NB: this post comes as a follow up to previous postfix guides, How to simply create a catchall e-mail and forward all e-mails to another address in Postfix and How to forward an e-mail address or a whole domain to /dev/null in Postfix. It should, this time, be self-sufficient, but maybe reading the previous guides can still be helpful.
I’ve been a victim of some rogue website who seemed to refuse to let me unsubscribe from their spammy newsletter (to which I’m fairly sure I never even subscribed in the first place), and rather than letting them fill my spam folder I thought I’d bounce them for a change (yes, sorry but the method I present will reject e-mails, not discard them silently like the /dev/null forwarding – I haven’t found a way to do that based on sender’s e-mail yet).
First, you need to create a database of senders and actions. We’ll keep it simple here:
nano /etc/postfix/sender_access (NB: I think the file name doesn’t matter)
Then in this file, put your reject rules like this:
news@maville.com REJECT example@example.com REJECT
Then save it, and to turn it into a database for postfix to use, run:
postmap /etc/postfix/sender_access
Now open postfix’s configuration:
nano /etc/postfix/main.cf
and configure this setting (check around to be sure, but probably you don’t already have it so you need to create it, for instance at the end of the file):
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
Save it, then reload or restart postfix (postfix reload or postfix stop then postfix start)
That’s all. You should maybe test it with one of your own e-mail addresses, and when an e-mail is properly rejected, you’ll receive an e-mail like:
This is the Postfix program at host karen.lavabit.com.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to If you do so, please include this problem report. You can The Postfix program <me @example.com>: host mail.example.com[82.165.148.117] said:
delete your own text from the attached returned message.
554 5.7.1 <patheticcockroach @example.com>: Sender address rejected:
Access denied (in reply to RCPT TO command)
Bonus: to view the current postfix configuration: postconf -d
Sources:
- nixCraft – Postfix blacklist or reject an email address
- Postfix Configuration Parameters – smtpd_sender_restrictions
- LinuxQuestions – Postfix: how to reject incoming mail as in Sendmail’s “error:nouser”?
Update (2013-10-20): wildcards
Sometimes it can be useful to block a whole domain at once. However, it turned out that wildcarding doesn’t seem to work here as well as for the virtual_alias_maps. Never mind, it can be done using… regular expressions, of course. Since regular expressions are slower than a db query, I suppose the best setup is to mix both as needed, keeping the regular expression only for cases where they are needed, and keeping the “hash” database for the other cases. So, that’s 2 list files instead of one. smtpd_sender_restrictions becomes like:
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access,check_sender_access regexp:/etc/postfix/sender_access_regexp
Note that you don’t need to run postmap on the regexp file (because it’s read from plain file instead of from a database file).
Example line from /etc/postfix/sender_access_regexp:
/\@newsletter\.pouvoirha\.com/ REJECT
Some more info there: https://www.linuxquestions.org/questions/linux-server-73/block-emails-on-postfix-650144/
A more generic, brief postfix guide: http://wiki.centos.org/HowTos/postfix_restrictions
Interesting commands to test your config:
postconf -n: display current configuration (I assume this is the one loaded, in case you missed a postfix reload)
postmap -q "check_this_email@example.com" regexp:/etc/postfix/sender_access_regexp: test the given email against the rules in file /etc/postfix/sender_access_regexp. Interesting because first you’ll see if it rejects what it should, plus it will display any error it may encounter in the file (like a malformed regular expression)
Fantastic Guide, I was wondering if regexes could be used in access lists as with exim, and this answers the question perfectly, time to fight back against the spammers.
This is a very useful post. Thank you for laying out the steps for configuring Postfix to block spam senders based on a specific list of email addresses.
Excellent instructions. I use Plesk with grey listing, SpamAssassin and DNSBLs, and was struggling to get the mail server to reject mail from specific email addresses. Plesk’s blacklist for rejection (in Mail Server settings) appears to only accept domain entries rather than individual email addresses. The Spam Filter settings blacklist adds 100 to a sender’s SpamAssassin score but the email still comes in to a junk folder where it will get checked for false positives.
I was unwilling to accept this situation and this solution worked well. All mail from the specific addresses listed is now rejected.
Plesk users may want to know that you can insert the new check_sender_access db query into the standard smtpd_sender_restrictions line as follows:
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, check_sender_access hash:/etc/postfix/sender_access, permit_sasl_authenticated