifies ownership of MAIL FROM addresses, as used by the reject_sender_login_mismatch sender address restriction.

Default:

smtpd_sender_login_maps =

Syntax:

Specify zero or more type:name lookup tables, separated by whitespace and/or commas. The maps are searched in the specified order. Regexp tables are allowed.

Each map entry specifies a sender address and the login name that owns the address. The search order is:

user@domain owner: This form has the highest precedence.
user owner: This matches user@site when site is equal to $myorigin, when site is listed in $mydestination, or when it is listed in $inet_interfaces.
@domain owner: This matches every address in the specified domain, and has the lowest precedence.