PGL4RBL: Greylisting on RBL (DNS blacklist) for Postfix
This package implements a Postfix policy server that mixes two widely used techniques: greylisting and RBLs (DNS blacklists). The idea is that SMTP clients that match an RBL get greylisted. Normal clients are not delayed (unlike with a conventional greylisting implementation), and RBL false positives do not cause problems (as they would if listed clients were rejected outright at the SMTP level).

More information can be found in this blog post.

Installation

Install pgl4rbl somewhere on the local Postfix filesystem, for instance:

cd /usr/local
git clone https://github.com/develersrl/pgl4rbl

Create the pgl4rbl user:

adduser --home=/var/spool/postfix/pgl4rbl --ingroup=nogroup --shell=/usr/sbin/nologin pgl4rbl

Edit the configuration file (/usr/local/pgl4rbl/pgl4rbl.conf) as needed. All defaults are meant to be reasonable and correct, but you are welcome to change them if you want.

Now, tell Postfix to start pgl4rbl as a service, by editing /etc/postfix/master.cf and adding this line to it:

# greylisting on rbl
rbl_grey unix  -       n       n       -       0       spawn
        user=pgl4rbl argv=/usr/local/pgl4rbl/pgl4rbl.py --config /usr/local/pgl4rbl/pgl4rbl.conf

Then, in /etc/postfix/main.cf, within the smtpd_recipient_restrictions list, add the following line:

check_policy_service unix:private/rbl_grey

Finally, reload postfix:

service postfix reload

Example of full anti-spam configuration

For instance, the following section shows a sample anti-spam configuration with several rules:

smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        permit_dnswl_client list.dnswl.org
        reject_rbl_client sbl.spamhaus.org
        reject_rbl_client psbl.surriel.com
        reject_unauth_destination
        reject_unlisted_recipient
        check_policy_service unix:private/rbl_grey

This is what happens, step by step:

  • If the client's IP is in mynetworks, mail is delivered.
  • If the client has authenticated, mail is delivered.
  • If the client's IP is in the whitelist, mail is delivered.
  • If the client's IP is in either the Spamhaus SBL or PSBL blacklists, the mail is rejected (500).
  • If the mail destination's domain is not directly handled by Postfix, mail is rejected (this disables open relaying).
  • If the mail destination's email is not a valid email address, mail is rejected.
  • Otherwise, the mail is handled by pgl4rbl, which checks whether the client's IP is in one of the configured RBLs and greylists it if so.
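The policy exchange behind that last step, as an added example that is not pgl4rbl's own code: a minimal policy server that reads a Postfix policy request on stdin, performs the reversed-octet RBL lookup, and replies DEFER_IF_PERMIT only for a first attempt from a listed client, answering DUNNO for everyone else so the remaining restrictions decide. The zone names, the 300-second delay, the in-memory triplet store and the canned DNS answers in FAKE_ANSWERS are assumptions made for the demo; pgl4rbl's real settings live in pgl4rbl.conf.

```python
"""Added example (not pgl4rbl's own code): a minimal Postfix policy server that
greylists only SMTP clients listed in an RBL, as the README describes."""
import functools
import io
import socket
import sys
import time

# Zones assumed for this example (two of the defaults named under "Choosing a Blacklist").
RBL_ZONES = ("xbl.spamhaus.org", "pbl.spamhaus.org")
GREYLIST_DELAY = 300  # seconds a listed client must wait before a retry is accepted


def rbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4:
        return None  # this example handles IPv4 only
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zones=RBL_ZONES, resolve=socket.gethostbyname):
    """True if any zone answers with a 127.0.0.0/8 address; `resolve` is injectable."""
    for zone in zones:
        name = rbl_query_name(ip, zone)
        if name is None:
            continue
        try:
            answer = resolve(name)
        except OSError:
            continue  # NXDOMAIN (not listed) or resolver failure: fail open
        if answer.startswith("127."):
            return True
    return False


def parse_policy_request(stream):
    """Read one Postfix policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in stream:
        line = line.rstrip("\n")
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class Greylist:
    """In-memory (ip, sender, recipient) triplet store with an injectable clock."""

    def __init__(self, delay=GREYLIST_DELAY, now=time.time):
        self.delay, self.now, self.first_seen = delay, now, {}

    def decide(self, attrs, listed=is_listed):
        ip = attrs.get("client_address", "")
        if not ip or not listed(ip):
            return "DUNNO"  # not on any RBL: leave the verdict to later restrictions
        key = (ip, attrs.get("sender", ""), attrs.get("recipient", ""))
        t = self.now()
        if t - self.first_seen.setdefault(key, t) < self.delay:
            return "DEFER_IF_PERMIT Greylisted, please try again later"
        return "DUNNO"  # the client retried after the delay: stop greylisting it


def serve_one(stream_in, stream_out, greylist, listed=is_listed):
    """Answer a single request in Postfix's 'action=...' reply format."""
    attrs = parse_policy_request(stream_in)
    if not attrs:
        return None  # EOF: Postfix closed the connection
    action = greylist.decide(attrs, listed)
    stream_out.write("action=%s\n\n" % action)
    stream_out.flush()
    return action


# Constructed offline DNS data for the demo: a single listed IP with a canned answer.
FAKE_ANSWERS = {"4.3.2.1.xbl.spamhaus.org": "127.0.0.4"}


def fake_resolve(name):
    """Stand-in for socket.gethostbyname; raises like NXDOMAIN for unlisted names."""
    if name in FAKE_ANSWERS:
        return FAKE_ANSWERS[name]
    raise OSError("NXDOMAIN")


def demo():
    """Run a listed and an unlisted client through the server with a fake clock."""
    clock = [1000.0]
    gl = Greylist(delay=300, now=lambda: clock[0])
    listed = functools.partial(is_listed, resolve=fake_resolve)
    req = ("request=smtpd_access_policy\nclient_address=%s\n"
           "sender=alice@example.com\nrecipient=bob@example.net\n\n")
    actions = [serve_one(io.StringIO(req % "1.2.3.4"), io.StringIO(), gl, listed)]
    clock[0] += 400  # the listed client retries after the greylist delay
    actions.append(serve_one(io.StringIO(req % "1.2.3.4"), io.StringIO(), gl, listed))
    actions.append(serve_one(io.StringIO(req % "9.9.9.9"), io.StringIO(), gl, listed))
    return actions


if __name__ == "__main__":  # under Postfix spawn(8): requests on stdin, replies on stdout
    gl = Greylist()
    while serve_one(sys.stdin, sys.stdout, gl) is not None:
        pass
```

Two design points worth noting: a resolver error is treated as "not listed" so a DNS outage degrades to no greylisting rather than deferring all mail, and the reply is DEFER_IF_PERMIT rather than DEFER, so that a later reject restriction in the list still wins over the temporary failure.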

Choosing a Blacklist

The default configuration of pgl4rbl includes the following blacklists:

  • xbl.spamhaus.org: list of hijacked PCs (aka "zombies")
  • pbl.spamhaus.org: list of consumer IP ranges that should not be running mail servers
  • bl.spamcop.net: list of IPs which sent spam (as reported by a large community of volunteers)
  • dnsbl.sorbs.net: list of IPs which sent spam to a set of honeypots / spam traps

In our experience, outright rejection of email through these blacklists would be too harsh, while their usage within pgl4rbl achieves a very good balance.