Setup Email Server From Scratch On FreeBSD #2 - 13 Reducing Server Load With Postscreen
Debian Email From Scratch version 2 finished 2025-07-30.
We are still adding to it, but it all works!
########################################
# Reducing Server Load With Postscreen #
########################################
Postfix starts one smtpd process per inbound SMTP connection, up to default_process_limit (100 unless
you change it), and every one of those processes is a fairly heavy thing to hand to a bot that only
wants to spew spam at us. It is much cheaper to reject the obviously bad clients before an smtpd is
ever started, and that is what postscreen does: a single long-running process owns port 25, runs cheap
tests on each new client (DNSBL lookups in parallel, "pregreet" detection, optionally deeper protocol
tests) and only hands the clients that pass over to a real smtpd. Good clients are remembered in a
cache so they are not tested again on their next connection.
nano /etc/postfix/master.cf
Comment out the smtp/inet line that starts smtpd directly and let postscreen own port 25 instead.
smtpd becomes a "pass" service that postscreen hands accepted connections to; dnsblog does the
parallel DNSBL lookups for postscreen and tlsproxy handles STARTTLS when a client asks for it during
the deep protocol tests. Fields are: service type private unpriv chroot wakeup maxproc command.
#smtp      inet  n       -       y       -       -       smtpd
smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
dnsblog   unix  -       -       y       -       0       dnsblog
tlsproxy  unix  -       -       y       -       0       tlsproxy
nano /etc/postfix/main.cf
--- add to end of file ---
# Postscreen
# Clients matched with "permit" in the access lists skip every test below; "reject" entries are
# dropped straight away (postscreen_blacklist_action; Postfix 3.6+ also accepts the newer name
# postscreen_denylist_action).
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr cidr:/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = drop
# A client that starts talking before it has seen our banner is a bot; drop it on the spot.
#postscreen_greet_action = enforce
postscreen_greet_action = drop
# Weighted DNSBL score: a client is blocked at >= 3, so a Spamhaus listing alone (*3) is enough,
# Barracuda (*2) needs one more list, and a dnswl listing (negative weights) can cancel a listing.
# The zen entry is filtered on 127.0.0.[2..11], the real listing codes, so that Spamhaus error
# replies in 127.255.255.0/24 (for example 127.255.255.254, returned when the query comes through
# a public resolver) are not scored as if the client were listed.
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3,
    b.barracudacentral.org=127.0.0.[2..11]*2,
    bl.spameatingmonkey.net*2,
    bl.spamcop.net,
    dnsbl.sorbs.net,
    swl.spamhaus.org*-4,
    list.dnswl.org=127.[0..255].[0..255].0*-2,
    list.dnswl.org=127.[0..255].[0..255].1*-4,
    list.dnswl.org=127.[0..255].[0..255].[2..3]*-6
# Deep protocol tests. These run after the banner, so once a new client has passed them postscreen
# can no longer hand that connection to smtpd; it answers 450 and the client has to come back.
# The author found this makes Google mail slow to arrive, while Zimbra copes fine.
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce
# Way to make Google (and anyone else with a good reputation) better: a client whose DNSBL score is
# at or below this threshold skips the greet wait and the deep protocol tests, so a dnswl-listed
# sender is never hit with the 450 on first contact.
postscreen_dnsbl_whitelist_threshold = -2
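To see how the weights above actually combine, here is an added example (not part of this tutorial and not Postfix's own code) that re-implements postscreen's DNSBL scoring in POSIX shell and awk: it parses a postscreen_dnsbl_sites value, applies the =d.d.d.d filters and *weight factors to DNSBL replies fed in on stdin as "domain reply-address" lines, and reports whether the client would be blocked, allowlisted (skipping the greet and deep tests) or simply passed on to the normal tests. The inputs are constructed scenarios; the rule that each matching entry adds its weight once per reply address is a simplifying assumption, and Postfix remains authoritative on corner cases. The page's original unfiltered zen entry is kept beside the filtered one to show why a Spamhaus error reply must not be scored.

```shell
#!/bin/sh
# Added example: emulate postscreen_dnsbl_sites scoring offline.
# Assumption: one weight per matching entry per reply address; Postfix is the authority
# on duplicate replies and other corner cases.

# The page's zen entry without a return-code filter (weak) ...
SITES_PAGE='zen.spamhaus.org*3, bl.spamcop.net, list.dnswl.org=127.[0..255].[0..255].0*-2'
# ... and the filtered form, so Spamhaus error codes (127.255.255.x) are never counted.
SITES_FIXED='zen.spamhaus.org=127.0.0.[2..11]*3,
b.barracudacentral.org=127.0.0.[2..11]*2,
bl.spamcop.net,
list.dnswl.org=127.[0..255].[0..255].0*-2,
list.dnswl.org=127.[0..255].[0..255].1*-4,
list.dnswl.org=127.[0..255].[0..255].[2..3]*-6'

# dnsbl_verdict SITES [THRESHOLD] [ALLOWLIST_THRESHOLD]; stdin: "dnsbl.domain reply.addr" per line.
dnsbl_verdict() {
    awk -v sites="$1" -v thr="${2:-3}" -v wl="${3:--2}" '
    # one pattern octet ("7" or "[2..11]") against one address octet
    function octet_ok(pat, val,   n, lo, hi) {
        if (substr(pat, 1, 1) == "[") {
            n  = index(pat, "..")
            lo = substr(pat, 2, n - 2) + 0
            hi = substr(pat, n + 2) + 0          # trailing "]" is dropped by numeric conversion
            return (val + 0 >= lo && val + 0 <= hi)
        }
        return (pat + 0 == val + 0)
    }
    # whole filter such as 127.[0..255].[0..255].[2..3] against a dotted-quad reply
    function addr_match(pat, addr,   a, i, e, tok, rest) {
        if (split(addr, a, ".") != 4) return 0
        rest = pat
        for (i = 1; i <= 4; i++) {
            if (substr(rest, 1, 1) == "[") {
                e = index(rest, "]"); tok = substr(rest, 1, e); rest = substr(rest, e + 2)
            } else {
                e = index(rest, ".")
                if (e == 0) { tok = rest; rest = "" }
                else { tok = substr(rest, 1, e - 1); rest = substr(rest, e + 1) }
            }
            if (!octet_ok(tok, a[i])) return 0
        }
        return 1
    }
    BEGIN {
        gsub(/,/, " ", sites)
        n = split(sites, ent)                    # entries look like domain[=filter][*weight]
        for (i = 1; i <= n; i++) {
            e = ent[i]; w = 1; p = ""
            if ((s = index(e, "*")) > 0) { w = substr(e, s + 1) + 0; e = substr(e, 1, s - 1) }
            if ((s = index(e, "=")) > 0) { p = substr(e, s + 1);     e = substr(e, 1, s - 1) }
            dom[i] = e; pat[i] = p; wgt[i] = w
        }
    }
    NF >= 2 {
        for (i = 1; i <= n; i++)
            if ($1 == dom[i] && (pat[i] == "" || addr_match(pat[i], $2)))
                score += wgt[i]
    }
    END {
        v = "pass"                               # goes on to greet / deep protocol tests
        if (score + 0 >= thr) v = "block"        # postscreen_dnsbl_action applies
        else if (score + 0 <= wl) v = "allowlist" # skips greet and deep protocol tests
        printf "score %d verdict %s\n", score + 0, v
    }'
}

# Constructed scenarios
printf 'zen.spamhaus.org 127.255.255.254\n' | dnsbl_verdict "$SITES_PAGE"    # score 3 verdict block (false positive)
printf 'zen.spamhaus.org 127.255.255.254\n' | dnsbl_verdict "$SITES_FIXED"   # score 0 verdict pass
printf 'zen.spamhaus.org 127.0.0.4\nlist.dnswl.org 127.0.5.0\n' | dnsbl_verdict "$SITES_FIXED"  # score 1 verdict pass
printf 'list.dnswl.org 127.0.9.3\n' | dnsbl_verdict "$SITES_FIXED"           # score -6 verdict allowlist
```

The first two scenarios are the point: with the page's bare `zen.spamhaus.org*3`, a Spamhaus error reply scores a full 3 and blocks every client for as long as your resolver is being refused, whereas the filtered entry ignores it. The third shows a dnswl listing pulling a single Spamhaus hit under the threshold, and the fourth a high-trust dnswl listing reaching the -2 allowlist threshold.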
Now comment out the smtpd_recipient_restrictions entries that postscreen already covers, so each
client IP is not looked up in the DNSBL and DNSWL twice, and also the check_policy_service on
127.0.0.1:10023 if deep protocol tests are enabled: if that is a greylisting service, the forced
reconnect from the deep tests already does the same job, and running both only delays mail further.
nano /etc/postfix/main.cf
smtpd_recipient_restrictions =
...
#check_policy_service inet:127.0.0.1:10023,
#reject_rbl_client your_dq_key.zen.dq.spamhaus.net=127.0.0.[2..11],
#permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
nano /etc/postfix/postscreen_access.cidr
# Permit my own IP addresses.
15.204.113.148 permit
2604:2dc0:202:300::3645 permit
# permanently blacklist
192.168.12.0/24 reject
systemctl restart postfix
Remember that with deep protocol tests enabled the first connection from any new client is answered
with a 450 temporary failure once the tests have passed, so the first connection is always rejected.
Real SMTP clients retry; Google, for example, will connect to the second MX, which as we have
configured it is the same host, so its second connection is accepted straight from postscreen's cache.
Spam software that never retries never gets a mailbox.
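To check what postscreen is actually doing with your traffic, here is an added example (not part of the tutorial) in POSIX shell and awk: a summary of postscreen log lines that counts connections, PASS NEW and PASS OLD, access-list hits, pregreeters, hang-ups, DNSBL blocks and 550/450 replies, and lists the IPs that tripped a test. The lines in sample_log are constructed in the shape Debian's journalctl prints for postfix; on the real server you would feed it journalctl -u postfix@-.service --since=yesterday instead. The threshold argument should mirror postscreen_dnsbl_threshold from main.cf.

```shell
#!/bin/sh
# Added example: triage postscreen log lines.
# Assumes Debian-style log lines: "<timestamp> <host> postfix/postscreen[PID]: MESSAGE".

# postscreen_summary [THRESHOLD]   (log lines on stdin; THRESHOLD = postscreen_dnsbl_threshold)
postscreen_summary() {
    awk -v thr="${1:-3}" '
    # first [addr] in a message, without the brackets
    function ipof(s) {
        if (match(s, /\[[0-9a-fA-F:.]+\]/)) return substr(s, RSTART + 1, RLENGTH - 2)
        return "?"
    }
    index($0, "postfix/postscreen[") == 0 { next }   # dnsblog, smtpd etc. are not postscreen
    {
        msg = $0
        sub(/.*postscreen\[[0-9]+\]: /, "", msg)
        if      (msg ~ /^CONNECT from /) connects++
        else if (msg ~ /^PASS NEW /)     pass_new++     # passed all tests for the first time
        else if (msg ~ /^PASS OLD /)     pass_old++     # cached as good, handed straight to smtpd
        else if (msg ~ /^(WHITELISTED|ALLOWLISTED) /) allowlisted++   # access list permit
        else if (msg ~ /^(BLACKLISTED|DENYLISTED) /)  denylisted++    # access list reject
        else if (msg ~ /^PREGREET /)     { pregreet++; bad[ipof(msg)]++ }   # talked before banner
        else if (msg ~ /^HANGUP /)       { hangup++;   bad[ipof(msg)]++ }   # left during tests
        else if (msg ~ /^DNSBL rank /) {
            split(msg, f, " ")
            if (f[3] + 0 >= thr) { dnsbl_block++; bad[ipof(msg)]++ }
        }
        else if (msg ~ /^NOQUEUE: reject: /) {
            if (msg ~ /: 550 /)      reject_550++   # hard reject (DNSBL enforce, denylist)
            else if (msg ~ /: 450 /) defer_450++    # come-back-later after deep protocol tests
        }
    }
    END {
        printf "connects %d\n",    connects + 0
        printf "pass_new %d\n",    pass_new + 0
        printf "pass_old %d\n",    pass_old + 0
        printf "allowlisted %d\n", allowlisted + 0
        printf "denylisted %d\n",  denylisted + 0
        printf "pregreet %d\n",    pregreet + 0
        printf "hangup %d\n",      hangup + 0
        printf "dnsbl_block %d\n", dnsbl_block + 0
        printf "reject_550 %d\n",  reject_550 + 0
        printf "defer_450 %d\n",   defer_450 + 0
        for (ip in bad) printf "bad %s %d\n", ip, bad[ip]
    }'
}

# Constructed sample log (TEST-NET addresses), one pregreeter, one DNSBL hit,
# one legitimate new client that gets the 450 and comes back, one allowlisted client.
sample_log() {
    cat <<'EOF'
Jul 30 10:00:01 mx postfix/postscreen[1234]: CONNECT from [203.0.113.5]:45234 to [192.0.2.10]:25
Jul 30 10:00:01 mx postfix/postscreen[1234]: PREGREET 11 after 0.21 from [203.0.113.5]:45234: EHLO x\r\n
Jul 30 10:00:01 mx postfix/postscreen[1234]: DISCONNECT [203.0.113.5]:45234
Jul 30 10:00:20 mx postfix/postscreen[1234]: CONNECT from [203.0.113.9]:50112 to [192.0.2.10]:25
Jul 30 10:00:20 mx postfix/dnsblog[1235]: addr 203.0.113.9 listed by domain zen.spamhaus.org as 127.0.0.4
Jul 30 10:00:26 mx postfix/postscreen[1234]: DNSBL rank 5 for [203.0.113.9]:50112
Jul 30 10:00:27 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [203.0.113.9]:50112: 550 5.7.1 Service unavailable; client [203.0.113.9] blocked using zen.spamhaus.org; from=<a@example.net>, to=<b@example.com>, proto=ESMTP, helo=<mail.example.net>
Jul 30 10:00:27 mx postfix/postscreen[1234]: DISCONNECT [203.0.113.9]:50112
Jul 30 10:01:00 mx postfix/postscreen[1234]: CONNECT from [198.51.100.7]:33011 to [192.0.2.10]:25
Jul 30 10:01:07 mx postfix/postscreen[1234]: PASS NEW [198.51.100.7]:33011
Jul 30 10:01:07 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [198.51.100.7]:33011: 450 4.3.2 Service currently unavailable; from=<c@example.org>, to=<b@example.com>, proto=ESMTP, helo=<mta.example.org>
Jul 30 10:01:07 mx postfix/postscreen[1234]: DISCONNECT [198.51.100.7]:33011
Jul 30 10:02:00 mx postfix/postscreen[1234]: CONNECT from [198.51.100.7]:33020 to [192.0.2.10]:25
Jul 30 10:02:00 mx postfix/postscreen[1234]: PASS OLD [198.51.100.7]:33020
Jul 30 10:03:00 mx postfix/postscreen[1234]: CONNECT from [192.0.2.50]:52001 to [192.0.2.10]:25
Jul 30 10:03:00 mx postfix/postscreen[1234]: WHITELISTED [192.0.2.50]:52001
Jul 30 10:04:00 mx postfix/postscreen[1234]: CONNECT from [203.0.113.5]:45300 to [192.0.2.10]:25
Jul 30 10:04:01 mx postfix/postscreen[1234]: HANGUP after 1.2 from [203.0.113.5]:45300 in tests before SMTP handshake
Jul 30 10:04:01 mx postfix/postscreen[1234]: DISCONNECT [203.0.113.5]:45300
EOF
}

# Demo on the constructed sample; on the server use
#   journalctl -u postfix@-.service --since=yesterday | postscreen_summary 3
sample_log | postscreen_summary 3
```

The PASS NEW followed by a 450 for 198.51.100.7, and the PASS OLD on its next connection, is exactly the reconnect dance described above; a sender that only ever shows up as PASS NEW plus 450 and never as PASS OLD is one whose retries are not reaching you.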
Enable Postwhite
Postwhite (https://github.com/stevejenkins/postwhite) resolves the published SPF records of the big
mail providers, using spf-tools for the lookups, and writes their sending IP ranges out as a permit
CIDR list for postscreen. Mail from those providers then skips the tests entirely instead of being
delayed by the 450 on first contact. Postwhite expects spf-tools alongside it under /usr/local/bin.
cd /usr/local/bin
sudo git clone https://github.com/spf-tools/spf-tools.git
sudo git clone https://github.com/stevejenkins/postwhite.git
cp /usr/local/bin/postwhite/postwhite.conf /etc
/usr/local/bin/postwhite/postwhite
The file is saved as /etc/postfix/postscreen_spf_whitelist.cidr
ls -l /etc/postfix/postscreen_spf_whitelist.cidr
nano /etc/postfix/main.cf
postscreen_access_list must reference that generated file; the Postscreen block added earlier
already does, so check the line reads as below and run postfix reload if you had to change it.
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr cidr:/etc/postfix/postscreen_spf_whitelist.cidr
Set up the cron jobs: a daily pflogsumm report by mail, a daily Postwhite refresh and a weekly
refresh of the Yahoo ranges (which Postwhite scrapes rather than getting from SPF)
crontab -e
0 0 * * * /usr/bin/journalctl --no-pager --since=yesterday -u postfix@-.service | /usr/sbin/pflogsumm -d yesterday | mutt -s "Postfix log summary" -- postmaster@okdeb.com
@daily /usr/local/bin/postwhite/postwhite > /dev/null 2>&1 #Update Postscreen Whitelists
@weekly /usr/local/bin/postwhite/scrape_yahoo > /dev/null 2>&1 #Update Yahoo! IPs for Postscreen Whitelists
Don't forget to read the daily pflogsumm reports; they are where you will notice a DNSBL that has
stopped answering or a legitimate sender that keeps getting deferred.