Implement Spamcop via Postfix smtpd_recipient_restrictions? Help or comments please?

SYSTEM INFORMATION
OS type and version Ubuntu Linux 20.04.5
Webmin version 2.001
Virtualmin version 7.3-1 Pro
Related packages Postfix RBL Configuration

This morning a user on a server with 100s of domains and probably around 500 mailboxes called me to report spam. Upon closer inspection I did a lookup for blacklists at MX Toolbox and found that the IP address is listed at 18 RBLs.

Then I checked Postfix and noticed that it doesn’t seem to contain any checks for blacklists.

I need some help to configure RBLs, especially these ones for Virtualmin:

  • Spamcop
  • Spamhaus
  • Sorbs
  • Abuseat

Here is the original Postfix main.cf on a fresh Ubuntu server. Note spaces instead of commas.

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:10023

Here are the modifications I made (note the commas):

smtpd_recipient_restrictions =.
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   reject_invalid_hostname, # Added
   check_policy_service inet:127.0.0.1:10023,
   reject_rbl_client zen.spamhaus.org, # Added
   reject_rbl_client bl.spamcop.net, # Added
   reject_rbl_client dnsbl.sorbs.net, # Added
   reject_rbl_client cbl.abuseat.org, # Added
   reject_rbl_client b.barracudacentral.org, # Added
   reject_rbl_client dnsbl-1.uceprotect.net, # Added
   permit # Added
```

This is the guide from Rackspace that I used:
https://docs.rackspace.com/support/how-to/prevent-spam-in-postfix/

Note to use Spamhaus you can't use open resolvers such as 1.1.1.1 and 8.8.x.x. You have to use your DCs DNS resolver.

Perhaps I'm missing the boat and these RBLs are actually configured somewhere else e.g. in SpamAssassin?

Please comment?

In relation to the Spamhaus bit, please read:

and all will become clear (i.e. what Rackspace say).

SpamAssasin only applies to emails that Postfix has accepted. The Postfix rules regarding RBLs and other things dictate whether Postfix accepts the email in the first place.

I recommend you not configure it in Postfix, and instead use SpamAssassin’s RBL features. SpamAssassin can use weights to make smarter decisions about when to block…Postfix can only block or not.

But, if you do want to do it in Postfix, I don’t think I know what else to say. Seems like the error tells you what’s wrong.

Update: I quickly removed Sorbs because Gmail was being blocked.

Still happy to use a combination of pre-server blocking and post-server blocking because I really need Spamcop and Spamhaus operational.

@Joe

and instead use SpamAssassin’s RBL features

Any hints where to set this up?

The following link refers to cPanel, but is equally applicable to Virtualmin

i.e. use a custom file so as not to lose your custom RBLs should the main file get over-written.