Postscreen blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as inexpensive as possible. More information about Postscreen can be found here.
Important
- When the Postscreen service is enabled, your users must use the submission port 587 (TLS) or 465 (SSL) to send email, port 25 will be used by the Postscreen service to accept emails sent from other mail servers (not submitted by end users).
- Enabling Postscreen will automatically enable the submission port 587 (TLS) if it is not currently enabled.
- Mail sent using the PHP mail function/sendmail should not be affected.
Enable Postscreen
- Go to Warden -> Setting -> Mail Server Settings -> Check Postscreen
- If you were already using DNSBLs you can press the down arrow button next to DNSBL sites to transfer the DNSBLs to Postscreen DNSBL sites. Otherwise add some DNSBLs to Postscreen DNSBL sites. See here for a list of DNSBLs that we recommend. It is recommended that the DNSBL option should be left unchecked when using Postscreen otherwise the same DNSBLs would be checked twice at the Postscreen level and at the SMTP level. Note: The DNSBLs listed under Postscreen DNSBL sites are all checked simultaneously in parallel so the ordering is not important.
- We recommend that the Postscreen blacklist action, Postscreen greet action, and Postscreen DNSBL action options are all set to enforce. Enforce will enable the protection and will still log enough information in order to see which sender/recipient is being blocked.
- Press the Update button to apply your changes.
- If you have any additional IP address or networks that you want to whitelist from Postscreen you can add them by going to Warden -> Settings -> Mail Server Settings -> Mail Server Access -> Postscreen Access. The Postscreen access area supports both whitelisting and blacklisting IP addresses and CIDRs.
Advanced Usage
Postscreen also supports positive and negative weight factors for DNSBLs similar to how SpamAssassin scores email.
Example Using Strict DNSBLs (recommended)
This example allows us to use strict DNSBLs which normally have false positives. We can give them a lower weighting so that two strict DNSBLs must match before we trigger a block. We set the Postscreen DNSBL threshold to 3 points: b.barracudacentral.org has a weight of 3, psbl.surriel.com has a weight of 3, bl.spamcop.net has a weight of 2, spam.spamrats.com has a weight of 2, bl.mailspike.net has a weight of 2. If the combined score is equal to or greater than 3, Postscreen would reject the SMTP client.
Postscreen DNSBL threshhold: 3
Postscreen DNSBL sites: b.barracudacentral.org=127.0.0.[2..11]*3, psbl.surriel.com*3, bl.spamcop.net*2, spam.spamrats.com*2, bl.mailspike.net*2
Example Using Strict DNSBLs with Whitelising
This example allows us to use swl.spamhaus.org and list.dnswl.org for whitelisting (do not use swl.spamhaus.org if you are using free DNS resolvers). We set the Postscreen DNSBL threshold to 3 points: b.barracudacentral.org has a weight of 3, psbl.surriel.com has a weight of 3, bl.spamcop.net has a weight of 2, spam.spamrats.com has a weight of 2, swl.spamhaus.org has a weight of -4, list.dnswl.org has a weight of -2, -4, or -6 depending on the response code returned. If the combined score is equal to or greater than 3, Postscreen would reject the SMTP client. If the combined score is lower than 0 (the default postscreen_dnsbl_allowlist/whitelist_threshold) then Postscreen would whitelist the SMTP client.
Postscreen DNSBL threshhold: 3
Postscreen DNSBL sites: b.barracudacentral.org=127.0.0.[2..11]*3, psbl.surriel.com*3, bl.spamcop.net*2, spam.spamrats.com*2, swl.spamhaus.org*-4, list.dnswl.org=127.[0..255].[0..255].0*-2, list.dnswl.org=127.[0..255].[0..255].1*-4, list.dnswl.org=127.[0..255].[0..255].[2..3]*-6
Postscreen Access Control
Administrators can whitelist/blacklist IP addresses or CIDRs from Postscreen by going to Warden -> Settings -> Mail Server Settings -> Mail Server Access -> Postscreen Access.
Postscreen Log
Administrators can view the Postscreen log under Warden -> Logs -> Postscreen Log. Mail clients blocked by Postscreen will be highlighted in red and begin with the NOQUEUE message.
Command Line Interface
Admins can enable Postscreen using the mailserver:mailserver command line interface and Postscreen access control can be managed using the mailserver:access command line interface.
// enable Postscreen and set the Postscreen DNSBL sites
warden --task=mailserver:mailserver --postscreen=1 --postscreen_dnsbl_sites='b.barracudacentral.org,psbl.surriel.com' --reload=yes
// reject mail from the 214.112.234.0/24 network in Postscreen
warden --task=mailserver:access --oper=postscreen_add --pattern='214.112.234.0/24' --action=REJECT --reload=yes
// remove the 214.112.234.0/24 network
warden --task=mailserver:access --oper=postscreen_del --pattern='214.112.234.0/24' --reload=yes
// whitelist an IP address that is blocked on one of the Postscreen DNSBL sites
warden --task=mailserver:access --oper=postscreen_add --pattern='214.112.234.1' --action=PERMIT --reload=yes
// remove a whitelisted IP address from Postscreen
warden --task=mailserver:access --oper=postscreen_del --pattern='214.112.234.1' --reload=yes