A Top-Level Domain (TLD) is at the highest level of the Domain Name System (DNS) structure. The domain .com is a TLD. So are .org, .net, and .biz.
I’ve presented on DNS (and BIND) – you can click the link to view my PDF slides (and you can view a listing of all of my posted workshops at https://barredowlweb.com/knowledge-base/#workshops). You can also read an old blog post I wrote on an introduction to DNS & IPv6 at https://barredowlweb.com/2013/10/28/introduction-dns-ipv6/.
But back to this topic… There are a lot of new TLDs, such as .bid and .science. At Barred Owl Web, we’ve noticed that spammers are the only ones sending email from domain names inside many of these TLDs.
In an effort to curb this spam, we block email coming from many of these TLDs completely. Here’s how you can too (these instructions are for CentOS servers, but can of course be adapted to your particular Linux distribution and to wherever your Postfix configuration files are located).
1. Create a file in /etc/postfix, and name it “reject_domains”
(vim /etc/postfix/reject_domains)
2. Here are the current contents of our reject_domains file – it’s growing, but we are currently blocking email from 15 different TLDs:
/\.pro$/ REJECT We reject all .pro domains
/\.date$/ REJECT We reject all .date domains
/\.science$/ REJECT We reject all .science domains
/\.top$/ REJECT We reject all .top domains
/\.download$/ REJECT We reject all .download domains
/\.work$/ REJECT We reject all .work domains
/\.click$/ REJECT We reject all .click domains
/\.link$/ REJECT We reject all .link domains
/\.diet$/ REJECT We reject all .diet domains
/\.review$/ REJECT We reject all .review domains
/\.party$/ REJECT We reject all .party domains
/\.zip$/ REJECT We reject all .zip domains
/\.xyz$/ REJECT We reject all .xyz domains
/\.stream$/ REJECT We reject all .stream domains
/\.bid$/ REJECT We reject all .bid domains
3. Edit /etc/postfix/main.cf and add the following line:
smtpd_sender_restrictions =
check_sender_access pcre:/etc/postfix/reject_domains
4. Reload Postfix:
postfix reload
You’re done. Hopefully this will help you combat spam too.
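The steps above rely on how Postfix evaluates a pcre: access table, and the details matter: for regexp/pcre tables the whole MAIL FROM address is matched against each pattern in file order, the first match wins, and matching is case-insensitive unless the "i" flag is given after the closing slash. The following Python emulator is an added example (not part of the original post and not Postfix code) that parses a table in exactly the format shown above and reports the action Postfix would take for a sender. The table it uses is constructed for the example: it adds a .blocked TLD and a made-up domain "exception.blocked" to show that an OK line placed before a REJECT line acts as an exception, and it handles only the plain "/pattern/flags ACTION text" form (no "!" negation or if/endif blocks).

```python
import re
from typing import Any, List, Optional, Tuple

# Constructed example table in the same format as /etc/postfix/reject_domains.
# The first line is an exception: because the first matching rule wins, it must
# come before the REJECT rule for the same TLD. "exception.blocked" is a placeholder.
REJECT_DOMAINS = r"""
/^[^@]+@exception\.blocked$/ OK
/\.blocked$/ REJECT We reject all .blocked domains
/\.pro$/ REJECT We reject all .pro domains
/\.science$/ REJECT We reject all .science domains
/\.xyz$/ REJECT We reject all .xyz domains
"""

# One table line: /pattern/flags ACTION [reply text]. Inside the pattern an
# unescaped "/" ends it, so "\/" is the only way to match a slash.
LINE_RE = re.compile(r"^/((?:\\.|[^/\\])*)/([a-zA-Z]*)\s+(\S+)(?:\s+(.*))?$")


def parse_table(text: str) -> List[Tuple[Any, str, str]]:
    """Compile the table into (regex, ACTION, reply text) rules in file order."""
    rules: List[Tuple[Any, str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # pcre tables permit blank lines and # comments
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {raw!r}")
        pattern, flags, action, reply = m.groups()
        # Postfix pcre tables match case-insensitively by default; the "i" flag
        # toggles that default off rather than on.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action.upper(), reply or ""))
    return rules


def lookup(rules: List[Tuple[Any, str, str]], sender: str) -> Optional[Tuple[str, str]]:
    """Return (ACTION, reply text) of the first rule whose pattern matches the full address."""
    for regex, action, reply in rules:
        if regex.search(sender):
            return action, reply
    return None


def decide(sender: str, table: str = REJECT_DOMAINS) -> str:
    """Action check_sender_access would yield for a MAIL FROM address under this table."""
    hit = lookup(parse_table(table), sender)
    # No rule matched: this restriction gives no verdict and Postfix evaluates the next one.
    return hit[0] if hit else "DUNNO"


if __name__ == "__main__":
    for addr in ("user@spam.pro", "USER@SPAM.PRO", "someone@exception.blocked",
                 "someone@other.blocked", "someone@proactive.example.com"):
        print(f"{addr:32} -> {decide(addr)}")
```

The "$" anchor is what keeps "/\.pro$/" from rejecting a sender at proactive.example.com, and the uppercase test shows why a .PRO sender is still caught without any extra rule.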
Need help with your Linux web or email server? Contact me at https://barredowlweb.com/contact/ to start a conversation.
Hi All,
I use Postfix v2.10.1 and I followed your tutorial.
My /etc/postfix/access file:
/\.date$/ REJECT
When I try this conf file with the following command, it seems that the regular expression doesn’t work:
postmap -q "toto@test.date" hash:/etc/postfix/access
But if I modify the access file with an entry as follows:
toto@test.date REJECT
the test command works.
Any ideas?
Jacques
Hi,
postmap is for hash (or lmdb files), but this is pcre (Perl Compatible Regular Expression).
You may also need to install the postfix-pcre package.
Regards, Lishack the Fox.
Lishack is correct.
You need to put the code I provided above into a new file, and then point to that file with the following configuration parameter: check_sender_access pcre
Hi David,
Built my first own mail server and realized how many things must be done to get it running, including fighting spam. In the past I’ve supported the SUN Microsystems Mail Server and did not know how much stress it is to have one of your own.
So thanks for that blog, it helps me so much!
Thanks and best regards
Thorsten
1. I use a .xyz for my business. Like many others. The domain was cheap to register a few years ago. Instead of blocking entire domains, why not be a little more intelligent in this?
2. Postfix is not meant to be a spam filter, per se. It’s an MTA. Take the time to configure SpamAssassin or Rspamd. Also chain in the clamav-milter. Maybe you’ll have fewer false positives.
Regards..
Funnily I knew a sys admin in the Netherlands who blocked the whole *.uk TLD, and then wondered why his email alerts from amazon.co.uk never arrived in his mailbox.
Those are certainly good points. And you are correct: Postfix is an MTA. You’ll get no argument from me there.
However, as you likely know, the volume of spam that the typical MTA receives is absurd. We have made the decision to block these TLDs because there has never been a use case for us, or any of our clients whose email is hosted on our infrastructure, to communicate with others who have an email address at one of those TLDs mentioned. Here’s a nice article from Brian Krebs on the subject of TLDs and spam: https://krebsonsecurity.com/tag/new-tld-spam/
Nice tutorial, works perfectly! Those new TLDs are a pain in the ass.
I’m currently testing how to allow an exception.
I mean if I block a domain called .blocked with /\.blocked$/ REJECT I want to previously allow one exception for something like exception.blocked.
You can whitelist senders by hostname or IP address by setting a smtpd_recipient_restrictions stanza, and adding the following to that stanza:
check_client_access hash:/etc/postfix/rbl_override
In your rbl_override file, it might look something like this:
1.1.1.1 OK
mail.example.com OK
Then do a “postmap /etc/postfix/rbl_override”, reload Postfix, and you’re good to go!
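A hash: table used with check_client_access is looked up differently from the pcre: table in the post: the key is the connecting client, looked up first by its hostname (the name itself, then each parent domain, since smtpd_access_maps is in parent_domain_matches_subdomains by default) and then by its IPv4 address (the full address, then the shorter prefixes net.work.addr, net.work and net). The following Python emulator is an added example (not part of the original post or reply and not Postfix code) that applies those lookup rules to the two rbl_override lines above plus one constructed prefix entry, 203.0.113 (documentation address space, used here as a placeholder). It only models IPv4 and a verified client name; a client whose reverse lookup failed is represented by the name "unknown", which gets no hostname lookup.

```python
from typing import Dict, Optional

# Constructed example: the two lines shown in the reply above plus a
# placeholder prefix entry that covers every address in 203.0.113.0/24.
RBL_OVERRIDE = """
1.1.1.1 OK
mail.example.com OK
203.0.113 OK
"""


def parse_hash_table(text: str) -> Dict[str, str]:
    """Index 'key action' lines the way postmap does (keys folded to lowercase)."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()
    return table


def client_access(table: Dict[str, str], client_name: str, client_addr: str) -> Optional[str]:
    """Action check_client_access would yield for a client, or None when nothing matches."""
    # 1. Hostname, then each parent domain: smtp1.mail.example.com is also
    #    matched by the key mail.example.com under the default
    #    parent_domain_matches_subdomains setting. An unverified client name
    #    ("unknown") is never looked up by name.
    if client_name and client_name.lower() != "unknown":
        labels = client_name.lower().split(".")
        for i in range(len(labels)):
            hit = table.get(".".join(labels[i:]))
            if hit is not None:
                return hit
    # 2. IPv4 address, then progressively shorter dotted prefixes.
    octets = client_addr.split(".")
    for n in range(len(octets), 0, -1):
        hit = table.get(".".join(octets[:n]))
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    table = parse_hash_table(RBL_OVERRIDE)
    for name, addr in (("mail.example.com", "198.51.100.9"),
                       ("smtp1.mail.example.com", "198.51.100.9"),
                       ("unknown", "1.1.1.1"),
                       ("unknown", "203.0.113.77"),
                       ("example.org", "203.0.114.1")):
        print(f"{name:24} {addr:16} -> {client_access(table, name, addr)}")
```

Because the lookup key is the client, an OK entry here exempts every message a listed relay delivers, whatever the MAIL FROM domain; an exception for one sender domain belongs in the sender table instead.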
Today I just banned an entire ISP from sending me email. In fact it happens to have over 1000 CIDRs I had to sift through. What is much different than usual is the fact that I put a referral to the spam-supporting ISP’s toll-free number for assistance in resolving the issue. I want to put the onus and responsibility for the cost of spam BACK ON the spammers and their supporting ISPs where it belongs.
The list I use is in the following format:
23.228.77.0/24 REJECT You are blocked for network abuse: Spamming – Contact Globalfrag/LayerHost Technical Support 1-833-247-HOST to resolve issue.
I check my logs for mails that are rejected because of their TLD and sometimes make exceptions or even allow a TLD I’d previously blocked. I’ve never seen anything that looked even vaguely like it might be legit from .xyz, .top or many others.
(I take a different tack: I block ALL TLDs and then whitelist the ones I will accept mail from; this way new TLDs do not get an opportunity to spam my server.)
Those are new TLDs and people are buying them. I wish I had seen this before I bought my stan.stream domain. What a load of crap to happen to people like me who HATE spammers. Spammers should be prosecuted.
You have NO IDEA how long I’ve been searching for this solution! Cannot believe it took years of googling to find this – just had to use the right guess-words to search for (“wildcards” was the key!).
I had a SENDER_CHECKS file that was 22,250 lines long trying to keep the spam in check – created 270 entries in my reject_domains file, and the sender_checks is now down to 7770 after removing duplicates.
Thank you, thank you, THANK YOU!!!!!
I’m glad it was helpful! 🙂