1. Login

Consent to the use of Personal Data and Cookies

This website needs your consent to use cookies in order to customize ads and content.

If you give us your consent, data may be shared with Google.

Blocking sender email addresses with Postfix

How to block sender e-mail addresses and domains in Postfix to effectively eliminate marketing spam.

20 views
d

By. Jacob

Edited: 2023-05-21 09:54

Blocking individual senders with Postfix can be done by editing the /etc/postfix/sender_access file. If it does not exist, you can go ahead and create it.

1. Edit the file:

nano /etc/postfix/sender_access

2. Type in the sender address that you want to reject (one per line):

[email protected] REJECT

Note. This also works for entire domains. E.g:

example.com REJECT

3. Create a database file that postfix understands:

postmap hash:sender_access

4. Edit /etc/postfix/main.cf and add the following:

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access

If you have multiple rules in this block, you should separate them with comma and optionally indent them with spaces for readability. E.g:

smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  check_sender_access hash:/etc/postfix/sender_access,
  check_policy_service unix:private/policyd-spf

In fact, it seems even separating each rules with a line break works.

4. Restart postfix:

systemctl restart postfix

Once the sender-address has been blocked properly, future e-mail from them will bounce, and they will get a message like this in their inbox telling them they are blocked:

554 5.7.1 <u[email protected]>: Sender address rejected: Access denied

This should give an entry in your /var/log/mail.log file:

postfix/smtpd[5358]: NOQUEUE: reject: RCPT from mail.example.com[xxx.xxx.xxx.xxx]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<destination[email protected]> proto=ESMTP helo=<mail.example.com>

You can easily check that email is rejected by using grep:

grep "[email protected]" /var/log/mail.log

When to block individual addresses

Personally, I rarely block individual senders, because there is absolutely no point in doing it if the message is indeed "malicious". E.g. Someone found your e-mail address online and started sending you advertisements, they are probably also hiding their real identity.

If the sender is not hiding behind anonymity, then sometimes I want to send the sender a message by hard-blocking them in my server configuration; for example, maybe they are a real sender that started sending me e-mail marketing spam without my consent, in which case I sometimes block them to show them that their spam is not welcome – hopefully some will get the message.

Blocking a specific sender is not exactly a trivial task when you manage your own e-mail server, because you have to SSH into your server and manually add the senders e-mail address to your blocklist, and if you use Postfix, then you also have to restart the server to apply your changes.

E-mail services hosted at Microsoft and Google might not even provide a real way to block senders, and to the average user the option would be sort of obsolete anyway, because people are not able to tell when it will actually be useful to hard-block a sender; the problem is that most spammers will be spoofing their e-mail addresses, or indeed, simply change their address to get around such silly little blocks.

However, some e-mails are obviously genuine and originating from senders that at least will comply with some laws on spamming; we can easily block those senders if we wish to signal our disapproval of the message, and that way we avoid having to click their unsubscribe link.

Hard blocking

If a block is setup correctly by your e-mail provider, the e-mail server should plainly reject the unwanted message, this is a "hard block", and it should result in a bounced e-mail message.

Soft blocking

Gmail, for example, does not seem offer an option to block e-mail originating from specific addresses; their block function is a "ghost" soft-block; a block does not actually block future messages from the sender, and they will not know that they have been blocked; instead it will just move future messages to your spam folder. In my opinion, Google has actually implemented blocking incorrectly and contrary to what we would intuitively expect a block to mean!

When users block an e-mail address, they intuitively expect e-mail originating from that address to be rejected entirely – it should not even enter the spam folder – to then find future e-mail in the spam folder is just a disappointment. But, it also highlights the ongoing need for decentralization of e-mail.

The spam folder should be reserved for messages that might have been incorrectly labeled as spam. E.g. The spam filter was not confident enough to completely reject the message, or the sending domain has not configured their DKIM or SPF correctly. Etc.

Links

  1. smtpd_recipient_restrictions - postfix.org

Share with your friends:

Tell us what you think:

  1. How to set up SPF checking in Postfix
    Configure Postfix to check SPF records and fight e-mail spoofing.
  2. DNS SPF Records
    How to use SPF records to increase the likelihood that your e-mails will be received and not go to spam.
  3. Rate Limiting with Postfix
    Rate limiting your postfix server to limit the amount of e-mail a single user can send.
  4. How To Know If Postfix Was Hacked Into
    We can find out if Postfix was hacked by reading the mail and syslog files, learn what to look for in this article.

More in: Postfix