Postfix Postscreen Tuning


Postfix: Postscreen Tuning Checklist

This section captures the recommended tuning of Postfix's postscreen(8), the lightweight daemon that screens inbound SMTP clients before a real smtpd(8) process is assigned to them. Use this guide to get rid of bad actors cheaply without breaking legitimate mail. Review and confirm your active configuration (postconf -n) before changing anything.


Tuning goals

  • Be strict on protocol violations (pipelining, bare newlines, non-SMTP commands).
  • Be measured on DNSBL behavior to avoid false positives with large providers.
  • Avoid unnecessary tempfails (4xx) to reputable senders.

1) Protocol tests: keep enabled + enforce

The pregreet test (postscreen_greet_*) is low-risk and high-value: a client that starts talking before the 220 banner is almost always a bot, and it is rejected before any smtpd(8) process is tied up. The three "deep" tests (pipelining, non-SMTP command, bare newline) catch further protocol abuse, but they come with one trade-off worth knowing before you enable them: postscreen cannot hand a session over to smtpd once it has read SMTP commands, so a first-time client that passes the deep tests is still deferred with a 450 at RCPT TO and has to reconnect. The pass is cached ("PASS NEW"), and the next connection is handed off straight away ("PASS OLD"). Real MTAs retry and are delayed once per cache TTL; sending software that never retries will not get through, so check that your transactional senders retry on 4xx.

postscreen_greet_action = enforce
postscreen_greet_wait = 5s

postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce

postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce

postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce

Optional tweak (slightly friendlier)

If legitimate senders time out waiting for the banner (uncommon; most MTAs wait minutes, far longer than 5s), you can shorten the delay. A shorter wait also narrows the window in which a pre-greeting bot is caught, so do not go much lower than this:

postscreen_greet_wait = 3s

2) DNSBL tuning: formatting, threshold, and action

A) Prefer comma-separated DNSBL site list

Postfix accepts comma- or whitespace-separated entries in postscreen_dnsbl_sites; commas make the list easier to read and edit, and the weights stand out. Each entry has the form domain[=filter][*weight]. Consider adding the reply filter as well: without one, any answer in 127.0.0.0/8 counts as a hit, including the 127.255.255.x error codes Spamhaus returns to queries sent through public resolvers or over the free-use query limit, so a filter such as =127.0.0.[2..11] on the zen entry keeps a resolver problem from being treated as a listing.

postconf -e 'postscreen_dnsbl_sites=zen.spamhaus.org*3, bl.spamcop.net*2, b.barracudacentral.org*2'

B) Raise DNSBL threshold to reduce false positives

With weights 3 / 2 / 2, a threshold of 3 means a single zen hit triggers the action (and the Postfix default threshold of 1 means any hit at all does).
If you want fewer false positives, use 5: a zen hit plus at least one other list (3 + 2) reaches it, while spamcop plus barracuda without zen (2 + 2 = 4) does not.

postconf -e 'postscreen_dnsbl_threshold=5'

C) Prefer DNSBL action “drop” vs “enforce”

DNSBLs are not perfect, so choose the action with its cost in mind. With enforce, postscreen lets the session continue through the remaining tests and rejects at RCPT TO with a 550 after logging the helo, sender and recipient; with drop it answers 521 and hangs up immediately, so a listed client costs nothing beyond the lookup. drop is the cheaper choice and the one recommended here; enforce's logged envelope is useful evidence if you ever need to investigate a suspected false positive.

postconf -e 'postscreen_dnsbl_action=drop'

Reminder: the three deep tests are switched on with postscreen_<test>_enable = yes, and their ..._action settings have no effect while the test is disabled.
The pregreet test has no enable switch (it runs whenever postscreen does; postscreen_greet_action decides what happens on a hit), and the DNSBL test is enabled simply by listing sites in postscreen_dnsbl_sites.
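An added example, not part of the original post: a dry run of the DNSBL policy in this section before you reload Postfix. It parses the postscreen_dnsbl_sites value with the weights above, sums the weights for whichever lists answered, applies postscreen_dnsbl_threshold, and classifies Spamhaus answers so that a resolver error is not mistaken for a listing. The function names and the sets of "hits" are illustrations of mine; 127.0.0.2 is Spamhaus's documented always-listed test address, and 127.255.255.252/254/255 are its documented non-listing error codes. Nothing here touches the network unless you call dnsbl_lookup yourself.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run the postscreen DNSBL policy.
set -f   # no pathname globbing: DNSBL entries contain * and [..] characters

DNSBL_SITES='zen.spamhaus.org*3, bl.spamcop.net*2, b.barracudacentral.org*2'
DNSBL_THRESHOLD=5

# dnsbl_weight SITE: weight from the domain[=filter][*weight] entry; Postfix's
# default weight is 1 when *weight is absent. Prints 0 for a site not configured.
dnsbl_weight() {
  for entry in $(printf '%s' "$DNSBL_SITES" | tr ',' ' '); do
    site=${entry%%\**}      # strip *weight
    site=${site%%=*}        # strip =filter
    if [ "$site" = "$1" ]; then
      weight=${entry##*\*}
      [ "$weight" = "$entry" ] && weight=1
      echo "$weight"
      return 0
    fi
  done
  echo 0
}

# dnsbl_rank "site site ...": weighted sum for the lists that returned a listing
# (negative weights, used for allowlists, simply subtract).
dnsbl_rank() {
  rank=0
  for hit in $1; do
    rank=$((rank + $(dnsbl_weight "$hit")))
  done
  echo "$rank"
}

# dnsbl_verdict "site site ...": drop when rank >= threshold, otherwise pass
dnsbl_verdict() {
  if [ "$(dnsbl_rank "$1")" -ge "$DNSBL_THRESHOLD" ]; then echo drop; else echo pass; fi
}

# classify_zen_reply ADDR: listing codes versus Spamhaus error codes. Without a
# =127.0.0.[2..11] filter, postscreen would count the 127.255.255.x errors as hits.
classify_zen_reply() {
  case "$1" in
    '')                          echo "not listed" ;;
    127.0.0.[2-9]|127.0.0.1[01]) echo "listed" ;;
    127.255.255.252)             echo "error: malformed query" ;;
    127.255.255.254)             echo "error: public/open resolver, query refused" ;;
    127.255.255.255)             echo "error: query volume limit exceeded" ;;
    *)                           echo "error: unexpected reply $1" ;;
  esac
}

# dnsbl_lookup IP DNSBL: live A lookup of the reversed address (needs dig and network)
dnsbl_lookup() {
  rev=$(printf '%s' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }')
  dig +short A "$rev.$2" | head -n 1
}

# Demo on constructed hit sets: a zen hit alone stays below 5, zen + spamcop meets it.
for hits in 'zen.spamhaus.org' 'zen.spamhaus.org bl.spamcop.net' 'bl.spamcop.net b.barracudacentral.org'; do
  printf '%-45s rank=%s verdict=%s\n' "$hits" "$(dnsbl_rank "$hits")" "$(dnsbl_verdict "$hits")"
done
for a in 127.0.0.2 127.0.0.4 127.255.255.254 ''; do
  printf 'zen reply %-18s -> %s\n' "'$a'" "$(classify_zen_reply "$a")"
done
# Live check from the MX itself (the test address must come back "listed"):
# command -v dig >/dev/null && classify_zen_reply "$(dnsbl_lookup 127.0.0.2 zen.spamhaus.org)"
```

Run the live check from the MX with the resolver Postfix actually uses; an "error: public/open resolver" answer there means the zen entry would be scoring noise rather than listings until you point Postfix at a local caching resolver.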

3) Cache behavior (reduce repeated work)

These are the Postfix defaults (7d retention, 12h cleanup), so setting them explicitly documents intent rather than changing behaviour; they suit a small/medium MX and keep repeat offenders from re-consuming resources. Retention is how long an expired cache entry is kept before it is removed (so a returning client is not treated as NEW just because its entry lapsed), and the cleanup interval is how often that removal runs. How long a passed test is trusted is a separate per-test TTL (postscreen_greet_ttl, postscreen_dnsbl_ttl, postscreen_pipelining_ttl and friends).

postconf -e 'postscreen_cache_retention_time=7d'
postconf -e 'postscreen_cache_cleanup_interval=12h'
postfix reload

Validation workflow (so you know it’s doing what you think)

A) Confirm your postscreen parameters

postconf -n | grep -E '^postscreen_(dnsbl|greet|pipelining|non_smtp|bare_newline|cache)'

postconf -n lists only parameters set in main.cf, so anything left at its default will be absent. To see the effective value either way, ask for the parameter directly, e.g. postconf postscreen_dnsbl_threshold.

B) Watch postscreen decisions in the logs

grep -n 'postfix/postscreen' /var/log/maillog | tail -n 80

The log path varies by distribution (/var/log/mail.log on Debian-family systems); on systemd hosts without a syslog file use journalctl -t postfix/postscreen -n 80.

You want to see mostly CONNECT/DISCONNECT, PASS NEW/PASS OLD, and "DNSBL rank N" events for junk IPs, and for known-good senders (Gmail/Microsoft/transactional providers) only PASS NEW once followed by PASS OLD. A single 450 for a first-time client is expected while the deep tests are on; the same sender being deferred again and again, or a 550 "blocked using ..." for an address you recognise, is what to investigate.
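As an added example (not from the original post), the script below reduces a postscreen log extract to one line per client plus a count of each decision, so the question "is postscreen doing what I think" gets an answer in numbers. The embedded log lines are constructed for this example using RFC 5737 documentation addresses; their shape follows what postscreen(8) logs (CONNECT, PREGREET, DNSBL rank, NOQUEUE: reject, PASS NEW/OLD, DISCONNECT), but your hostname, PIDs and timestamps will differ. Function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): summarise postscreen decisions per client.
# SAMPLE_LOG is constructed for this example; feed real lines in on stdin instead.
SAMPLE_LOG='Mar  3 10:15:01 mx postfix/postscreen[1234]: CONNECT from [203.0.113.10]:45122 to [198.51.100.5]:25
Mar  3 10:15:01 mx postfix/postscreen[1234]: PREGREET 11 after 0.12 from [203.0.113.10]:45122: EHLO bot\r\n
Mar  3 10:15:02 mx postfix/postscreen[1234]: DNSBL rank 5 for [203.0.113.10]:45122
Mar  3 10:15:02 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [203.0.113.10]:45122: 550 5.7.1 Service unavailable; client [203.0.113.10] blocked using zen.spamhaus.org; from=<spam@example.com>, to=<user@example.net>, proto=ESMTP, helo=<bot>
Mar  3 10:15:02 mx postfix/postscreen[1234]: DISCONNECT [203.0.113.10]:45122
Mar  3 10:15:05 mx postfix/postscreen[1234]: CONNECT from [192.0.2.25]:38012 to [198.51.100.5]:25
Mar  3 10:15:11 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [192.0.2.25]:38012: 450 4.3.2 Service currently unavailable; from=<a@example.org>, to=<b@example.net>, proto=ESMTP, helo=<mail.example.org>
Mar  3 10:15:11 mx postfix/postscreen[1234]: PASS NEW [192.0.2.25]:38012
Mar  3 10:15:11 mx postfix/postscreen[1234]: DISCONNECT [192.0.2.25]:38012
Mar  3 10:16:00 mx postfix/postscreen[1234]: CONNECT from [192.0.2.25]:38020 to [198.51.100.5]:25
Mar  3 10:16:00 mx postfix/postscreen[1234]: PASS OLD [192.0.2.25]:38020
Mar  3 10:17:00 mx postfix/postscreen[1234]: CONNECT from [198.51.100.77]:50001 to [198.51.100.5]:25
Mar  3 10:17:06 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [198.51.100.77]:50001: 450 4.3.2 Service currently unavailable; from=<c@example.org>, to=<d@example.net>, proto=ESMTP, helo=<relay.example.org>
Mar  3 10:17:06 mx postfix/postscreen[1234]: DISCONNECT [198.51.100.77]:50001
Mar  3 10:18:00 mx postfix/postscreen[1234]: CONNECT from [198.51.100.77]:50002 to [198.51.100.5]:25
Mar  3 10:18:06 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [198.51.100.77]:50002: 450 4.3.2 Service currently unavailable; from=<c@example.org>, to=<d@example.net>, proto=ESMTP, helo=<relay.example.org>
Mar  3 10:18:06 mx postfix/postscreen[1234]: DISCONNECT [198.51.100.77]:50002'

# classify_events: stdin = raw log lines; stdout = "<client ip>\t<event>" per postscreen line.
# The first bracketed address containing a dot or colon is the client (this skips the PID).
classify_events() {
  awk '
    /postfix\/postscreen\[/ {
      if (!match($0, /\[[0-9a-fA-F]+[.:][0-9a-fA-F.:]+]/)) next
      ip = substr($0, RSTART + 1, RLENGTH - 2)
      ev = $6
      if (ev == "PASS")          ev = "PASS " $7                                 # PASS NEW / PASS OLD
      else if (ev == "DNSBL")    ev = "DNSBL rank " $8                           # weighted rank reached
      else if (ev == "NOQUEUE:") ev = ($11 ~ /^4/ ? "TEMPFAIL " : "REJECT ") $11 # SMTP code of the reject
      print ip "\t" ev
    }'
}

# count_event EVENT: how many stdin lines classify as EVENT, e.g. "PASS NEW"
count_event() {
  classify_events | awk -F'\t' -v want="$1" '$2 == want { n++ } END { print n + 0 }'
}

# repeat_tempfails: clients deferred (4xx) more than once. One 450 per new client is
# expected while the deep protocol tests are on; repeats deserve a look.
repeat_tempfails() {
  classify_events | awk -F'\t' '$2 ~ /^TEMPFAIL/ { n[$1]++ } END { for (ip in n) if (n[ip] > 1) print ip }' | sort
}

# per_client: one line per IP with its sequence of decisions in log order
per_client() {
  classify_events | awk -F'\t' '
    { seq[$1] = ($1 in seq) ? seq[$1] " > " $2 : $2 }
    END { for (ip in seq) print ip ": " seq[ip] }' | sort
}

# Demo on the constructed sample. For real mail:
#   grep 'postfix/postscreen' /var/log/maillog | per_client
printf '%s\n' "$SAMPLE_LOG" | per_client
echo "--- event counts ---"
printf '%s\n' "$SAMPLE_LOG" | classify_events | cut -f2 | sort | uniq -c | sort -rn
echo "--- clients deferred more than once ---"
printf '%s\n' "$SAMPLE_LOG" | repeat_tempfails
```

In the sample, 192.0.2.25 shows the expected pattern for a good sender with deep tests enabled (one TEMPFAIL 450, PASS NEW, then PASS OLD on the next connection), 203.0.113.10 is a bot that pre-greeted and scored rank 5, and 198.51.100.77 is the case to chase: deferred twice and never passed.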

Recommended immediate change set (copy/paste)

This is the highest-value, lowest-risk change set: normalize the DNSBL list formatting, raise the threshold to reduce false positives,
and switch the DNSBL action to drop.

postconf -e 'postscreen_dnsbl_sites=zen.spamhaus.org*3, bl.spamcop.net*2, b.barracudacentral.org*2'
postconf -e 'postscreen_dnsbl_threshold=5'
postconf -e 'postscreen_dnsbl_action=drop'
postfix reload

After applying, re-run the parameter check and review postscreen logs for 10–20 minutes of normal inbound mail.

Tip: Keep this post updated as you adjust thresholds and lists. A short “what changed and why” section makes future troubleshooting significantly faster.