Enable DNSBL service in Postfix to reduce spam

Attention

If you run a high-traffic mail server, set up a local caching DNS server. Free DNSBL services such as zen.spamhaus.org enforce query limits and stop answering normally if your server exceeds them or queries through a public resolver (Spamhaus signals this with special 127.255.255.x return codes instead of a listing). Mail service also relies heavily on DNS queries, so a local caching resolver speeds up the mail flow.

You can enable additional DNSBL services in Postfix to reduce spam. The examples below use zen.spamhaus.org and b.barracudacentral.org.

smtpd_recipient_restrictions =
    ...
    reject_unauth_destination
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
    reject_rbl_client b.barracudacentral.org=127.0.0.2

The reject_rbl_client entries must be placed after reject_unauth_destination. You can add more DNSBL services after reject_unauth_destination; Postfix queries them in the order listed and stops at the first one that matches.

Postfix looks up the client IP address (octets reversed) under zen.spamhaus.org and inspects the A record returned. Only 127.0.0.2 to 127.0.0.11 are real listings (SBL, XBL and PBL); answers in 127.255.255.0/24 are error codes, returned for example when the query limit was exceeded or the query came through a public resolver. Without a filter, any A record counts as a hit, so such an error would reject legitimate mail. The =127.0.0.[2..11] filter tells Postfix to reject a client only when one of the listing codes is returned.

If postscreen is enabled, add the same lists to postscreen_dnsbl_sites. Each entry carries a weight (*3, *2); postscreen adds the weights of all lists that match and rejects the client once the total reaches postscreen_dnsbl_threshold (default 1). Also make sure postscreen_dnsbl_action is set to enforce or drop, because with the default value, ignore, postscreen only logs the result.

postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org=127.0.0.2*2
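To make the filter and weight semantics of both fragments above concrete, here is an added Python example; it is not part of the original page and not Postfix code. It re-implements, for illustration, how Postfix interprets a reject_rbl_client / postscreen_dnsbl_sites entry: the reversed lookup name, the d.d.d.[a..b] filter applied to the DNSBL answer, and the weighted postscreen score. The DNSBL answers are constructed inside the script (192.0.2.10 is a TEST-NET address), so it runs offline; the pattern syntax it assumes is the one documented for those two Postfix parameters.

```python
import ipaddress
import re

# Spamhaus ZEN return codes. Anything in 127.255.255.0/24 is an error, not a listing.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
    "127.255.255.252": "ERROR: typing error in the DNSBL name",
    "127.255.255.254": "ERROR: query via a public/open resolver",
    "127.255.255.255": "ERROR: query limit exceeded",
}

# The two entries from the page, in postscreen_dnsbl_sites syntax.
SITES = ["zen.spamhaus.org=127.0.0.[2..11]*3", "b.barracudacentral.org=127.0.0.2*2"]


def describe_zen(response):
    """Human-readable meaning of a ZEN answer (constructed table above)."""
    return ZEN_CODES.get(response, "unknown code")


def dnsbl_query_name(client_ip, rbl_domain):
    """Name Postfix looks up: client IPv4 with octets reversed, under the DNSBL domain."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("example handles IPv4 only")
    return ".".join(reversed(str(ip).split("."))) + "." + rbl_domain


def _octet_matches(pattern, value):
    """One octet of a filter: a number, or [..] holding ';'-separated numbers / lo..hi ranges."""
    if pattern.startswith("[") and pattern.endswith("]"):
        for item in pattern[1:-1].split(";"):
            if ".." in item:
                lo, hi = item.split("..", 1)
                if int(lo) <= value <= int(hi):
                    return True
            elif int(item) == value:
                return True
        return False
    return int(pattern) == value


def filter_matches(filter_pattern, response):
    """True if the A record 'response' matches a d.d.d.d filter such as 127.0.0.[2..11]."""
    pats = re.findall(r"\[[^\]]*\]|\d+", filter_pattern)  # bracket-aware octet split
    vals = [int(o) for o in response.split(".")]
    if len(pats) != 4 or len(vals) != 4:
        raise ValueError("filter and response must both have four octets")
    return all(_octet_matches(p, v) for p, v in zip(pats, vals))


def parse_site(spec):
    """Parse 'domain[=filter][*weight]'; weight defaults to 1 and may be negative."""
    weight = 1
    if "*" in spec:
        spec, w = spec.rsplit("*", 1)
        weight = int(w)
    domain, _, flt = spec.partition("=")
    return domain, (flt or None), weight


def reject_rbl_client(spec, response):
    """smtpd restriction semantics: reject iff the DNSBL answer matches the filter.
    With no filter, any A record (including a 127.255.255.x error) triggers a reject."""
    if response is None:  # NXDOMAIN: client is not listed
        return False
    _, flt, _ = parse_site(spec)
    return True if flt is None else filter_matches(flt, response)


def postscreen_score(site_specs, responses, threshold=1):
    """postscreen semantics: sum the weights of matching lists, compare with the threshold."""
    score = 0
    for spec in site_specs:
        domain, flt, weight = parse_site(spec)
        resp = responses.get(domain)
        if resp is not None and (flt is None or filter_matches(flt, resp)):
            score += weight
    return score, score >= threshold


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "zen.spamhaus.org"))
    # Constructed answers: XBL hit on ZEN plus a Barracuda listing.
    hits = {"zen.spamhaus.org": "127.0.0.4", "b.barracudacentral.org": "127.0.0.2"}
    print(describe_zen(hits["zen.spamhaus.org"]), postscreen_score(SITES, hits, threshold=3))
    # Constructed error answer: ZEN refusing service. Filtered: no reject. Unfiltered: reject.
    print(reject_rbl_client("zen.spamhaus.org=127.0.0.[2..11]", "127.255.255.254"))
    print(reject_rbl_client("zen.spamhaus.org", "127.255.255.254"))
```

The last two calls show why the filter matters: the same 127.255.255.254 answer is ignored by the filtered entry but rejects the client when the entry has no filter, which is exactly the failure mode the attention note above warns about.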
