Postscreen is a handy feature of Postfix 2.9 and later if you want to keep frequent invalid external requests from degrading the performance of your server. It runs a set of basic tests before the remote server can even initiate SMTP transport. Its features are vast, and you can read about it here.

First, if you have Postfix < v2.9, you’ll need to upgrade it to a newer version, and one way is using this howto.

Once that’s done, add this small block of configuration at the end of main.cf:

postscreen_access_list = permit_mynetworks,
                        cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
        pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3
        b.barracudacentral.org*2
        bl.spameatingmonkey.net*2
        bl.spamcop.net
        dnsbl.sorbs.net
        psbl.surriel.com
        bl.mailspike.net
        swl.spamhaus.org*-4
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
postscreen_whitelist_interfaces = 127.0.0.1/32, static:all
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
meta_directory = /etc/postfix
shlib_directory = no

The config above performs a moderate compliance check on a remote mail server before allowing it to start the SMTP transport.
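How the weights in postscreen_dnsbl_sites combine against postscreen_dnsbl_threshold, as an added example (not part of the original post and not Postfix code). The function names and the sample listings are made up for illustration, and no DNS lookups are performed.

```python
# Added example: models postscreen's DNSBL scoring; this is not Postfix code.
import ipaddress

# postscreen_dnsbl_sites value copied from the main.cf above.
DNSBL_SITES = """zen.spamhaus.org*3 b.barracudacentral.org*2
    bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net
    psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4"""
THRESHOLD = 3  # postscreen_dnsbl_threshold


def parse_sites(value):
    """Parse 'domain[=filter][*weight]' entries into {domain: weight}."""
    weights = {}
    for entry in value.replace(",", " ").split():
        site, _, weight = entry.partition("*")
        domain = site.partition("=")[0]  # reply filters are not modelled here
        weights[domain] = int(weight) if weight else 1  # default weight is 1
    return weights


def query_name(client_ip, domain):
    """DNS name looked up for an IPv4 client: reversed octets + list domain."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + domain


def dnsbl_score(listed_on, weights):
    """Sum the weights of every configured list that returned a record."""
    return sum(weights[d] for d in listed_on if d in weights)


def blocked(listed_on, weights=None, threshold=THRESHOLD):
    """True when the combined score reaches the threshold (inclusive)."""
    weights = parse_sites(DNSBL_SITES) if weights is None else weights
    return dnsbl_score(listed_on, weights) >= threshold


if __name__ == "__main__":
    # Constructed listings, not real lookup results.
    cases = [["zen.spamhaus.org"], ["b.barracudacentral.org"],
             ["bl.spamcop.net", "dnsbl.sorbs.net", "psbl.surriel.com"],
             ["zen.spamhaus.org", "swl.spamhaus.org"]]
    for listed in cases:
        print(blocked(listed), listed)
    print(query_name("192.0.2.25", "zen.spamhaus.org"))
```

With these weights, a single zen.spamhaus.org hit is enough to block, any other list needs corroboration from at least one more, and a swl.spamhaus.org listing outweighs a zen hit.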

There’s a whitelist file that needs to be at least touched, where you can actually whitelist remote servers that will not go through the postscreen checks. The point is that this configuration enables greylisting, so your emails will initially be delayed, at least for the first transport attempt, until Postfix whitelists the sender in its database. So, I usually put Gmail’s IPs here, because it’s a real pain to wait until Postfix tracks them all down:

vi /etc/postfix/postscreen_access.cidr and enter:

#gmail whitelist
64.18.0.0/20            permit
64.233.160.0/19         permit
66.102.0.0/20           permit
66.249.80.0/20          permit
72.14.192.0/18          permit
74.125.0.0/16           permit
173.194.0.0/16          permit
207.126.144.0/20        permit
209.85.128.0/17         permit
216.58.192.0/19         permit
216.239.32.0/19         permit

This is the current list of Gmail’s IPs, but you can contact Google about how to obtain an up-to-date one. In my opinion, there’s no significant need to update them manually, because Postfix will eventually whitelist them on its own when a new, smaller IP range comes up.

And now, let’s enable Postscreen. Open master.cf, comment out the smtp transport line at the beginning, and uncomment these lines:

smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy

which are probably at the end of your master.cf file.

service postfix restart

and good luck!