Changing to policyd-weight from postfix’s built-in reject_rbl_client

Last week my own server – hosting some sites from old and relatively close client – had been hijacked, and got listed on some RBL lists.

Using apache2-mpm-itk it was quite easy to trace it back, because the spamsender process was running with a user’s id, not with simple www-data. Someone managed to log in with an FTP account, placed some scripts in the www directory, and started it from a web request. The real beauty was that the script removed itself after loading. It also sent the mails from the domain’s default name, so, unfortunately it wasn’t forged, and a lot of lists added my IP.

Using the help of mxtoolbox.com, a site for monitoring mailservers, a lot of hours and at least 10 apologizing mails I managed to remove myself. This reminded me, that I use the same method: RBL blockings right inside postfix’s main.conf.

So if anyone got listed on one the lists I use, I reject their mail just like it happened to me. I clearly feel now, that this is not the good approach. So I looked for some kind of weighted possibility, like spamassassin for spam, and I met policyd-weight. It is the perfect tool I was looking for, and the best, Ubuntu has it as package.

# apt-get install policyd-weight

The only thing: it doest not provide a default conf file, you need to create it with a build-in feature:
# policyd-weight defaults > /etc/policyd-weight.conf

You also need to add it to postfix’s main.conf, right into smtp_recipient_restrictions
# check_policy_service inet:127.0.0.1:12525,
You can also remove every RBL entry from here after this is enabled.

Reload postfix
# /etc/init.d/postfix reload

and your system is ready to use policyd-weight, a lot more sophisticated solution for RBL listings, than built-in version of postfix.

To see more, visit Ubuntu manpage of policyd-weight, or the poject’s website.