Postscreen is a handy feature of Postfix 2.9 and on, if you want to prevent degrading the performance of your server box with frequent external invalid requests. It actually implements a set of basic tests before the remote server could even initiate SMTP transport. It’s features are vast, and you can read about it here.
First, if you have Postfix < v2.9, you’ll need to upgrade it to a newer version, and one way is using this howto.
If done, insert a small config code at the end of main.cf:
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr postscreen_blacklist_action = drop postscreen_dnsbl_action = enforce postscreen_dnsbl_reply_map = pcre:$config_directory/postscreen_dnsbl_reply_map.pcre postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 postscreen_dnsbl_threshold = 3 postscreen_greet_action = enforce postscreen_whitelist_interfaces = 127.0.0.1/32, static:all postscreen_bare_newline_action = enforce postscreen_bare_newline_enable = yes postscreen_non_smtp_command_enable = yes postscreen_pipelining_enable = yes meta_directory = /etc/postfix shlib_directory = no
The config aboove will do a moderate compliancy check of a mail server before it will allow it to start the SMTP transport.
There’s a whitelist file that needs to be at least touched, where you an actyally whitelist remote servers that will not go thru the postscreen checks. The matter is that this configuration enables greylisting, so your emails will initially delayed at least for the 1st trasport try, until postfix whitelists them in it’s database. So, I usually put gmail’s IPs here, because it’s real pain to until postfix tracks them all down:
vi /etc/postfix/postscreen_access.cidr and enter:
#gmail whitelist 188.8.131.52/20 permit 184.108.40.206/19 permit 220.127.116.11/20 permit 18.104.22.168/20 permit 22.214.171.124/18 permit 126.96.36.199/16 permit 188.8.131.52/16 permit 184.108.40.206/20 permit 220.127.116.11/17 permit 18.104.22.168/19 permit 22.214.171.124/19 permit
This is the current list of gmail’s IPs, but you can contact google on how to obtain an up to date. For my oppinion, there’s no signifficant need to update them manually, becaue posfix will eventually whitelist them on it’s own when a new smaller IP range comes up.
And now, let’s enable Postscreen. open master.cf and comment out the smtp transport line at the beginning, and remove comments from
smtp inet n - n - 1 postscreen smtpd pass - - n - - smtpd dnsblog unix - - n - 0 dnsblog tlsproxy unix - - n - 0 tlsproxy
which are probably at the end of your master.cf line.
service postfix restart
and good luck!