Blacklist by Header

nstk-2025

I'm trying to figure out how to block by Header domain. I've tried using various solutions with no luck. I've added a REGEX to my blacklist for the WHO, and I've added another Blacklist for the What using the MatchField From; neither works. I'm including my RegEx and email header info. These mail servers will send all kinds of marketing junk from various sender domains.

I am trying to block ANYTHING coming in from marketing mail servers that come in 'connect from' klaviyomail.com within the header info.
Again, these are 2 separate rules in my Blacklists.

Regex in WHO: (.*\.)?klaviyomail\.com.*
MatchField From in WHAT: klaviyomail.com

2025-11-07T09:07:04.100560-06:00 mx02 postfix/smtpd[456626]: connect from o1380.shared.klaviyomail.com[149.72.196.98]

2025-11-07T09:07:04.430205-06:00 mx02 postfix/smtpd[456626]: Anonymous TLS connection established from o1380.shared.klaviyomail.com[149.72.196.98]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
2025-11-07T09:07:04.714187-06:00 mx02 postfix/smtpd[456626]: AE32782: client=o1380.shared.klaviyomail.com[149.72.196.98]
2025-11-07T09:07:04.872870-06:00 mx02 postfix/cleanup[457025]: AE32782: message-id=<-6JY6BHfS222222222Xb7Gnw@geopod-ismtpd-1>
2025-11-07T09:07:05.032684-06:00 mx02 postfix/qmgr[756]: AE321782: from=<bounces+22962499-1893-myuser=mydomain.com@send.lolavie.com>, size=92498, nrcpt=1 (queue active)
2025-11-07T09:07:05.093142-06:00 mx02 pmg-smtp-filter[456939]: 21FAA6291292B: new mail message-id=<-6JY6BHfS22222222nw@geopod-ismtpd-1>
2025-11-07T09:07:05.093284-06:00 mx02 pmg-smtp-filter[456939]: 21FAA291292B: From: LolaVie <support@lolavie.com>
2025-11-07T09:07:05.119482-06:00 mx02 postfix/smtpd[456626]: disconnect from o1380.shared.klaviyomail.com[149.72.196.98] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
2025-11-07T09:07:06.047481-06:00 mx02 pmg-smtp-filter[456939]: 21FAA2191292B: SA score=0/5 time=0.838 bayes=undefined autolearn=disabled hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.5),DKIM_VALID_AU(-0.1),DMARC_PASS(-0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_BODY_MARKETINGBL_PCCC(0.001),KAM_MARKETINGBL_PCCC(1),RCVD_IN_MSPIKE_H4(0.001),RCVD_IN_MSPIKE_WL(0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)
2025-11-07T09:07:06.051737-06:00 mx02 postfix/smtpd[456747]: connect from localhost.localdomain[127.0.0.1]
2025-11-07T09:07:06.052587-06:00 mx02 postfix/smtpd[456747]: 0CC208E: client=localhost.localdomain[127.0.0.1], orig_client=o1380.shared.klaviyomail.com[149.72.196.98]
2025-11-07T09:07:06.053646-06:00 mx02 postfix/cleanup[456686]: 0CC28E: message-id=<-6JY6BHfSUG222222222od-ismtpd-1>
2025-11-07T09:07:06.099753-06:00 mx02 postfix/qmgr[756]: 0CC6208E: from=<bounces+22962499-1893-myuser=mydomain.com@send.lolavie.com>, size=93693, nrcpt=1 (queue active)
2025-11-07T09:07:06.099867-06:00 mx02 pmg-smtp-filter[456939]: 21FAA690E0B191292B: accept mail to <myuser@mydomain.com> (0CC2208E) (rule: default-accept)
2025-11-07T09:07:06.100274-06:00 mx02 postfix/smtpd[456747]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2025-11-07T09:07:06.103119-06:00 mx02 pmg-smtp-filter[456939]: 21FAA220B191292B: processing time: 1.02 seconds (0.838, 0.105, 0)
2025-11-07T09:07:06.103557-06:00 mx02 postfix/lmtp[456693]: AE3F721782: to=<myuser@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.5, delays=0.43/0/0.04/1, dsn=2.5.0, status=sent (250 2.5.0 OK (21FA22B191292B))
2025-11-07T09:07:06.104147-06:00 mx02 postfix/qmgr[756]: AE3F721782: removed
2025-11-07T09:07:06.154365-06:00 mx02 postfix/smtp[456619]: Trusted TLS connection established to 10.22.0.11[10.22.0.11]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2025-11-07T09:07:06.169733-06:00 mx02 postfix/smtp[456619]: 0CC632208E: to=<myuser@mydomain.com>, relay=10.22.0.11[10.22.0.11]:25, delay=0.12, delays=0.05/0/0.05/0.01, dsn=2.0.0, status=sent (250 Requested mail action okay, completed)
2025-11-07T09:07:06.170230-06:00 mx02 postfix/qmgr[756]: 0CC632208E: removed
 
Code:
What Objects - Add "BAD RCVD" - Add "Match Field"
Field: Received
Value: klaviyomail\.com
Then the "BAD RCVD" Object is added to the new rule "Block RCVD" with Action "Quarantine" (replace with "Block" after testing)
 
Welcome nstk-2025!

From your logs I understand that you want to block by "client" (in the SMTP meaning).
Particularly by using smtpd_client_restrictions

Mind that I don't know if there's a GUI option for that, but in the Postfix configuration I put in the main.cf file:

smtpd_client_restrictions =
...
check_client_access hash:/etc/postfix/badclients,
...

Then in /etc/postfix/badclients I put:

.klaviyomail.com REJECT
# or if the IP addresses are known and quite static:
149.72.196.98 REJECT

Next execute postmap hash:badclients

If you modify main.cf you must reload postfix.
After subsequently modifying badclients you don't need to reload postfix, just execute the above postmap command.

For details see
https://www.postfix.org/access.5.html
https://www.postfix.org/SMTPD_ACCESS_README.html#lists
https://www.postfix.org/postconf.5.html#smtpd_client_restrictions
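To see why the original Who regex never fired while the Received "Match Field" and the check_client_access table both catch this mail, here is an added dry-run script (not code from the thread or from Proxmox/Postfix) that pulls the connecting client, envelope sender and header From out of the quoted log lines and evaluates all three approaches against them. It assumes that PMG Who objects are matched against e-mail addresses (not the SMTP client), it synthesises a Received: header in the shape Postfix writes for the connecting client, and it approximates access(5) lookups (exact IP, exact hostname, leading-dot entry matches subdomains); the log excerpt is constructed from the lines posted above.

```python
import re

# Constructed excerpt, modelled on the log lines quoted earlier in the thread.
LOG_LINES = [
    "2025-11-07T09:07:04.714187-06:00 mx02 postfix/smtpd[456626]: AE32782: "
    "client=o1380.shared.klaviyomail.com[149.72.196.98]",
    "2025-11-07T09:07:05.032684-06:00 mx02 postfix/qmgr[756]: AE32782: "
    "from=<bounces+22962499-1893-myuser=mydomain.com@send.lolavie.com>, size=92498, nrcpt=1 (queue active)",
    "2025-11-07T09:07:05.093284-06:00 mx02 pmg-smtp-filter[456939]: 21FAA291292B: "
    "From: LolaVie <support@lolavie.com>",
]

CLIENT_RE = re.compile(r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
ENVELOPE_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
HEADER_FROM_RE = re.compile(r": From: .*?<?(?P<addr>[\w.+-]+@[\w.-]+)>?\s*$")

# The poster's Who object, and the Received match value from the reply above.
WHO_REGEX = re.compile(r"(.*\.)?klaviyomail\.com.*")
RECEIVED_VALUE = r"klaviyomail\.com"

# The access table from Badej's reply, as (key, action) pairs.
BADCLIENTS = [(".klaviyomail.com", "REJECT"), ("149.72.196.98", "REJECT")]


def extract_facts(lines):
    """Collect connecting client, envelope sender and header From from smtpd/qmgr/filter lines."""
    facts = {}
    for line in lines:
        if (m := CLIENT_RE.search(line)):
            facts["client_host"], facts["client_ip"] = m["host"], m["ip"]
        elif (m := ENVELOPE_RE.search(line)):
            facts["envelope_from"] = m["addr"]
        elif (m := HEADER_FROM_RE.search(line)):
            facts["header_from"] = m["addr"]
    return facts


def who_object_matches(facts):
    """Assumption: a PMG Who regex is tested against sender addresses, never the SMTP client."""
    return any(WHO_REGEX.fullmatch(facts[k]) for k in ("envelope_from", "header_from"))


def synth_received_header(facts):
    """Constructed Received: line in the form Postfix adds for the connecting client."""
    return (f"Received: from {facts['client_host']} ({facts['client_host']} [{facts['client_ip']}]) "
            "by mx02 (Postfix) with ESMTPS id AE32782")


def match_field_received(facts, value=RECEIVED_VALUE):
    """Regex search over the Received header, as the 'Match Field' object does."""
    return re.search(value, synth_received_header(facts)) is not None


def client_access_action(table, host, ip):
    """Approximate check_client_access: exact IP, exact hostname, '.domain' matches subdomains.
    Confirm the compiled entry on the box with: postmap -q .klaviyomail.com hash:/etc/postfix/badclients"""
    host = host.lower().rstrip(".")
    for key, action in table:
        key = key.lower()
        if key == ip or key == host:
            return action
        if key.startswith(".") and host.endswith(key):
            return action
    return None  # no entry: fall through to the remaining restrictions


def dry_run(lines):
    facts = extract_facts(lines)
    return {
        "who_regex": who_object_matches(facts),
        "received_field": match_field_received(facts),
        "client_access": client_access_action(BADCLIENTS, facts["client_host"], facts["client_ip"]),
    }


if __name__ == "__main__":
    for rule, result in dry_run(LOG_LINES).items():
        print(f"{rule:15} -> {result}")
```

Running it shows the Who regex returning False (the sender addresses are under lolavie.com, so a client-based domain never appears in the strings it is tested against), while the Received field check and the access table both catch the connection; paste further smtpd/qmgr lines into LOG_LINES to rehearse a table change before editing /etc/postfix/badclients.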
 
Code:
What Objects - Add "BAD RCVD" - Add "Match Field"
Field: Received
Value: klaviyomail\.com
Then the "BAD RCVD" Object is added to the new rule "Block RCVD" with Action "Quarantine" (replace with "Block" after testing)

Thank you Badej, I appreciate your advice. I have added this change and it has been working so far as expected at least on the last dozen or so that came in over this short period. I basically was missing the correct terminology in the entry 'Field' (Received)

Are you aware of some sort of list available that shows all the 'Field' word options for the Match Fields?