Blocking top-level domains

Peter Lemieux mailscanner at
Tue Jul 22 21:35:20 IST 2014

In Postfix you need to add these directives to

smtpd_client_restrictions = reject_unknown_client_hostname,
       check_sender_access pcre:/etc/postfix/sender_access
smtpd_sender_restrictions = reject_unknown_sender_domain,
       check_sender_access pcre:/etc/postfix/sender_access

# block sending servers from non-US/CA locations
smtpd_helo_required = yes
smtpd_helo_restrictions =   check_helo_access

I use Perl-compatible regular expressions to match things I want to 
block.  Thus I have pcre: prefixes in each entry.  Postfix supports 
other methods as well including simple string matching.

My /etc/postfix/sender_access file looks like this:

# no mail from outsiders claiming to be us
/\.example\.com$/       REJECT

# no two-letter country-code domains except us/ca
/\.us$/                 OK
/\.ca$/                 OK
/\.[a-z][a-z]$/         REJECT US senders only

# various blacklists
/\.hostnoc\.net$/       REJECT
/\.pawlitenews\.com/    REJECT

This particular client is a small healthcare provider that does not need 
to receive mail from locales outside the US/CA.  Blocking foreign 
country-code domains cuts down a lot of spam.


On 07/22/2014 03:25 AM, Mogens Melander wrote:
> Sorry, I don't. But google gave me this:
> On Tue, July 22, 2014 04:11, Chris Barber wrote:
>> Ahh, brilliant! We are using postfix instead of sendmail, do you know what
>> the correspoding file in Postfix is for this?
>> Thanks!
>> Chris
>> -----Original Message-----
>> From: mailscanner-bounces at
>> [mailto:mailscanner-bounces at] On Behalf Of Mogens
>> Melander
>> Sent: Saturday, July 19, 2014 1:38 AM
>> To: mailscanner at
>> Subject: Re: Blocking top-level domains
>> Hi
>> I'm doing stuff like that in sendmail's access (/etc/mail/access) file,
>> with entries like:
>>    ERROR:"550 Reject : - Spam source"
>> Works like a charm :)
>> On Fri, July 18, 2014 19:47, Bryan Laurila wrote:
>>> I had an interesting situation creep up on me this week where I
>>> thought that something was happening (or being processed) in
>>> MailScanner/SpamAssassin but apparently it was not.
>>> I have two mail relay scanners running MailScanner & SpamAssassin on
>>> Suse Linux.  These boxes scan incoming mail for spam & viruses and
>>> then relay to my MS Exchange server.  I had an influx of spam this
>>> week coming in from several top-level domains that we wouldn't
>>> normally receive any valid emails from anyway, like .eu, .in, .asia,
>>> .club, etc.
>>> Upon investigating the situation I found that the Trend Micro Scan
>>> Mail service on my Exchange server crashed which lead me to the
>>> discovery that MailScanner & SpamAssassin weren't filtering mail from
>>> these unwanted top level domains as I thought and all that work was
>>> being done by my exchange server.
>>> So, the question of the day is...  Where is the best place to turn on
>>> filtering or set a rule somehow to filter unwanted top-level domains
>>> at the MailScanner/SpamAssassin servers?
>>> Like all things in IT there are probably multiple ways of doing this
>>> so I am curious as to what others are doing.  All thoughts & comments
>>> are welcome.
>>> Thanks!
>>> Bryan S. Laurila
>>> Senior Network Support Analyst
>>> Dickinson County Healthcare System
>>> 1721 South Stephenson Avenue
>>> Iron Mountain, Michigan 49801

More information about the MailScanner mailing list