Setup Email Server From Scratch On FreeBSD #2 - 13 Postscreen

12 Amavis Clam AntiVirus <- Intro -> 25 IMAPSYNC

We believe in data independence, and support others who want data independence.
This tutorial was complete on 2025-08-14 except that there was no page for setting up postscreen.

This is version 2 and everything works.

########################################
# Reducing Server Load With Postscreen #
########################################

Postfix spawns a separate smtpd process for every SMTP connection, up to the
default_process_limit of 100, so it is better to turn away spammy connections
before each one ties up an smtpd process. Postscreen does exactly that: it is a
single process that triages incoming SMTP clients (access list, DNSBL score,
protocol tests) and only hands the ones that pass to smtpd. It has been built
into Postfix since 2.8.

postconf mail_version
mail_version = 3.10.3

The first step is to change master.cf. The example I had explained that
postscreen first scans the connection and then passes it to smtpd, so where
should the VERIFYING macro for SPF checking go? Postscreen never talks to the
milters; the milter macros are sent by smtpd, so the override belongs on the
smtpd pass service that postscreen feeds. I tried it there and everything works.

nano /usr/local/etc/postfix/master.cf
#smtp      inet  n       -       n       -       -       smtpd
#  -o milter_macro_daemon_name=VERIFYING
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
  -o milter_macro_daemon_name=VERIFYING
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy

nano /usr/local/etc/postfix/main.cf
--- add to end of file ---
# Postscreen
postscreen_access_list = permit_mynetworks
    cidr:/usr/local/etc/postfix/postscreen_access.cidr
    cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3
    b.barracudacentral.org=127.0.0.[2..11]*2
    bl.spameatingmonkey.net*2
    bl.spamcop.net
    dnsbl.sorbs.net
    swl.spamhaus.org*-4
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-4
    list.dnswl.org=127.[0..255].[0..255].[2..3]*-6

On FreeBSD the Postfix configuration lives under /usr/local/etc/postfix, so
both cidr paths must point there. Each DNSBL entry has an optional reply
filter (=127.0.0.[2..11] only counts the listed return codes) and a weight
(*3, *-4; no weight means 1). Weights are added up per client and the client
is rejected once the total reaches postscreen_dnsbl_threshold, while the
negative weights from the swl/dnswl whitelists pull the score back down.
Postfix treats a missing table as an error rather than as an empty list, so
make sure both cidr files exist before restarting; the Postwhite file is
generated further down, so create it as an empty file for now if you have not
run Postwhite yet.

Edit again to comment out or remove permit_dnswl_client and reject_rbl_client from smtpd_recipient_restrictions, since postscreen now does those DNSBL/DNSWL lookups once per client instead of smtpd repeating them for every recipient.

nano /usr/local/etc/postfix/main.cf
--- edit smtpd_recipient_restrictions comment/remove permit_dnswl_client and reject_rbl_client ---
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access pcre:/usr/local/etc/postfix/noreply_recipients,
    check_policy_service unix:private/policyd-spf,
    check_policy_service inet:127.0.0.1:10023,
    check_client_access hash:/usr/local/etc/postfix/rbl_override,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_reverse_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org
#   permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
#   permit_dnswl_client swl.spamhaus.org,
#   reject_rbl_client zen.spamhaus.org

Add the mail server's own external addresses so postscreen skips its checks when our own mail comes back to us. The file is a Postfix cidr table: one network per line, first match wins, permit hands the client straight to smtpd, and reject entries are handled by postscreen_blacklist_action.

nano /usr/local/etc/postfix/postscreen_access.cidr
147.135.37.135/32        permit
2604:2dc0:200:187::1/128 permit
# sample reject
192.168.22.22/32         reject

service postfix restart
postfix/postfix-script: stopping the Postfix mail system
postfix/postfix-script: starting the Postfix mail system

service postfix status
postfix is running as pid 36518


Pregreet test and other ways to improve postscreen performance and reduce mail delays.

The pregreet test catches clients that start talking before postscreen has
sent the 220 greeting, which real mail servers never do. With enforce the
client is allowed to continue and is rejected at RCPT TO, so the log line
shows sender and recipient; drop disconnects immediately and logs less.

nano /usr/local/etc/postfix/main.cf
postscreen_access_list = permit_mynetworks
    cidr:/usr/local/etc/postfix/postscreen_access.cidr
    cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
#postscreen_greet_action = drop
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce
# let clients with a good DNSWL score (e.g. google) skip the remaining tests
postscreen_dnsbl_whitelist_threshold = -2
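To see how the access list, the DNSBL weights and the two thresholds above combine, here is an added Python simulation of postscreen's decision order. It is example code written for this page, not Postfix code: the cidr and site lists are constructed copies of the files above, DNSBL answers are a hand-built dictionary instead of real DNS lookups, and it assumes that each postscreen_dnsbl_sites entry adds its weight at most once per client however many A records match its filter.

```python
# Added example for this page (not Postfix code): simulate the order in which
# postscreen applies postscreen_access_list, then the weighted DNSBL score.
# DNSBL answers are a constructed dict; no real DNS lookups are made.
import ipaddress
import re

# Constructed copy of /usr/local/etc/postfix/postscreen_access.cidr
ACCESS_CIDR = """
147.135.37.135/32        permit
2604:2dc0:200:187::1/128 permit
# sample reject
192.168.22.22/32         reject
"""

# Constructed copy of postscreen_dnsbl_sites from main.cf, one entry per line
DNSBL_SITES = """
zen.spamhaus.org*3
b.barracudacentral.org=127.0.0.[2..11]*2
bl.spameatingmonkey.net*2
bl.spamcop.net
dnsbl.sorbs.net
swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-4
list.dnswl.org=127.[0..255].[0..255].[2..3]*-6
"""
DNSBL_THRESHOLD = 3             # postscreen_dnsbl_threshold
DNSBL_WHITELIST_THRESHOLD = -2  # postscreen_dnsbl_whitelist_threshold

SITE_RE = re.compile(r"^([^=*\s]+)(?:=([0-9.\[\]]+))?(?:\*(-?\d+))?$")


def parse_access_list(text):
    """cidr: table -> [(network, action)] in file order; first match wins."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blanks
        if line:
            net, action = line.split()
            rules.append((ipaddress.ip_network(net, strict=False), action))
    return rules


def access_action(rules, client_ip):
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if net.version == addr.version and addr in net:
            return action
    return None                                     # not listed: run the tests


def parse_dnsbl_sites(text):
    """-> [(domain, reply filter or None, weight)]; weight defaults to 1."""
    sites = []
    for token in text.split():
        domain, pattern, weight = SITE_RE.match(token).groups()
        sites.append((domain, pattern, int(weight) if weight else 1))
    return sites


def reply_matches(pattern, reply):
    """Match a DNSBL A record against a filter such as 127.0.0.[2..11]."""
    if pattern is None:                             # no '=' filter: any reply counts
        return True
    octets = re.findall(r"\[\d+\.\.\d+\]|\d+", pattern)
    for want, got in zip(octets, reply.split(".")):
        m = re.fullmatch(r"\[(\d+)\.\.(\d+)\]", want)
        lo, hi = (int(m.group(1)), int(m.group(2))) if m else (int(want), int(want))
        if not lo <= int(got) <= hi:
            return False
    return True


def dnsbl_rank(sites, replies):
    """replies = {dnsbl domain: [A records]} for one client. Each site entry adds
    its weight once if any reply matches its filter (assumed postscreen accounting)."""
    return sum(weight for domain, pattern, weight in sites
               if any(reply_matches(pattern, r) for r in replies.get(domain, [])))


def postscreen_decision(client_ip, replies,
                        rules=parse_access_list(ACCESS_CIDR),
                        sites=parse_dnsbl_sites(DNSBL_SITES)):
    """Return (verdict, rank) in the order postscreen applies the checks."""
    action = access_action(rules, client_ip)
    if action == "permit":
        return ("WHITELISTED", 0)       # straight to smtpd, no tests
    if action == "reject":
        return ("BLACKLISTED", 0)       # postscreen_blacklist_action = drop
    rank = dnsbl_rank(sites, replies)
    if rank >= DNSBL_THRESHOLD:
        return ("REJECT", rank)         # 550 at RCPT TO (postscreen_dnsbl_action = enforce)
    if rank <= DNSBL_WHITELIST_THRESHOLD:
        return ("PASS", rank)           # good DNSWL score, skips the deep tests
    return ("DEEP-TESTS", rank)         # pregreet/pipelining/... still decide


if __name__ == "__main__":
    cases = {   # constructed clients and DNSBL answers, not real lookups
        "147.135.37.135": {},
        "192.168.22.22": {},
        "203.0.113.5": {"zen.spamhaus.org": ["127.0.0.4"], "bl.spamcop.net": ["127.0.0.2"]},
        "198.51.100.7": {"b.barracudacentral.org": ["127.0.0.2"]},
        "192.0.2.26": {"list.dnswl.org": ["127.0.5.1"], "zen.spamhaus.org": ["127.0.0.2"]},
    }
    for ip, answers in cases.items():
        print(f"{ip:18} {postscreen_decision(ip, answers)}")
```

The ordering is the point: a permit entry in postscreen_access.cidr short-circuits everything, one zen listing (weight 3) is enough to reject on its own, a client listed only by Barracuda (weight 2) still goes on to the deep tests, and a dnswl listing at -4 cancels a zen listing outright. That last case is why the negative weights and postscreen_dnsbl_whitelist_threshold should stay conservative.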

Deep Protocol Tests

The pipelining, non-SMTP-command and bare-newline tests above are postscreen's
"deep" protocol tests. They run after the 220 greeting, so by the time a new
client has passed them postscreen can no longer hand the session over to smtpd;
it answers the first RCPT TO with a 450 temporary error and the client has to
come back later, which is exactly what greylisting does. Comment out the
greylisting policy service on port 10023 so the same clients are not delayed
twice:

nano /usr/local/etc/postfix/main.cf
smtpd_recipient_restrictions = ...
    # check_policy_service inet:127.0.0.1:10023,
    ...


Remember that with this setup the first connection from a new client is deferred
with a 450 after it passes the tests. Well-behaved SMTP clients reconnect, and
postscreen caches the result (postscreen_cache_map), so the delay happens once
per client address rather than once per message. Google, for example, retries
on the second MX, which as we have configured it is the same server, so Google's
second connection to our MX is accepted.

Postwhite

Postwhite builds a postscreen whitelist from the published SPF records of the
big mail providers (it uses spf-tools to expand them), so their outbound servers
skip the tests and the reconnect delay above. Clone both into /usr/local/bin and
copy the sample config to /etc.

cd /usr/local/bin
sudo git clone https://github.com/spf-tools/spf-tools.git
sudo git clone https://github.com/stevejenkins/postwhite.git
cp /usr/local/bin/postwhite/postwhite.conf /etc

Configure Postwhite

nano /etc/postwhite.conf
# FILE PATHS
spftoolspath=/usr/local/bin/spf-tools
postfixpath=/usr/local/etc/postfix
postfixbinarypath=/usr/local/sbin
whitelist=postscreen_spf_whitelist.cidr
blacklist=postscreen_spf_blacklist.cidr
yahoo_static_hosts=/usr/local/bin/postwhite/yahoo_static_hosts.txt

Run Postwhite

/usr/local/bin/postwhite/postwhite

The whitelist is written to postfixpath from postwhite.conf, i.e. /usr/local/etc/postfix/postscreen_spf_whitelist.cidr, which is the path main.cf refers to.

ls -l /usr/local/etc/postfix/postscreen_access.cidr
ls -l /usr/local/etc/postfix/postscreen_spf_whitelist.cidr

nano /usr/local/etc/postfix/main.cf
postscreen_access_list = permit_mynetworks cidr:/usr/local/etc/postfix/postscreen_access.cidr cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr

service postfix restart
service postfix status

Set up a cron job to refresh the Postwhite list (provider SPF records change, so the whitelist goes stale)

crontab -e
0 2 * * 1   /usr/local/bin/certbot renew --quiet && apachectl restart
30 0 * * *  bzcat /var/log/maillog.0.bz2 | pflogsumm -d yesterday | /usr/local/bin/mutt -s "Postfix log summary" -- postmaster@okbsd.com
0 1 * * *   /usr/local/bin/sa-update && service sa-spamd restart
0 2 */2 * * /usr/local/bin/postwhite/postwhite > /dev/null 2>&1 #Update Postscreen Whitelists

Don't forget to check your daily reports from pflogsumm
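pflogsumm reports what smtpd rejected but not which postscreen test caught a client, so here is an added Python summary of postscreen activity in /var/log/maillog. It is example code written for this page, not part of Postfix or pflogsumm; the log lines embedded in it are constructed samples in the format postscreen and dnsblog write (addresses are documentation ranges, not real traffic), and the category names and helper functions are my own.

```python
# Added example for this page (not Postfix or pflogsumm code): count what
# postscreen did with each client and which DNSBLs listed the rejected ones.
# Stand-alone it summarises the constructed SAMPLE_LOG below; on a real server:
#   bzcat /var/log/maillog.0.bz2 | python3 postscreen_summary.py
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines in postscreen/dnsblog log format (not real traffic)
SAMPLE_LOG = """\
Aug 14 03:12:01 mx postfix/postscreen[36520]: CONNECT from [203.0.113.5]:41022 to [147.135.37.135]:25
Aug 14 03:12:01 mx postfix/dnsblog[36521]: addr 203.0.113.5 listed by domain zen.spamhaus.org as 127.0.0.4
Aug 14 03:12:01 mx postfix/dnsblog[36522]: addr 203.0.113.5 listed by domain bl.spamcop.net as 127.0.0.2
Aug 14 03:12:02 mx postfix/postscreen[36520]: PREGREET 11 after 0.08 from [203.0.113.5]:41022: EHLO spam\\r\\n
Aug 14 03:12:07 mx postfix/postscreen[36520]: DNSBL rank 4 for [203.0.113.5]:41022
Aug 14 03:12:08 mx postfix/postscreen[36520]: NOQUEUE: reject: RCPT from [203.0.113.5]:41022: 550 5.7.1 Service unavailable; client [203.0.113.5] blocked using zen.spamhaus.org; from=<x@example.net>, to=<postmaster@okbsd.com>, proto=ESMTP, helo=<spam>
Aug 14 03:12:08 mx postfix/postscreen[36520]: DISCONNECT [203.0.113.5]:41022
Aug 14 03:15:40 mx postfix/postscreen[36520]: CONNECT from [198.51.100.7]:55100 to [147.135.37.135]:25
Aug 14 03:15:46 mx postfix/postscreen[36520]: NOQUEUE: reject: RCPT from [198.51.100.7]:55100: 450 4.3.2 Service currently unavailable; from=<a@example.org>, to=<postmaster@okbsd.com>, proto=ESMTP, helo=<mail.example.org>
Aug 14 03:15:46 mx postfix/postscreen[36520]: PASS NEW [198.51.100.7]:55100
Aug 14 03:15:46 mx postfix/postscreen[36520]: DISCONNECT [198.51.100.7]:55100
Aug 14 03:20:02 mx postfix/postscreen[36520]: CONNECT from [198.51.100.7]:55231 to [147.135.37.135]:25
Aug 14 03:20:02 mx postfix/postscreen[36520]: PASS OLD [198.51.100.7]:55231
Aug 14 05:02:00 mx postfix/postscreen[36520]: CONNECT from [192.0.2.9]:1200 to [147.135.37.135]:25
Aug 14 05:02:00 mx postfix/postscreen[36520]: WHITELISTED [192.0.2.9]:1200
Aug 14 05:03:00 mx postfix/postscreen[36520]: CONNECT from [192.0.2.77]:3333 to [147.135.37.135]:25
Aug 14 05:03:01 mx postfix/postscreen[36520]: HANGUP after 0.6 from [192.0.2.77]:3333 in tests before SMTP handshake
Aug 14 05:03:01 mx postfix/postscreen[36520]: DISCONNECT [192.0.2.77]:3333
"""

EVENT_RE = re.compile(
    r"postfix/postscreen\[\d+\]: "
    r"(CONNECT|PREGREET|HANGUP|PIPELINING|NON-SMTP COMMAND|BARE NEWLINE|"
    r"DNSBL rank \d+|NOQUEUE: reject|PASS NEW|PASS OLD|WHITELISTED|BLACKLISTED)")
CLIENT_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]:\d+")          # first [ip]:port is the client
DNSBLOG_RE = re.compile(r"postfix/dnsblog\[\d+\]: addr (\S+) listed by domain (\S+) as (\S+)")
REPLY_CODE_RE = re.compile(r"NOQUEUE: reject: \w+ from \[[^\]]+\]:\d+: (\d{3}) ")
TEST_FAILURES = ("PREGREET", "HANGUP", "PIPELINING", "NON-SMTP COMMAND", "BARE NEWLINE")


def summarize(log_text):
    """Return counts per postscreen outcome, per-client test failures and DNSBL listings."""
    counts = Counter()
    reasons = defaultdict(list)    # client ip -> which tests it failed
    listings = defaultdict(list)   # client ip -> [(dnsbl, reply)] from dnsblog
    for line in log_text.splitlines():
        m = DNSBLOG_RE.search(line)
        if m:
            listings[m.group(1)].append((m.group(2), m.group(3)))
            continue
        m = EVENT_RE.search(line)
        if not m:
            continue
        event, client = m.group(1), CLIENT_RE.search(line).group(1)
        if event == "NOQUEUE: reject":
            code = REPLY_CODE_RE.search(line).group(1)
            if code.startswith("4"):
                counts["deferred (450, will retry)"] += 1   # first contact after deep tests
            else:
                counts["rejected (550 DNSBL)"] += 1
                reasons[client].append("dnsbl")
        elif event.startswith("DNSBL rank"):
            counts["dnsbl lookups scored"] += 1
        elif event in TEST_FAILURES:
            counts[event.lower()] += 1
            reasons[client].append(event.lower())
        else:
            counts[event.lower()] += 1                     # connect, pass new/old, whitelisted, ...
    return {"counts": counts, "reasons": dict(reasons), "listings": dict(listings)}


def top_offenders(summary, n=5):
    """Clients that tripped the most tests, most active first."""
    return Counter({ip: len(r) for ip, r in summary["reasons"].items()}).most_common(n)


def report(summary):
    lines = [f"{k:30} {v}" for k, v in sorted(summary["counts"].items())]
    for ip, hits in top_offenders(summary):
        lists = ", ".join(f"{d}={r}" for d, r in summary["listings"].get(ip, []))
        lines.append(f"{ip:18} {hits} hit(s): {', '.join(summary['reasons'][ip])} {lists}")
    return "\n".join(lines)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(summarize(text)))
```

The two reject classes are the ones worth watching after a change: a rising "deferred (450, will retry)" count with few matching "pass old" lines means legitimate senders are not coming back, and a 550 with no dnsblog listing for that client points at a stale or misconfigured DNSBL weight.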
