Skip to content


How to reject e-mails from a specific sender in Postfix

NB: this post comes as a follow up to previous postfix guides, How to simply create a catchall e-mail and forward all e-mails to another address in Postfix and How to forward an e-mail address or a whole domain to /dev/null in Postfix. It should, this time, be self-sufficient, but maybe reading the previous guides can still be helpful.

I’ve been a victim of some rogue website who seemed to refuse to let me unsubscribe from their spammy newsletter (to which I’m fairly sure I never even subscribed in the first place), and rather than letting them fill my spam folder I thought I’d bounce them for a change (yes, sorry but the method I present will reject e-mails, not discard them silently like the /dev/null forwarding – I haven’t found a way to do that based on sender’s e-mail yet).

First, you need to create a database of senders and actions. We’ll keep it simple here:
nano /etc/postfix/sender_access (NB: I think the file name doesn’t matter)
Then in this file, put your reject rules like this:

news@maville.com REJECT
example@example.com REJECT

Then save it, and to turn it into a database for postfix to use, run:
postmap /etc/postfix/sender_access

Now open postfix’s configuration:
nano /etc/postfix/main.cf
and configure this setting (check around to be sure, but probably you don’t already have it so you need to create it, for instance at the end of the file):

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access

Save it, then reload or restart postfix (postfix reload or postfix stop then postfix start)

That’s all. You should maybe test it with one of your own e-mail addresses, and when an e-mail is properly rejected, you’ll receive an e-mail like:
This is the Postfix program at host karen.lavabit.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The Postfix program

<me @example.com>: host mail.example.com[82.165.148.117] said:
554 5.7.1 <patheticcockroach @example.com>: Sender address rejected:
Access denied (in reply to RCPT TO command)

Bonus: to view the current postfix configuration: postconf -d

Sources:

Update (2013-10-20): wildcards

Sometimes it can be useful to block a whole domain at once. However, it turned out that wildcarding doesn’t seem to work here as well as for the virtual_alias_maps. Never mind, it can be done using… regular expressions, of course. Since regular expressions are slower than a db query, I suppose the best setup is to mix both as needed, keeping the regular expression only for cases where they are needed, and keeping the “hash” database for the other cases. So, that’s 2 list files instead of one. smtpd_sender_restrictions becomes like:
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access,check_sender_access regexp:/etc/postfix/sender_access_regexp
Note that you don’t need to run postmap on the regexp file (because it’s read from plain file instead of from a database file).
Example line from /etc/postfix/sender_access_regexp:
/\@newsletter\.pouvoirha\.com/ REJECT

Some more info there: https://www.linuxquestions.org/questions/linux-server-73/block-emails-on-postfix-650144/
A more generic, brief postfix guide: http://wiki.centos.org/HowTos/postfix_restrictions

Interesting commands to test your config:
postconf -n: display current configuration (I assume this is the one loaded, in case you missed a postfix reload)
postmap -q "check_this_email@example.com" regexp:/etc/postfix/sender_access_regexp: test the given email against the rules in file /etc/postfix/sender_access_regexp. Interesting because first you’ll see if it rejects what it should, plus it will display any error it may encounter in the file (like a malformed regular expression)

Posted in Linux, postfix, servers.


0 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.



Some HTML is OK

or, reply to this post via trackback.