Postfix


There are various ways to configure Postfix with Guardian Mail. The following is our preferred method.

Edit /etc/postfix/main.cf

Add the following to the “smtpd_recipient_restrictions” parameter. It should be placed after “reject_unauth_destination”.

smtpd_recipient_restrictions =
    ...
    reject_unauth_destination
    # Check rDNS in domain blacklist (optional)
    reject_rhsbl_client <APIKEY>.dblack.mail.abusix.zone
    # Check HELO/EHLO in domain blacklist (optional)
    reject_rhsbl_helo <APIKEY>.dblack.mail.abusix.zone
    # Check FROM domain in blacklist (optional)
    reject_rhsbl_sender <APIKEY>.dblack.mail.abusix.zone
    # Check connecting IP in whitelist (optional)
    # permit_dnswl_client entries should be placed before any reject directives
    # that you want them to skip, and always before any reject_rbl_client
    # entries, to ensure that any IP listed on the whitelist is not rejected.
    permit_dnswl_client <APIKEY>.white.mail.abusix.zone
    # Reject any IP listed in the blacklist
    reject_rbl_client <APIKEY>.combined.mail.abusix.zone

rbl_reply_maps = texthash:/etc/postfix/rbl_reply_map

Replace <APIKEY> with “Your API key” from your account in app.abusix.com.

Next, to prevent your API key from being leaked, create /etc/postfix/rbl_reply_map with the following:

<APIKEY>.combined.mail.abusix.zone        $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using Guardian Mail${rbl_reason?; $rbl_reason}
<APIKEY>.dblack.mail.abusix.zone        $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using Guardian Mail${rbl_reason?; $rbl_reason}

Replace <APIKEY> with “Your API key” from your account in app.abusix.com.

If you are using Postscreen, you can omit the “reject_rbl_client” entry and instead add:

postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply_map
postscreen_dnsbl_sites = <APIKEY>.combined.mail.abusix.zone

Replace <APIKEY> with “Your API key” from your account in app.abusix.com.

Then, to prevent your API key from leaking, create /etc/postfix/postscreen_dnsbl_reply_map, which should contain the following:

<APIKEY>.combined.mail.abusix.zone                mail.abusix.zone

Replace <APIKEY> with “Your API key” from your account in app.abusix.com.

Then reload Postfix to activate this configuration.
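
The check below is an added example, not part of the original page or of Abusix's own tooling. It parses main.cf-style text and reports every keyed zone, used in a reject directive or in postscreen_dnsbl_sites, that has no reply-map entry or whose reply text still contains the key or $rbl_domain. The key EXAMPLEKEY, the sample configuration and the function names are constructed for illustration, and zones are assumed to be written without =filter or *weight suffixes, as on this page.

```python
SUFFIX = ".mail.abusix.zone"  # keyed zones on this page end with this
REJECTS = {"reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_helo", "reject_rhsbl_sender"}
KEY = "EXAMPLEKEY"  # constructed placeholder, not a real API key
SAMPLE_MAIN_CF = f"""\
smtpd_recipient_restrictions =
    reject_rhsbl_sender {KEY}.dblack.mail.abusix.zone
    permit_dnswl_client {KEY}.white.mail.abusix.zone
    reject_rbl_client {KEY}.combined.mail.abusix.zone
rbl_reply_maps = texthash:/etc/postfix/rbl_reply_map
postscreen_dnsbl_sites = {KEY}.combined.mail.abusix.zone
"""
SAMPLE_RBL_MAP = f"{KEY}.combined.mail.abusix.zone $rbl_code blocked using Guardian Mail\n"  # omits dblack

def params(main_cf):
    """Parse main.cf text: skip comments and blanks, join indented continuation lines."""
    out, name = {}, None
    lines = [r for r in main_cf.splitlines() if r.strip() and not r.lstrip().startswith("#")]
    for raw in lines:
        if raw[0].isspace() and name:
            out[name] += " " + raw.strip()
        elif "=" in raw:
            name, value = (s.strip() for s in raw.split("=", 1))
            out[name] = value
    return out

def texthash(text):
    """Parse texthash content into {lookup key: reply text}."""
    rows = (l.split(None, 1) + [""] for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return {r[0]: r[1] for r in rows}

def leak_reason(zone, table):
    """Return why the keyed zone would reach SMTP clients, or None if it stays hidden."""
    reply = table.get(zone)
    if reply is None:
        return "no reply-map entry, so the rejection names the full zone"
    key = zone[:-len(SUFFIX)].split(".")[0]
    return "reply text still exposes the keyed zone" if key in reply or "rbl_domain" in reply else None

def audit(main_cf, rbl_map="", postscreen_map=""):
    """Return sorted (service, zone, reason) findings for zones under SUFFIX."""
    p = params(main_cf)
    words = p.get("smtpd_recipient_restrictions", "").replace(",", " ").split()
    t1 = texthash(rbl_map) if "rbl_reply_maps" in p else {}  # a map file is inert unless referenced
    t2 = texthash(postscreen_map) if "postscreen_dnsbl_reply_map" in p else {}
    pairs = [("smtpd", z, t1) for d, z in zip(words, words[1:]) if d in REJECTS]
    pairs += [("postscreen", z, t2) for z in p.get("postscreen_dnsbl_sites", "").replace(",", " ").split()]
    return sorted({(n, z, leak_reason(z, t)) for n, z, t in pairs if z.endswith(SUFFIX) and leak_reason(z, t)})

print(audit(SAMPLE_MAIN_CF, SAMPLE_RBL_MAP))
```

On the constructed sample it reports the dblack zone, which is missing from the reply map, and the postscreen zone, for which no postscreen_dnsbl_reply_map is configured.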