Permanently reject a specific email sender address using postfix

email_block_with_senderPostfix generally accepts all sender addresses. It might be needed in some rare cases to reject one sender addresses for some reason.

With postfix, there is the possibility to use the “check_sender_access” to set individual actions per sender address. For the list of recipients and their action, a mapping needs to be created in the form of a hash database file. First you need to create a text file. The name here is chosen based on the name of the setting but can also be named differently.

$ vim /etc/postfix/sender_access

Inside the file, the senders and actions are configured. The mapping table will match the “address pattern” to an “action”. The address pattern can be a full email address like user@example.com, a domain like “example.com” or even just the user part like “user@”. The second column in the file is the action.

# ADDRESS PATTERNS         # ACTION
sender@example.com         550 Blacklisted
domain.com                 REJECT
user@                      REJECT

The action can simply be REJECT or an SMTP error code followed by the text delivered back with the error code. More details about the possible actions can be found in the postfix man page access(5) under the section “REJECT ACTIONS”.

$ postmap /etc/postfix/sender_access

To create the database file from the text file, the postmap command is used. The command above creates a database file with the same name and a .db extension from the text file with the given name .

$ ls -1 /etc/postfix/sender_access*
/etc/postfix/sender_access
/etc/postfix/sender_access.db

With the access table in place, the sender check needs to be enabled in the smtpd part of postfix. This is done in the /etc/postfix/main.cf configuration file.

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access,...

The configuration item “smtpd_recipient_restrictions” defines the incoming restrictions for smtpd, which is the daemon listening for incoming connections. The “check_sender_access” option should be defined followed by the filename chosen for the database (without the .db extension). The above configuration example show only the config required for blocking of sender addresses. In the real “smtpd_recipient_restrictions” configuration line there are very likely a lot of other options as well.

$ service postfix reload

With the reload option, postfix will not completely restart but re-read the configuration and the related tables. This needs to be done every time the sender_access file is changed and the database file is generated, to activate the changes.

How do the result look?

Depending on the setup of the sending server the result might look slightly different. What most have in common is that they show a failure notice containing the returned error code and error message.

The return email for the action “550 Blacklisted” might look similar to this or might contain lines like this to indicate the error.

Sorry, we were unable to deliver your message to the following address.
<recipient@domain.com>:
Remote host said:
550 5.7.1 <sender@example.com>: Sender address rejected: Blacklisted
[RCPT_TO]

The corresponding log line from the receiving/rejecting mailserver looks like the following and shows the exact same error message as the failure notice.

$ grep "Sender address rejected" /var/log/maillog
... postfix/smtpd[89]: NOQUEUE: reject: RCPT from mailsrv.example.com[12.12.12.12]: 550 5.7.1 <sender@example.com>: Sender address rejected: Blacklisted; from=<sender@example.com> to=<recipient@domain.com> proto=ESMTP helo=<mailsrv.example.com>

With the simple “REJECT” action in the table, the following error will be reported. It equals to the action “554 Access denied”.

554 5.7.1 <sender@example.com>: Sender address rejected: Access denied

Read more of my posts on my blog at https://blog.tinned-software.net/.

This entry was posted in Linux Administration, Mailserver and tagged , , , , , , . Bookmark the permalink.