Examining your log files reveals a critical pattern: while some connections from "unknown" hosts (those without reverse DNS) are being rejected by your current Postfix configuration (as seen in the first log block), others mysteriously slip through (second block). The key difference appears in how Postfix processes the HELO/EHLO commands.
Your smtpd_helo_restrictions contains reject_unknown_helo_hostname, which only triggers when:
- The client sends a HELO/EHLO hostname
- That hostname fails DNS verification
The spam that gets through likely either:
- Doesn't send HELO/EHLO at all (though your config requires it)
- Sends a syntactically valid but fake hostname that passes basic checks
Add this to your main.cf (continuation lines must be indented, otherwise Postfix reads each one as a separate, malformed parameter):
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access cidr:/etc/postfix/rbl_override,
    reject_unknown_client_hostname,
    reject_unauth_pipelining,
    check_client_access pcre:/etc/postfix/unknown_ip_reject
Create /etc/postfix/unknown_ip_reject:
/^unknown\[/ REJECT Your IP has no reverse DNS
/^\[/ REJECT Your IP has no reverse DNS
For maximum protection, combine with realtime blacklists:
smtpd_client_restrictions =
    [...existing rules...]
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client dnsbl.sorbs.net
After changes, run:
postmap /etc/postfix/unknown_ip_reject
postfix reload
Test with:
telnet your.mail.server 25
Trying x.x.x.x...
Connected to your.mail.server.
Escape character is '^]'.
220 your.mail.server ESMTP
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
Since you're using Plesk, make sure to run:
plesk bin mailserver --update-server
to prevent Plesk from overwriting your Postfix configuration during updates.
- ✔ Client restrictions before HELO phase
- ✔ PCRE patterns for unknown IP formats
- ✔ RBL integration
- ✔ Plesk compatibility measures
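To make the difference between the two client-side checks concrete, here is an added Python example (not code from the answer above or from Postfix) that classifies a client IP the way reject_unknown_reverse_client_hostname and reject_unknown_client_hostname do, and shows which name smtpd would log in "connect from NAME[IP]". The DNS tables, hostnames and lookup callables are constructed assumptions so the script runs offline; the live_* helpers show how to substitute real resolver calls.

```python
"""Classify an SMTP client IP the way Postfix's reverse-DNS client checks do.

Added example, not code from the original answer or from Postfix. The fake
DNS data below is constructed for the demonstration; pass the live_* helpers
as the lookup arguments to check a real address instead.
"""
import socket

# Constructed PTR and A records (documentation-range addresses, not real hosts).
FAKE_PTR = {
    "203.0.113.10": "mail.example.net",   # PTR and forward lookup agree
    "203.0.113.20": "ghost.example.net",  # PTR exists, but the name has no address
    "203.0.113.30": "spoof.example.net",  # PTR exists, forward lookup points elsewhere
    # 203.0.113.40 deliberately has no PTR record at all
}
FAKE_A = {
    "mail.example.net": ["203.0.113.10"],
    "spoof.example.net": ["198.51.100.7"],
}


def fake_ptr_lookup(ip):
    """IP -> hostname from the constructed table (None when there is no PTR)."""
    return FAKE_PTR.get(ip)


def fake_a_lookup(name):
    """hostname -> list of addresses from the constructed table."""
    return FAKE_A.get(name, [])


def live_ptr_lookup(ip):
    """Real PTR lookup via the system resolver (needs network access)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a_lookup(name):
    """Real A/AAAA lookup via the system resolver (needs network access)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def classify_client(ip, ptr_lookup=fake_ptr_lookup, a_lookup=fake_a_lookup):
    """Return which of the two Postfix restrictions would fire for this client.

    Semantics follow the Postfix documentation:
      reject_unknown_reverse_client_hostname fires only when the IP has no PTR.
      reject_unknown_client_hostname fires when the IP has no PTR, the PTR name
      has no A/AAAA record, or those addresses do not include the client IP.
    'logged_name' is what smtpd prints in "connect from NAME[IP]": Postfix logs
    "unknown" in all three failing cases, not only when the PTR is missing.
    """
    reverse_name = ptr_lookup(ip)
    if reverse_name is None:
        return {"logged_name": "unknown", "reverse_unknown": True,
                "unknown": True, "reason": "no PTR record"}
    addrs = a_lookup(reverse_name)
    if not addrs:
        return {"logged_name": "unknown", "reverse_unknown": False,
                "unknown": True, "reason": "PTR name has no A/AAAA record"}
    if ip not in addrs:
        return {"logged_name": "unknown", "reverse_unknown": False,
                "unknown": True, "reason": "forward lookup does not match client IP"}
    return {"logged_name": reverse_name, "reverse_unknown": False,
            "unknown": False, "reason": "forward-confirmed reverse DNS"}


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.40"):
        result = classify_client(ip)
        print(f"connect from {result['logged_name']}[{ip}] -> {result['reason']}")
```

The point of the three failing cases is that a client can have a PTR record and still be logged as unknown[IP]: only reject_unknown_client_hostname (the restriction used in the configuration above) catches the ghost and spoof cases, while reject_unknown_reverse_client_hostname lets them through.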
Nov 24 14:16:09 sof postfix/smtpd[8221]: connect from unknown[190.237.252.197]
Nov 24 14:16:18 sof postfix/smtpd[8221]: 9467B848368A: client=unknown[190.237.252.197]
Your current configuration is inconsistently rejecting connections from IPs without reverse DNS (PTR records). While some get blocked by your HELO restrictions, others slip through during the SMTP transaction.
The issue occurs because:
- Your reject_unknown_helo_hostname only checks during HELO/EHLO
- The unknown[] notation appears before HELO verification
- Plesk's postfix integration may bypass some checks
1. Early Rejection with smtpd_client_restrictions
# Add to main.cf (continuation lines must be indented)
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access regexp:/etc/postfix/block_unknown_ips,
    reject_unknown_client_hostname,
    permit
Create /etc/postfix/block_unknown_ips:
/^unknown\[.*\]$/ REJECT No reverse DNS
2. Policy Server Alternative
For CentOS with Plesk:
# /etc/postfix/main.cf (the unix:private/policy service itself is defined in master.cf)
smtpd_client_restrictions =
    check_policy_service unix:private/policy,
    permit_mynetworks,
    permit_sasl_authenticated
3. Postfix 2.9+ Deep Inspection
# Requires newer Postfix
smtpd_client_restrictions =
    reject_unknown_reverse_client_hostname,
    reject_unknown_client_hostname
Verify with:
postmap -q "unknown[1.2.3.4]" regexp:/etc/postfix/block_unknown_ips
postconf -n | grep smtpd_client_restrictions
Add this to identify leaks:
# /etc/rsyslog.d/postfix.conf
:msg, contains, "connect from unknown" /var/log/postfix/unknown_conn.log
Then create a monitoring script:
#!/bin/bash
# Follow the rsyslog-filtered log (-F survives logrotate) and mail one alert per unknown client
tail -F /var/log/postfix/unknown_conn.log | while read -r line
do
    ip=$(printf '%s\n' "$line" | grep -oP '(?<=unknown\[)[^\]]+')
    [ -n "$ip" ] || continue   # skip lines that carry no unknown[ip] token
    echo "Leaked connection from $ip" | mail -s "Postfix Unknown IP Alert" admin@domain.com
done
- Restart Postfix after changes:
systemctl restart postfix
- Verify with:
postfix check
- Test with:
telnet your.server 25
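The monitoring script above alerts on every unknown-client connection, rejected or not. As an added example (not code from the answers above), the following Python script reads Postfix smtpd log lines in the format shown on this page and separates the connections that were actually accepted (a queue id was assigned, i.e. a restriction gap) from those that were rejected with NOQUEUE. The sample log is constructed for the demonstration; its first two lines copy the ones quoted on this page, the rest use documentation-range addresses.

```python
"""Find unknown-client connections that still got a queue id ("leaks").

Added example, not code from the original answers. It parses Postfix smtpd
log lines, counts "connect from unknown[IP]" events, and reports which of
those clients were accepted (queue id assigned) versus rejected (NOQUEUE).
The SAMPLE_LOG below is constructed; the first two lines are the ones
quoted on this page.
"""
import re

CONNECT_RE = re.compile(r"connect from (\S+?)\[([0-9a-fA-F.:]+)\]")
CLIENT_RE = re.compile(r": ([0-9A-F]+): client=unknown\[([0-9a-fA-F.:]+)\]")
REJECT_RE = re.compile(r"NOQUEUE: reject: \S+ from unknown\[([0-9a-fA-F.:]+)\]")

SAMPLE_LOG = """\
Nov 24 14:16:09 sof postfix/smtpd[8221]: connect from unknown[190.237.252.197]
Nov 24 14:16:18 sof postfix/smtpd[8221]: 9467B848368A: client=unknown[190.237.252.197]
Nov 24 14:17:02 sof postfix/smtpd[8230]: connect from unknown[203.0.113.55]
Nov 24 14:17:03 sof postfix/smtpd[8230]: NOQUEUE: reject: RCPT from unknown[203.0.113.55]: 450 4.7.1 Client host rejected: cannot find your hostname, [203.0.113.55]; from=<a@example.org> to=<b@example.com> proto=ESMTP helo=<x>
Nov 24 14:18:00 sof postfix/smtpd[8240]: connect from mail.example.net[198.51.100.9]
Nov 24 14:18:01 sof postfix/smtpd[8240]: AB12CD34EF56: client=mail.example.net[198.51.100.9]
"""


def audit_unknown_clients(lines):
    """Summarise unknown-client activity: how many connected, which leaked, which were rejected."""
    unknown_connects = 0
    leaked = []       # (queue_id, ip): an unknown client was accepted for delivery
    rejected = set()  # IPs turned away before a queue id was assigned
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            if m.group(1) == "unknown":
                unknown_connects += 1
            continue
        m = CLIENT_RE.search(line)
        if m:
            leaked.append((m.group(1), m.group(2)))
            continue
        m = REJECT_RE.search(line)
        if m:
            rejected.add(m.group(1))
    return {"unknown_connects": unknown_connects,
            "leaked": leaked,
            "rejected": sorted(rejected)}


def alert_lines(summary):
    """One alert message per leaked connection, in the shape the bash script mails out."""
    return [f"Leaked connection from {ip} (queue id {qid})"
            for qid, ip in summary["leaked"]]


if __name__ == "__main__":
    summary = audit_unknown_clients(SAMPLE_LOG.splitlines())
    print(summary)
    for msg in alert_lines(summary):
        print(msg)
```

Run it against /var/log/maillog (or the rsyslog-filtered file) after reloading Postfix: once reject_unknown_client_hostname is in effect, the "leaked" list should stay empty while "rejected" grows, which is the check that the new restriction is actually being applied.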