Sometimes we want to block specific domains from sending email to any of our users. If you followed the instructions to prevent nested address spoofing, the mechanism to perform system-wide sender domain blocking is already in place. If you haven’t yet deployed the nested address spoofing protection, please go ahead and do that now, as it will block a large number of phishing attack emails. Come back here after you are done. OK?
Let’s say you keep getting blasted with promotions for sales lead generation or other unwanted marketing services from salespeople at the bestsalesleadgenerators.com domain. Some of your staff have probably already added the domain or one of the senders to their email Filters, but filter processing is very expensive from a resource standpoint. Blocking these senders at the front door is much more efficient.
To do so, all we need to do is add those domains to the /opt/zimbra/conf/sender_pcre file on our Zimbra MTA, understanding that this file has some syntax requirements (documented here).
Here’s what the file looks like after adding that problematic domain we want to block:
/@.*@/ reject
/bestsalesleadgenerators\.com/ reject
After you edit the file, we need to let Postfix know about it, so just run as the zimbra user:
postfix reload
You are done!
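If you want to block additional domains, just add them, each on a new line. Please note that blocking a specific domain will also block all subdomains! The pattern is not anchored, so it matches anywhere in the sender address, which is why subdomains are caught too, along with any other address that happens to contain the same string.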
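To see how that matching behaves before touching the MTA, here is an added example (not from the original post and not Zimbra code): a small Python stand-in for the table lookup, run over constructed sender addresses. Python's re module substitutes for PCRE, and the anchored rule in ANCHORED_TABLE is an assumed tighter alternative that the post does not use.

```python
import re

# The two rules from the post's sender_pcre file.
PAGE_TABLE = r"""
/@.*@/ reject
/bestsalesleadgenerators\.com/ reject
"""
# Assumed variant (not in the post): domain rule anchored to domain + subdomains.
ANCHORED_TABLE = r"""
/@.*@/ reject
/[@.]bestsalesleadgenerators\.com$/ reject
"""

# Constructed sample envelope senders.
SAMPLES = [
    "sales@bestsalesleadgenerators.com",
    "Promo@mail.BestSalesLeadGenerators.com",       # subdomain, mixed case
    "info@notbestsalesleadgenerators.com",          # different domain
    "bob@bestsalesleadgenerators.com.example.org",  # different domain
    "ceo@corp.example@other.example",               # nested address
    "alice@partner.example",
]

def parse_table(text):
    """Parse '/pattern/ action' lines (no flags, no if/endif blocks)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(\S.*)$", line)
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        # Postfix pcre tables match case-insensitively by default.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, sender):
    # First matching rule wins; None means this table gives no verdict.
    for pattern, action in rules:
        if pattern.search(sender):  # the whole address is searched, unanchored
            return action
    return None

def compare(senders=SAMPLES):
    """Map each sender to (verdict from PAGE_TABLE, verdict from ANCHORED_TABLE)."""
    page, anchored = parse_table(PAGE_TABLE), parse_table(ANCHORED_TABLE)
    return {s: (lookup(page, s), lookup(anchored, s)) for s in senders}

if __name__ == "__main__":
    print(*(f"{s}: page={p} anchored={a}" for s, (p, a) in compare().items()), sep="\n")
```

On the MTA itself, `postmap -q <address> pcre:/opt/zimbra/conf/sender_pcre` run as the zimbra user queries the real table with the real PCRE engine.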
You can see the results of your good efforts in the Daily Mail Report in the “Sender address rejected” section:
Sender address rejected: Access denied (total: 278)
    13   noreply@leadgenmarketingfirm1.info
    12   postmaster@leadgenmarketingfirm2.io
     2   us@ev72.leadgenmarketingfirm3.net
     1   eemmal@leadgenmarketingfirm4.com
     1   ghernandez@leadgenmarketingfirm5.com
     1   ishan@s1004.dictionaryattackerdomain.com
     1   chris@s1009.dictionaryattackerdomain.com
     1   jaymclaughlin@s144.dictionaryattackerdomain.com
     1   isehgal@s159.dictionaryattackerdomain.com
     1   sameera_takhtani@s176.dictionaryattackerdomain.com
     1   dennis@s186.dictionaryattackerdomain.com
     1   stakhtani@s244.dictionaryattackerdomain.com
     1   jca@s264.dictionaryattackerdomain.com
     1   ishan.sehgal@s273.dictionaryattackerdomain.com
<snip>
Hope that helps,
L. Mark Stone
Mission Critical Email LLC
26 May 2022; Updated 11 June 2022 with Daily Mail Report data
The information provided in this blog is intended for informational and educational purposes only. The views expressed herein are those of Mr. Stone personally. The contents of this site are not intended as advice for any purpose and are subject to change without notice. Mission Critical Email makes no warranties of any kind regarding the accuracy or completeness of any information on this site, and we make no representations regarding whether such information is up-to-date or applicable to any particular situation. All copyrights are reserved by Mr. Stone. Any portion of the material on this site may be used for personal or educational purposes provided appropriate attribution is given to Mr. Stone and this blog.