digitalFAQ.com Forum - Edit Postfix to use DNS blacklists, block spam without SpamAssassin or Amavis

Spam filters are nice, but can consumer 100MB or more of your server RAM. If you have a big server, with 1GB or more of RAM all for yourself, great! If you have a small budget VPS, that can tank your entire setup. Not great! In another post, I just discussed how ClamAV and Amavis can be disabled to save more than 150MB of memory. However, that doesn't mean you just have to live with spam. Use DNSBL!

Using your favorite text editor (I'm using vi on my Ubuntuo 10.10 VPS), you'll simply edit one file, then disable the unneeded services via command-line.
Remember your basic vi commands:
Press i to edit the text file.
Press ESC to exit edit mode.
After escaping, type :w to save changes.
Then :q to quit the editor.

To edit the Postfix configuration file, ype this into your shell (SSH) console window:

Code:

vi /etc/postfix/main.cf

Find the line that has this:

Code:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination smtpd_tls_security_level = may

and add

Code:

reject_rbl_client zen.spamhaus.org

which gives you a line that now looks like this:

Code:

smtpd_recipient_restrictions = reject_rbl_client zen.spamhaus.org, permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination smtpd_tls_security_level = may

In this example, I added a single DNSBL entry: zen.spamhaus.org.
However, you can added more. Just be aware that not all DNSBL are safe to use, and will end up blocking some degree of legitimate content. Tread carefully, tread lightly. Don't be a DNSBL junkie, or you could find yourself with an empty inbox (which may mean missed business, missed contacts from friends/family, etc).

A "more" entry might look like this:

Code:

smtpd_recipient_restrictions = reject_rbl_client zen.spamhaus.org, reject_rbl_client 2.0.0.127.b.barracudacentral.org, permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination smtpd_tls_security_level = may

Note that "reject_rbl_client" is repeated for each new entry, and then separated by a comma.

After your editing is done, restart postfix. Type this into SSH:

Code:

/etc/init.d/postfix restart

If you see this, you succeeded in making correct changes:

Code:

 * Stopping Postfix Mail Transport Agent postfix ( OK )

 * Starting Postfix Mail Transport Agent postfix ( OK )

If you edited the code improperly, such as not keeping all code on a single line, you may end up with an error message like this:

Code:

 * Stopping Postfix Mail Transport Agent postfix

  postfix: fatal: /etc/postfix/main.cf, line 54: missing '=' after attribute name: "reject_rbl_client zen.spamhaus.org,"

Edit code as needed to fix your mistake.

And that's it. Very easy. :thumb:

A list of all possible DNS blacklists can be found at Wikipedia: http://en.wikipedia.org/wiki/Compari...DNS_blacklists
Though I'm not a big Wikipedia fan, this page does seem to be well maintained. Do note that quite a few DNSBL are pretty terrible, dumping legitimate mail and missing spam. If I had to suggest the best DNSBL, I'd look at Spamhaus (zen), Barracuda (register on the Barricuda site), UCE Protect (L2), and SORBS (recent). The goal is to use as few DNSBL as possible, while also blocking at least 95% of spam.

And, of course, if you run into spam that can all be traced back to specific nuisance IP addresses, you can always use your Firewall.

Hope this helps. :cool:

And most important, USE A GOOD HOST!
See our list here: http://www.digitalfaq.com/forum/web-...-best-web.html