• Home
• About
• Usage
• Removal
• Stats
• Registration

Configuring SpamRATS on Postfix

How to configure SpamRATS RBLs on Postfix MTA

Postfix can be configured to check the IP address of incoming messages with the SpamRATS RBL. This can be done with the smtpd_recipient_restrictions parameter found in the main Postfix configuration file. Usually this file is located at /etc/postfix/main.cf. If the smtpd_recipient_restrictions parameter does not already exist in the file, you will have to add it.

For example using the individual SpamRATS RBLs:

smtpd_recipient_restrictions =
      ...
      reject_rbl_client [YOUR_API_KEY].noptr.spamrats.com=127.0.0.37,
      reject_rbl_client [YOUR_API_KEY].spam.spamrats.com=127.0.0.38,
      reject_rbl_client [YOUR_API_KEY].dyna.spamrats.com=127.0.0.36,
      ... 

NOTE: Do NOT use the RATS-Auth return code for Inbound Email!

How to configure SpamRATS Authentication RBL on Postfix

Postfix can be configured to check the connecting IP address to the submission port (587) with the SpamRATS RBL. This can be done by configuring the submission service line found in the master Postfix configuration file. Usually this file is located at /etc/postfix/master.cf. If the submission service line does not already exist in the file, you will have to add it. If you also allow connections on port 465, you should create a configuration for that as well.

submission inet n       -       y       -       - smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_delay_reject=no
      -o { smtpd_client_restrictions = reject_rbl_client [YOUR_API_KEY].auth.spamrats.com=127.0.0.43, permit }
      -o { smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject }

Warning: Please remember that you MAY not be able to query from some DNS servers, especially without an API key. You should use a DNS servers that clearly identifies who is making the query (PTR Record). Consider using your own local resolver if you have troubles. With a subscription, there are alternative ways to get data.

Caveats and Testing that it Works

RBL's work using DNS, and you should ALWAYS look for the correct IP Address being returned. Simply getting a "result" doesn't always mean the IP is listed. It should return the specific IP address, anything else might mean an error, and should be ignored and NOT rejected. Also, your DNS needs to be able to correctly query our mirrors. Bad firewall rules that prevent you from reaching our mirrors, means that you are not protected. You can always test at the command line first. A simple..

  host 36.0.0.127.[YOUR_API_KEY].dyna.spamrats.com
  host 1.0.0.127.[YOUR_API_KEY].dyna.spamrats.com
  

.. the first example should work and return 127.0.0.36, while the second example should return NXDOMAIN. (IP Not found). If that doesn't work, check your firewalls first, and check which DNS servers you are using, and finally test/check your API key is correct, and active before reaching out to us for support.

Blocked Users

You may find that your ability to query the SpamRATS DNSBL Public Mirrors has been restricted. This could be due to the usage not falling within our Terms of Service. Before restricting any queries we try to reach out via email. Please check to see if you received an email from sales@mthreat.com at your public email address. If you have received the message, please reply to it.

If you would like to continue using the SpamRATS RBLs, please contact us and include the IP(s) that you used to query in your email.

Go back to Usage page

Many thanks to our Sponsors, Subscription Holders, Users and Contributors.