Postallow: Keeping Legitimate Mail Out of Postscreen’s Way
Running your own mail server is one of those projects that just keeps giving. There’s always something to tweak, something to learn, something to improve. And every now and then, you stumble across a tool that quietly makes the whole thing better. Every now and then you’re also waiting for a one-time password to arrive by email. Thirty seconds pass. A minute. The OTP form is staring at you, the clock is ticking, and the code hasn’t arrived yet. That’s greylisting doing its job — on the wrong mail. This is one of those stories.
Background: How I Got Here
I’ve been running my own mail server for a while now — long enough that it just feels like a normal part of my infrastructure. When Michael W Lucas announced Run Your Own Mail Server, I picked it up not because I needed to get started, but because I wanted to get better. Lucas has a gift for making complex topics approachable without dumbing them down, and RYOMS delivered — I came away with a handful of ideas I hadn’t considered and a few configurations I quietly went back and improved.
One of those ideas was Postwhite, a tool Lucas mentions alongside his Postscreen configuration. Postwhite is no longer maintained, so I picked it up, dusted it off, and have been maintaining it as Postallow since. That’s what this post is about.
The Problem: Postscreen Is a Blunt Instrument (By Design)
Postscreen sits in front of Postfix’s SMTP daemon and runs a gauntlet of checks against every incoming connection before it ever gets to the point of receiving mail. It checks DNS blocklists, tests for protocol compliance, enforces greeting delays, and generally makes life difficult for the kind of low-effort spam bots that make up the bulk of internet noise.
My Postscreen configuration looks something like this:
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -2
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
    <snip>.zen.dq.spamhaus.net=127.0.0.[2..255]*3
    <snip>.authbl.dq.spamhaus.net=127.0.0.[2..255]*2
    psbl.surriel.com=127.0.0.[2..255]*2
    dnsrbl.swinog.ch=127.0.0.[2..255]*2
    <snip>.spam.spamrats.com=127.0.0.38*2
    <snip>.noptr.spamrats.com=127.0.0.37
    <snip>.dyna.spamrats.com=127.0.0.36
    swl.spamhaus.org*-4
    list.dnswl.org=127.0.[0..255].[1..3]*-4
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_bare_newline_enable = yes
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen-allow.cidr,
    cidr:/etc/postfix/postscreen_spf_allowlist.cidr
That last bit — postscreen_access_list — is where Postallow comes in. But let me explain the problem first.
A note on the <snip> placeholders: the Spamhaus DQS (Data Query Service) blocklists, Spamrats, and some others require a personal access code, which is embedded directly in the DNS query hostname. Think of it like an API key baked into the lookup, which is why it is snipped out here. You get it when you register (which is free).
Postscreen is deliberately aggressive. That’s the point. But large legitimate senders — think Google, Mailchimp, SendGrid, Brevo, and their ilk — often send from IP ranges that can trip Postscreen’s checks. They rotate IPs frequently, use massive shared infrastructure, and sometimes don’t play nicely with greylisting. The result: that OTP you’re waiting for is sitting in a greylist queue somewhere, and the form has already timed out. The classic fix is an allowlist — a list of IP addresses that Postscreen lets through without running its full gauntlet. But maintaining that by hand is a fool’s errand. These providers rotate their sending IPs constantly.
The Solution: Let SPF Records Do the Work
This is where Postallow’s insight comes in. Legitimate bulk mailers publish SPF records — DNS records that declare exactly which IP addresses are authorised to send mail on their behalf. Those records exist precisely to be machine-readable. Postallow queries the SPF records of a curated list of known legitimate mailers, extracts all the IP ranges, and compiles them into a CIDR allowlist that Postscreen can consume directly.
The result lands in /etc/postfix/postscreen_spf_allowlist.cidr, which is exactly what I have wired into my postscreen_access_list above. When a connection comes in from an IP on that list, Postscreen waves it through immediately — no DNSBL checks, no greeting delay, no protocol tests. It goes straight to Postfix’s SMTP daemon, where Rspamd and my other milters pick up the job of actually evaluating the mail.
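To make the SPF-to-CIDR step concrete, here is an added Python example; it is not Postallow’s own code, and the domain names and TXT records in it are constructed stand-ins for real DNS so it runs offline. It walks a record’s ip4:/ip6:, include: and redirect= terms with a loop guard and the RFC 7208 ten-lookup limit, and emits lines in the cidr: table format that postscreen_access_list reads.

```python
import ipaddress

# Constructed TXT records standing in for DNS so this runs offline; the
# domain names and addresses are made up, not those of any real mailer.
FAKE_TXT = {
    "mailer.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 "
                            "include:_netblocks.mailer.example ~all"],
    # redirect= points back to the top: a loop the walker has to survive
    "_netblocks.mailer.example": ["v=spf1 ip4:192.0.2.0/25 redirect=mailer.example"],
}
MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: at most 10 DNS-querying terms per evaluation


def spf_networks(domain, resolver=lambda n: FAKE_TXT.get(n, [])):
    """Networks the domain's SPF record authorises (pass-qualified terms only)."""
    nets, seen, budget = set(), set(), MAX_LOOKUPS

    def walk(name):
        nonlocal budget
        if name in seen or budget <= 0:
            return
        seen.add(name)
        budget -= 1
        records = [r for r in resolver(name) if r.lower().split()[:1] == ["v=spf1"]]
        if len(records) != 1:  # none or several records is a permerror: treat as no data
            return
        for term in records[0].split()[1:]:
            qualifier, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
            if qualifier != "+" or not term:
                continue  # fail/softfail/neutral terms never authorise a sender
            if term[:4] in ("ip4:", "ip6:"):
                try:
                    nets.add(ipaddress.ip_network(term[4:], strict=False))
                except ValueError:
                    pass  # malformed literal: skip it rather than allowlist garbage
            elif term.startswith("include:"):
                walk(term[8:].lower())
            elif term.startswith("redirect="):
                walk(term[9:].lower())
            # a:, mx: and ptr: need further hostname lookups and are not expanded here

    walk(domain.lower())
    return nets


def postscreen_cidr_table(domains, resolver=lambda n: FAKE_TXT.get(n, [])):
    """Merge every domain's networks into lines for a Postfix cidr: access table."""
    nets = set().union(*(spf_networks(d, resolver) for d in domains))
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [f"{n} permit" for n in list(v4) + list(v6)]
```

Writing the returned lines to the file named in postscreen_access_list and then asking the init system to reload Postfix is the remaining step; a domain with no valid SPF record simply contributes nothing.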
It’s worth being clear about what this does and doesn’t mean: Postallow gets legitimate senders past Postscreen’s blunt-instrument phase. The mail still goes through Rspamd, DKIM verification, SPF policy checking, and quota checks. The layered defence is still very much intact — we’re just not making Google’s mail servers sit in a queue to prove they’re not a zombie.
What’s New in Postallow
Postallow is a maintained fork of the original Postwhite, and it’s had some meaningful improvements since the original. Here’s a quick rundown:
- No Longer Runs as Root: This one matters quite a bit on a production server. The original Postwhite needed root privileges to reload Postfix after regenerating the allowlist. Postallow delegates the reload to the init system instead, so the tool itself can run as an unprivileged user. For anyone who cares about the principle of least privilege on a server that handles real mail, this is a meaningful improvement.
- APT Packaging: For Debian and Ubuntu users, Postallow can now be installed directly from an APT repository. A .deb package is built and published automatically on every release, which means you can install it with apt and get updates the same way. No more manually pulling from GitHub and hoping you remember to check back.
- Makefile-Based Installation: For everyone else — AlmaLinux, FreeBSD, anything else Unix-like — there’s now a Makefile with install and uninstall targets. All the helper scripts (scrape_yahoo, query_mailer_ovh) are included. I’ll admit this was partly an excuse to learn a bit more about autotools, but it makes the install genuinely straightforward on any supported platform.
- Man Pages: man postallow now works and reflects the installed version. Small thing, but the kind of polish that signals a tool is being properly maintained.
- Broader Platform Testing: CI now covers Ubuntu, Debian 13, AlmaLinux 9 and 10, and FreeBSD 15. Every change is tested across all of them. If it breaks on any of those platforms, I know about it before it reaches you.
- Bug Fixes: Several correctness and portability fixes have landed: POSIX-compatible seq instead of brace expansion (important for FreeBSD compatibility), properly quoted variable paths, fixed blocklist variable names, and a symlink-attack security fix in query_mailer_ovh.
Where It Fits In My Setup
To put it all together: my mail goes through these layers, roughly in order.
- Postscreen checks whether the connecting IP is on my local allowlists first (including the Postallow-generated CIDR file). If it’s allowlisted, it skips the rest of Postscreen entirely.
- If not allowlisted, Postscreen runs DNSBL scoring, greeting tests, and protocol compliance checks. Connections that score too high get rejected or deferred.
- Mail that makes it past Postscreen reaches Postfix’s SMTP daemon, where Rspamd does the heavy lifting — spam scoring, DKIM verification, and so on.
- policyd-spf applies SPF policy checks, and a quota daemon makes sure users aren’t over their limits.
Postallow makes layer 1 actually useful — without it, I’d either be maintaining that CIDR file by hand or greylisting mail from Google’s servers and wondering why my OTPs are arriving cold.
Closing Thoughts
I run a mail server because I find it genuinely interesting, because I value owning my own data, and because there’s a particular satisfaction in watching the logs and knowing exactly what’s happening to mail that arrives at my door.
Tools like Postallow are what make that sustainable. It’s small, it does one thing, it does it well.
I’d love for you to take a look at Postallow on GitHub, try it out, and let me know what you think. If you have any suggestions or find bugs, please do post them! I thank you in advance.
And if you’re looking to level up your mail server game generally, Michael W Lucas’ Run Your Own Mail Server remains an excellent companion.