Setup Email Server From Scratch Debian #2 - 13 Reducing Server Load With Postscreen
We believe in data independence, and support others who want data independence.
Debian Email From Scratch version 2 finished 2025-07-30.
We are still adding to it but it all works!
########################################
# Reducing Server Load With Postscreen #
########################################
# Postfix can spawn up to 100 processes to handle SMTP connections so it is
# better to reduce the number of spammy connections before they hit postfix,
# enter Postscreen.
# postscreen answers port 25 itself: it applies the access list, the weighted
# DNSBL/DNSWL score and the protocol tests configured in main.cf below, and only
# hands clients that pass on to a real smtpd process.
nano /etc/postfix/master.cf
# ---
# master.cf columns: service type private unpriv chroot wakeup maxproc command
# The original smtpd entry for port 25 is replaced by postscreen; maxproc is 1
# because a single postscreen process multiplexes all inbound connections.
#smtp inet n - y - - smtpd
smtp inet n - y - 1 postscreen
# "pass" service: receives the connections postscreen has already accepted.
smtpd pass - - y - - smtpd
# dnsblog does the parallel DNSBL/DNSWL lookups for postscreen (maxproc 0 = no limit).
dnsblog unix - - y - 0 dnsblog
# tlsproxy lets postscreen handle STARTTLS from clients it is still testing.
tlsproxy unix - - y - 0 tlsproxy
# ---
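nano /etc/postfix/main.cf
# --- add to end of file
# Postscreen
# The access list is consulted first (first match wins): "permit" skips every
# postscreen test below, "reject" is handled by postscreen_blacklist_action.
# Only the hand-maintained cidr file is listed here. The Postwhite SPF whitelist
# (postscreen_spf_whitelist.cidr) is appended to this line in the Postwhite step
# further down, once the file exists - postscreen logs errors and may refuse
# connections when a cidr table it is told to open does not exist yet.
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
# enforce = let the tests finish, then reject with 550 and log helo/sender/recipient
# drop    = disconnect immediately with 521
#postscreen_greet_action = enforce
postscreen_greet_action = drop
# A client is rejected once its weighted DNSBL score reaches the threshold
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
# Continuation lines of a multi-line value must start with whitespace.
# Lists that also return status/error codes are filtered to their listing codes:
# zen.spamhaus.org answers 127.255.255.x when queried through a public resolver
# or over quota, and without the =127.0.0.[2..11] filter every such answer would
# score 3 and block all inbound mail. If you have a DQS key, use the
# your_dq_key.zen.dq.spamhaus.net zone shown for reject_rbl_client instead.
# NOTE(review): dnsbl.sorbs.net is reported to have ceased operation in 2024 -
# confirm it still answers, or remove it.
postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3,
    b.barracudacentral.org=127.0.0.[2..11]*2,
    bl.spameatingmonkey.net*2,
    bl.spamcop.net,
    dnsbl.sorbs.net,
    swl.spamhaus.org*-4,
    list.dnswl.org=127.[0..255].[0..255].0*-2,
    list.dnswl.org=127.[0..255].[0..255].1*-4,
    list.dnswl.org=127.[0..255].[0..255].[2..3]*-6
# Deep protocol tests ("after 220 greeting") delay mail from google, zimbra is ok
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce
# ways to make google better: a client whose combined DNSWL score is -2 or lower
# skips the before/after-220 protocol tests, so well-listed senders get through first time
postscreen_dnsbl_whitelist_threshold = -2
# ---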
# Comment these out in smtpd_recipient_restrictions so each client IP is not
# checked twice (postscreen already does the DNSBL/DNSWL scoring at connection
# time), and the policy service on port 10023 becomes redundant once the deep
# protocol tests are enabled.
# NOTE(review): after this change clients that are permitted by the postscreen
# access list skip the Spamhaus/DNSWL checks entirely; that is intended, but
# keep it in mind when reading the access list and the Postwhite output.
nano /etc/postfix/main.cf
# ---
# "..." stands for the existing restrictions, which stay as they are.
smtpd_recipient_restrictions =
...
#check_policy_service inet:127.0.0.1:10023,
#reject_rbl_client your_dq_key.zen.dq.spamhaus.net=127.0.0.[2..11],
#permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
# ---
nano /etc/postfix/postscreen_access.cidr
# ---
# cidr table for postscreen_access_list: one "network action" per line, first match wins.
# permit = skip all postscreen tests (DNSBL scoring and protocol tests included)
# reject = permanently denied; postscreen_blacklist_action in main.cf decides how
# Permit my own IP addresses.
# (replace with the addresses of your own hosts)
15.204.113.148 permit
2604:2dc0:202:300::3645 permit
# permanently blacklist
# (example range - 192.168.12.0/24 is a private RFC 1918 network)
192.168.12.0/24 reject
# ---
# Restart so the master.cf and main.cf changes take effect.
systemctl restart postfix
# Check the journal right afterwards for postscreen startup problems, for example
# an access-list cidr file that does not exist yet:
#   journalctl -u postfix@-.service
# Remember with this setup the first connection to the server will be rejected, SMTP clients will
# reconnect, google for example will connect to the second MX, which as we have configured it is
# the same, so the second connection from google to our MX server will be accepted.
# This applies to clients that are neither on the access list nor below
# postscreen_dnsbl_whitelist_threshold: the deep protocol tests run after the 220
# greeting, so the first attempt is answered with a temporary 4xx and the sender retries.
# Enable Postwhite
# Postwhite builds a postscreen whitelist from the published SPF records of large
# mail providers, so mail from those ranges skips the postscreen tests entirely.
# NOTE(review): both repositories are cloned unpinned and their scripts run as
# root (daily, from the cron entries below); review what you clone and consider
# pinning a tag or commit.
cd /usr/local/bin
sudo git clone https://github.com/spf-tools/spf-tools.git
sudo git clone https://github.com/stevejenkins/postwhite.git
# postwhite.conf holds Postwhite's settings (presumably including which providers
# are fetched) - review it before the first run.
cp /usr/local/bin/postwhite/postwhite.conf /etc
/usr/local/bin/postwhite/postwhite
# The file is saved as /etc/postfix/postscreen_spf_whitelist.cidr
# Confirm it exists and is not empty before referencing it from main.cf.
ls -l /etc/postfix/postscreen_spf_whitelist.cidr
nano /etc/postfix/main.cf
# --- now that the file exists, the access list should read as follows
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr cidr:/etc/postfix/postscreen_spf_whitelist.cidr
# ---
# NOTE(review): no reload is shown here; the main.cf change takes effect only
# after postfix is reloaded or restarted.
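# Setup whitelist cron
# Cron has no inline comments: everything after the schedule is handed to /bin/sh,
# so a trailing "#..." only survives as a shell comment. Keep notes on their own lines.
crontab -e
# ---
# Daily pflogsumm report built from yesterday's postfix journal, mailed to the postmaster
0 0 * * * /usr/bin/journalctl --no-pager --since=yesterday -u postfix@-.service | /usr/sbin/pflogsumm -d yesterday | mutt -s "Postfix log summary" -- postmaster@okdeb.com
# Update Postscreen Whitelists (rewrites /etc/postfix/postscreen_spf_whitelist.cidr).
# Output and errors are discarded, so a failed run only shows up as a stale whitelist.
@daily /usr/local/bin/postwhite/postwhite > /dev/null 2>&1
# Update Yahoo! IPs for Postscreen Whitelists
@weekly /usr/local/bin/postwhite/scrape_yahoo > /dev/null 2>&1
# ---
# Don't forget to check your daily reports from pflogsumm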