TLD blocking in POSTFIX MTA

I was looking at how I might block TLDs (Top Level Domains) with the POSTFIX MTA and I couldn’t do it using a pcre table – most of the stuff I found used pcre.  When I did an apt-get to install it on my Ubuntu Mail Server it wanted to uninstall and upgrade a few dependencies and I was like…wait a minute, what might this break?!

What’s a girl to do?  Checking around I found Postfix: The Definitive Guide, where they talk about configuration files.  You can use a regexp (regular expression) in a file (the database) to have POSTFIX look at a pattern.

I then found this link on How To Forge where user kephra said they used this:

“/(from|reply-to|helo).+?<.+?(\.\w+(?<!com|org|net|edu|gov)>)/ REJECT”

…but I got errors on the regexp so I ended up using a different syntax from another post (can’t remember where to give them credit) but it looks like this:

/\.aaa$/          REJECT

So here you can add more lines for TLDs you want to block.  The first example was precise but didn’t work; the next one wasn’t precise but works, and I take working over elegantly not working all day long!

Here’s the how to:

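Find where POSTFIX is:  whereis postfix
Go to that directory:  cd /etc/postfix
Make a backup of your POSTFIX config file: cp main.cf main.cf.bkp
Edit your POSTFIX conf file:  nano main.cf
Add this line (if main.cf already sets smtpd_sender_restrictions, add the regexp: entry to that existing setting instead of creating a second one):
# Blocked sender TLDs
smtpd_sender_restrictions = regexp:/etc/postfix/tld_block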

Save the file.  We now create the referenced file “tld_block” and edit it:
touch tld_block
nano tld_block
Add lines of all the TLDs you want to block:

/\.aaa$/          REJECT
/\.aarp$/          REJECT
/\.abarth$/          REJECT

…and so forth

* You can download my file here (mega block of TLDs): Link
Save the file and restart postfix:
service postfix restart

Done

Watch your log files now: tail -f /var/log/mail.log

…and look for results like this:

“Mar  8 19:58:52 email postfix/smtpd[4018]: NOQUEUE: reject: RCPT from usadatacompany4.usa.cc[138.68.87.13]: 554 5.7.1 <donotreply@lifestylecompanyinc.cc>: Sender address rejected: Access denied; from=<donotreply@lifestylecompanyinc.cc> to=<BingV@signartinc.com> proto=ESMTP helo=<usadatacompany4.usa.cc>”

Sender address REJECTED access denied!

That’s how you know it’s working: ACCESS DENIED!
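
Added example (not part of the original post): a shell script that builds the tld_block table from a TLD list while leaving out the TLDs you still want to accept, then dry-runs sender addresses against the result before Postfix is restarted. The function names, the keep list and the sample TLD list are assumptions constructed for illustration; lookup only approximates the table with grep -E -i, and postmap -q is the check to trust on a host with Postfix installed.

```sh
#!/bin/sh
# Added example, not from the original post. Names and sample data are constructed.

# build_tld_block "KEEP..." < tld_list
#   stdin: one TLD per line, any case; blank lines and '#' comments are skipped
#   $1:    space-separated TLDs that must NOT be blocked
build_tld_block() {
    _keep=" $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') "
    tr '[:upper:]' '[:lower:]' | tr -d '\r' |
    while IFS= read -r tld || [ -n "$tld" ]; do
        case "$tld" in
            ''|'#'*)      continue ;;   # blank line or comment
            *[!a-z0-9-]*) continue ;;   # not a plain label: never emit it as a regexp
        esac
        case "$_keep" in *" $tld "*) continue ;; esac
        printf '/\\.%s$/\tREJECT\n' "$tld"
    done
}

# lookup TABLE_FILE ADDRESS
#   Approximates a regexp: table lookup with grep -E -i: rules are tried top to
#   bottom, case-insensitively, and the first match wins.
#   Prints the action and returns 0, or returns 1 when no rule matches.
lookup() {
    while read -r _pat _action; do
        case "$_pat" in ''|'#'*) continue ;; esac
        _pat=${_pat#/}; _pat=${_pat%/}      # strip the /.../ delimiters
        if printf '%s\n' "$2" | grep -Eiq -- "$_pat"; then
            printf '%s\n' "$_action"
            return 0
        fi
    done < "$1"
    return 1
}

# Constructed sample list; the last entry is malformed on purpose.
sample_tlds() { printf '%s\n' '# sample' AAA AARP ABARTH COM ORG 'bad.*entry'; }

table=$(mktemp)
sample_tlds | build_tld_block "com org" > "$table"
cat "$table"                                   # three REJECT rules: aaa, aarp, abarth
lookup "$table" 'someone@example.aarp'         # prints REJECT
lookup "$table" 'someone@example.com' || echo 'no match: mail continues to later checks'
# On a host with Postfix, confirm with the real table code before restarting:
#   postmap -q 'someone@example.aarp' regexp:"$table"
rm -f "$table"
```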
