
Selective Domain Filtering with Postfix and a SPAM Filtering Service

Yes, that title was a mouthful, but I’m trying to make sure I’m descriptive enough for the next guy who is in this situation. I was facing something interesting lately. There is a spambot network that is ignoring whatever you put in the MX record, and trying to send emails to other IPs associated with the domain.


Yep, rookie mistake on my part. Should have set things up so that domains forwarding to my spam filtering service can only be delivered locally if they come FROM that service. So I turned to the extremely helpful Postfix Users group.

Essentially, they suggested leveraging access(5) rules to define this in main.cf. You could throw the domains into a hash table as well, but since my config isn’t really changing that much at all, I did not go that route.

The first part of the config is to set up the CIDR blocks in question that you want to allow mail from:

    smtpd_restriction_classes = reject_unfiltered

    # Allow the filtering service IPv4/IPv6 CIDR blocks and reject
    # everything else.
    reject_unfiltered =
        check_client_access cidr:{
            {192.168.2.0/24               permit_auth_destination},
            {2001:dead:beef:cafe::/64    permit_auth_destination},
            {0.0.0.0/0                  REJECT 5.7.1 MX bypass attempt},
            {::/0                       REJECT 5.7.1 MX bypass attempt}
        }

Then, add a check to your existing smtpd_client_restrictions block to make sure that email destined for the domains you choose comes from your provider.

    smtpd_client_restrictions =
        check_recipient_access inline:{
            {filtereddomain.com = reject_unfiltered},
            {filtereddomain.net = reject_unfiltered}
        }, 
    # Just insert this at the top of your list of client
    # restrictions and you can keep processing/restricting
    # after that.

That’s all there is to it. Worked instantly and does not affect mail delivery for domains that are not listed in the second config block. Thank you to Viktor Dukhovni for helping!
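To sanity-check which client/recipient pairs the two blocks above accept before reloading Postfix, here is a small Python model of the lookup chain. It is an added example, not code from the original post or from Postfix, and it simplifies Postfix's matching: only the bare recipient domain is looked up, and the function names `cidr_lookup` and `evaluate` are hypothetical.

```python
import ipaddress

# Constructed model of the two tables from the post (same placeholder values).
REJECT_UNFILTERED = [  # cidr: table, read top to bottom, first match wins
    ("192.168.2.0/24", "permit_auth_destination"),
    ("2001:dead:beef:cafe::/64", "permit_auth_destination"),
    ("0.0.0.0/0", "REJECT 5.7.1 MX bypass attempt"),
    ("::/0", "REJECT 5.7.1 MX bypass attempt"),
]
FILTERED_DOMAINS = {  # inline: table keyed by recipient domain
    "filtereddomain.com": "reject_unfiltered",
    "filtereddomain.net": "reject_unfiltered",
}
CLASSES = {"reject_unfiltered": REJECT_UNFILTERED}


def cidr_lookup(table, client_ip):
    """Return the action of the first network containing client_ip, else None."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in table:
        network = ipaddress.ip_network(net)
        # An IPv4 client never matches an IPv6 pattern, and vice versa.
        if addr.version == network.version and addr in network:
            return action
    return None


def evaluate(client_ip, recipient):
    """Model check_recipient_access -> restriction class -> cidr table."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    cls = FILTERED_DOMAINS.get(domain)
    if cls is None:
        # Domain not listed: no decision here, later restrictions still run.
        return "DUNNO"
    return cidr_lookup(CLASSES[cls], client_ip) or "DUNNO"


if __name__ == "__main__":
    # Constructed test cases: (client IP, recipient address).
    for ip, rcpt in [
        ("192.168.2.25", "user@filtereddomain.com"),
        ("203.0.113.9", "user@filtereddomain.com"),
        ("2001:db8::1", "user@filtereddomain.net"),
        ("203.0.113.9", "user@otherdomain.example"),
    ]:
        print(f"{ip:>14} -> {rcpt:<28} {evaluate(ip, rcpt)}")
```

The recipient lookup inside smtpd_client_restrictions relies on smtpd_delay_reject being left at its default of yes, so that Postfix evaluates the client restrictions at RCPT TO time when the recipient is known.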


*** This is a Security Bloggers Network syndicated blog from Branden R. Williams, Business Security Specialist authored by Branden Williams. Read the original post at: https://www.brandenwilliams.com/blog/2023/10/17/selective-domain-filtering-with-postfix-and-a-spam-filtering-service/?utm_source=rss&utm_medium=rss&utm_campaign=selective-domain-filtering-with-postfix-and-a-spam-filtering-service


Branden Williams

Dr. Branden R. Williams has more than twenty-five years of experience in business, technology, and cybersecurity as a consultant, strategist, and executive. Dr. Williams has experience working for the largest and smallest institutions as an entrepreneur, practitioner, and advisor. His specialty is navigating complex landscapes—be it compliance, security, technology, or business—and finding innovative solutions that promote growth while reducing risk. He is a practitioner and advisor for the operation, engineering, and management of IT and IS tools. He’s held several executive roles in the industry and served on both the PCICo and EMVCo boards.
