Configuring Postfix RBL Checks: How to Properly Enable Spamhaus and SpamCop Blacklist Filters



When implementing RBL (Real-time Blackhole List) checks in Postfix, it's crucial to understand the proper placement and syntax of restrictions. The issue described typically occurs when RBL checks are incorrectly configured for the submission service.

The existing submission service configuration shows several important security settings but lacks proper RBL integration. The critical section is:

smtpd_recipient_restrictions=reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_sasl_authenticated,
    reject

RBL checks should be added to smtpd_recipient_restrictions, but with careful ordering:

smtpd_recipient_restrictions=
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    permit_sasl_authenticated,
    reject

  • Place RBL checks before permit_sasl_authenticated
  • Ensure each RBL service is on its own line for clarity
  • Test with postconf -n after changes

If logs remain empty after changes:

  1. Check the current Postfix debug settings: postconf | grep debug
  2. Increase verbosity: postconf -e debug_peer_level=2
  3. Restart Postfix: systemctl restart postfix

For more granular control, consider using postscreen in main.cf:

postscreen_access_list = permit_mynetworks
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = sbl-xbl.spamhaus.org*2,
                         bl.spamcop.net*1

When using multiple RBLs:

  • Monitor DNS query times with dig sbl-xbl.spamhaus.org
  • Consider local DNS caching (unbound or dnsmasq)
  • Limit the per-client connection rate: smtpd_client_connection_rate_limit = 30

Verify RBL functionality with:

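dig +short 2.0.0.127.sbl-xbl.spamhaus.org

(A DNSBL lookup reverses the octets of the test address 127.0.0.2 and prepends them to the list's zone. Should return 127.0.0.2 if working properly)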


When implementing RBL (Realtime Blackhole List) filtering in Postfix, many administrators encounter issues where mail clients appear to hang during submission. The root cause typically lies in either incorrect parameter placement or missing essential configuration elements.

For a working RBL setup in Postfix, you need to modify the smtpd_recipient_restrictions parameter in your main.cf or master.cf file. The correct way to implement this would be:

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rhsbl_sender dbl.spamhaus.org,
    check_policy_service unix:private/policy,
    permit

Key points to remember when configuring RBL checks:

  • Always place RBL checks after authentication and network permission rules
  • Include a final permit statement as the last entry
  • Test each RBL service individually before combining them
  • Monitor your mail logs for false positives
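
The two listings on this page place the RBL checks differently relative to permit_sasl_authenticated. The following added example (not Postfix code and not from the original page) models first-match evaluation of a restriction list to show what each order does to an authenticated client on a listed address. The client records, the listed IP 192.0.2.10 and the simplified checks are constructed assumptions.

```python
# Added example: simplified model of how Postfix walks a restriction list.
# The first PERMIT or REJECT ends evaluation; DUNNO falls through.
PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed data: 192.0.2.10 (documentation range) stands in for a listed IP.
LISTED = {"sbl-xbl.spamhaus.org": {"192.0.2.10"}, "bl.spamcop.net": set()}

def check(entry, client):
    name, _, arg = entry.partition(" ")
    if name == "permit_mynetworks":
        return PERMIT if client["in_mynetworks"] else DUNNO
    if name == "permit_sasl_authenticated":
        return PERMIT if client["sasl"] else DUNNO
    if name == "reject_rbl_client":
        return REJECT if client["ip"] in LISTED.get(arg, ()) else DUNNO
    if name == "reject_unauth_destination":
        return DUNNO if client["rcpt_is_local"] else REJECT
    if name in ("permit", "reject"):
        return name.upper()
    return DUNNO  # not modelled: FQDN/domain checks, rhsbl, policy service

def evaluate(restrictions, client):
    """Return (verdict, deciding entry) for one client."""
    for entry in restrictions:
        verdict = check(entry, client)
        if verdict != DUNNO:
            return verdict, entry
    return PERMIT, "(end of list)"

RBL_FIRST = [  # first listing on the page (submission service)
    "reject_non_fqdn_recipient", "reject_unknown_recipient_domain",
    "reject_rbl_client sbl-xbl.spamhaus.org", "reject_rbl_client bl.spamcop.net",
    "permit_sasl_authenticated", "reject"]
AUTH_FIRST = [  # second listing on the page
    "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination",
    "reject_rbl_client sbl-xbl.spamhaus.org", "reject_rbl_client bl.spamcop.net",
    "reject_rhsbl_sender dbl.spamhaus.org",
    "check_policy_service unix:private/policy", "permit"]

# Constructed clients: an authenticated user on a listed address, and an
# unauthenticated sender on the same address mailing a local recipient.
roaming_user = dict(ip="192.0.2.10", sasl=True, in_mynetworks=False, rcpt_is_local=False)
listed_sender = dict(ip="192.0.2.10", sasl=False, in_mynetworks=False, rcpt_is_local=True)

if __name__ == "__main__":
    for label, rules in (("RBL first", RBL_FIRST), ("auth first", AUTH_FIRST)):
        for who, client in (("roaming_user", roaming_user), ("listed_sender", listed_sender)):
            print(f"{label:10} {who:13} -> {evaluate(rules, client)}")
```

With the RBL entries first, the authenticated roaming_user is rejected at the sbl-xbl entry before authentication is consulted; with authentication first, that client is permitted and the unauthenticated listed_sender is still rejected.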

If your mail client hangs during submission:

# Check Postfix debug output
postconf -vv
postfix check
tail -f /var/log/mail.log

Common solutions include:

# Ensure proper DNS resolution
apt-get install dnsutils
dig sbl-xbl.spamhaus.org

For high-volume mail servers, consider these optimizations:

# In main.cf
smtpd_client_connection_rate_limit = 100
anvil_rate_time_unit = 60s
smtpd_error_sleep_time = 10s