Yes, that title was a mouthful, but I'm trying to make sure I'm descriptive enough for the next guy who is in this situation. I ran into something interesting lately. There is a spambot network that ignores whatever you put in the MX record and instead tries to deliver mail directly to other IPs associated with the domain, skipping the filtering service entirely.

Ski Mask, by Dave Wasson

Yep, rookie mistake on my part. I should have set things up so that mail for domains that forward through my spam filtering service is only accepted for local delivery when it comes FROM that service. So I turned to the extremely helpful Postfix Users group.

Essentially, they suggested using access(5) rules to define this inline. You could throw the domains into a hash table as well, but since my config isn't really changing much at all I did not go that route.

The first part of the config is a restriction class listing the CIDR blocks of the filtering service that you want to accept mail from; anything outside those blocks is rejected:

    smtpd_restriction_classes = reject_unfiltered

    # Allow the filtering service IPv4/IPv6 CIDR blocks and reject
    # everything else. A cidr table returns the first matching entry,
    # so the catch-all entries must come last.
    reject_unfiltered =
        check_client_access cidr:{
            {                            permit_auth_destination},
            {2001:dead:beef:cafe::/64    permit_auth_destination},
            {                            REJECT 5.7.1 MX bypass attempt},
            {::/0                        REJECT 5.7.1 MX bypass attempt}
        }

Then add a recipient check at the start of your existing smtpd_client_restrictions list, so that mail addressed to the filtered domains is only accepted when it comes from your provider:

    # Just insert this at the top of your list of client
    # restrictions; processing/restricting continues after it
    # for any recipient domain that is not listed here.
    smtpd_client_restrictions =
        check_recipient_access inline:{
            { = reject_unfiltered},
            { = reject_unfiltered}
        }

That's all there is to it. It worked instantly and does not affect mail delivery for domains that are not listed in the second config block. Thank you to Viktor Dukhovni for helping!
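To make the evaluation order of the two blocks above concrete, here is a small model of how Postfix walks them: the recipient's domain (or a parent domain, which smtpd access maps match by default) selects the restriction class, the class matches the client address against its cidr entries in order, and the first hit wins. This is an added illustration written for this post, not Postfix code and not the author's configuration. The IPv4 prefix 192.0.2.0/24 and the domains example.com and example.net are constructed sample values standing in for the ones the post uses; the IPv6 prefix is the one from the post.

```python
"""Model of the post's Postfix restriction chain (illustration only).

Constructed values: 192.0.2.0/24 stands in for the filtering service's
IPv4 block; example.com / example.net stand in for the filtered domains.
2001:dead:beef:cafe::/64 is the IPv6 block from the post.
"""
import ipaddress

# The reject_unfiltered class: an ORDERED cidr table, first match wins.
# "permit_auth_destination" is left as the literal result Postfix would
# return; for the listed domains (which this host is authorised to accept
# mail for) it amounts to PERMIT.
REJECT_UNFILTERED = [
    (ipaddress.ip_network("192.0.2.0/24"),             "permit_auth_destination"),
    (ipaddress.ip_network("2001:dead:beef:cafe::/64"), "permit_auth_destination"),
    (ipaddress.ip_network("0.0.0.0/0"),                "REJECT 5.7.1 MX bypass attempt"),
    (ipaddress.ip_network("::/0"),                     "REJECT 5.7.1 MX bypass attempt"),
]

# The check_recipient_access inline map: domain -> restriction class.
RECIPIENT_ACCESS = {
    "example.com": REJECT_UNFILTERED,
    "example.net": REJECT_UNFILTERED,
}


def evaluate_class(client_ip: str, table) -> str:
    """Return the first cidr-table result matching client_ip.

    "DUNNO" means nothing matched, so later restrictions decide.  With the
    two catch-all entries in place that can only happen for an unparsable
    address family, but the fallthrough is kept to mirror Postfix.
    """
    addr = ipaddress.ip_address(client_ip)
    for net, result in table:
        # An IPv4 address never matches an IPv6 prefix and vice versa.
        if addr.version == net.version and addr in net:
            return result
    return "DUNNO"


def lookup_recipient_domain(domain: str):
    """Model the access(5) domain lookup: try the domain, then each parent
    domain (smtpd_access_maps is in parent_domain_matches_subdomains by
    default, so sub.example.com is covered by an example.com entry)."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        table = RECIPIENT_ACCESS.get(".".join(labels[i:]))
        if table is not None:
            return table
    return None


def check_recipient(client_ip: str, recipient: str) -> str:
    """Model check_recipient_access followed by the selected class.

    Unlisted recipient domains return "DUNNO": they fall through to the
    rest of smtpd_client_restrictions untouched, which is why the post's
    change does not affect other domains hosted on the same server.
    """
    domain = recipient.rsplit("@", 1)[-1]
    table = lookup_recipient_domain(domain)
    if table is None:
        return "DUNNO"
    return evaluate_class(client_ip, table)


if __name__ == "__main__":
    # Constructed scenarios: filter-service sources are accepted, anything
    # else delivering to a filtered domain is rejected, other domains pass.
    for ip, rcpt in [("192.0.2.10", "bob@example.com"),
                     ("2001:dead:beef:cafe::5", "bob@example.net"),
                     ("198.51.100.7", "bob@example.com"),
                     ("2001:db8::1", "bob@sub.example.com"),
                     ("198.51.100.7", "bob@example.org")]:
        print(f"{ip:>24} -> {rcpt:<22} {check_recipient(ip, rcpt)}")
```

Because smtpd_delay_reject defaults to yes, Postfix evaluates smtpd_client_restrictions at RCPT TO time, which is why a recipient-based lookup can sit in the client restriction list at all. If you change that default the recipient is unknown when the client list runs and this check will no longer fire.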

This post originally appeared on
