Filtering known-bad sender domains from your mail-receiver

If you run your own incoming mail, and you find that you’re getting more abusive mail than you’re willing to tolerate, this guide is for you! It’ll show you how to configure your mail-receiver container to block e-mail from any domain on a list you create, and how you can add and remove domains from that list over time.

Setup

  1. Using the custom Postfix configuration guide, configure your mail-receiver container to have an /etc/postfix/shared volume (see the “Addendum” section at the bottom).

  2. Create an empty file on the host, in /var/discourse/shared/mail-receiver/etc, named sender_access, by running the following command as root:

    touch /var/discourse/shared/mail-receiver/etc/sender_access
    
  3. Using the custom Postfix configuration guide, set the following environment variable:

     env:
       # <existing config>
       POSTCONF_smtpd_sender_restrictions: 'texthash:/etc/postfix/shared/sender_access'
    

Your Postfix system is now ready to accept domains to block.

Blocking and unblocking domains

The list of domains you want to block is maintained in the file /var/discourse/shared/mail-receiver/etc/sender_access on the host. The format is straightforward: just a list of domains, one per line, with the word REJECT after it. Here is an example:

example.com    REJECT
example.org    REJECT
# etc

There are other possibilities you can use instead of REJECT, but we won’t cover them in this guide; see the fine manual if you want to get super-fancy.

Thus, to add or remove a domain from the list of blocked domains, simply add or remove the relevant line from the file, by editing it as root.

There is one final step that needs to be taken after editing this file: reloading Postfix. It doesn’t automatically notice that a change has happened, and needs to be told. The quickest and least disruptive way to do this is to send a special signal to Postfix, using this command:

docker kill -s HUP mail-receiver

If you then examine the logs for the mail-receiver container, you should see Postfix mentioning a config reload.

That’s it. Enjoy a less-abused mail system.

12 Likes

Thanks, Matt! Much appreciated. I owe you at least a :beer: for this super helpful howto. I have now implemented the above and added the offending domains to it - I’ve let it go for an hour and so far it’s been quiet.

One clarification: In setup above, you use the /var/docker.. path when I think you mean /var/discourse.. - though I suspect different instances may use different paths depending on when they were set up. These days I suspect most people use /var/discourse.. which is also reflected in the other howto you link to for setting up direct delivery.

5 Likes

You are correct. For hysterical raisins we use /var/docker internally, so that’s the path that comes to mind. I’ve updated the howto.

4 Likes

hysterical. :laughing:

3 Likes