These instructions have only been lightly tested but should give a good overview of how to configure your Postfix server to only allow deliveries from SpamHero IP addresses. These instructions should work for Postfix v2.2 and newer.
Before getting started, confirm that your domain is configured to use the SpamHero static delivery IPs.
- From within the SpamHero control panel go to Settings > Delivery Mail host or use this shortcut: https://www.spamhero.com/cp/settings/mail-host
- On the Delivery mail host page, switch your Mail host configuration to Mail host will only accept email from specific IPs or on a specific port. Doing so will ensure that we always use the same IPs to deliver your mail. You can also find the most current list of IP addresses here as well:
Always make a backup copy of your Postfix configs before making any changes details
sudo tar -czvf /etc/postfix-beforeSpamHeroUpdate.tar.gz /etc/postfix
If something goes wrong and you need to revert all changes, use this line:
sudo tar -xzvf /etc/postfix-beforeSpamHeroUpdate.tar.gz -C /etc/
- Open the Postfix configuration file, usually located at
/etc/postfix/main.cf, in a text editor with administrative privileges.
- Add or modify the following settings:
If any of these settings already exist, do not replace them. Instead, add the associated values to the end of the same line (without introducing any duplicate values). For example, if your config already has
smtpd_recipient_restrictions then copy the values from the settings below to the end of the existing config line and then remove repeat values so that
reject remains at the end of the line.
# Only accept deliveries to local users from these IP addresses
smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/client_ip, reject
# Only allow relaying from trusted IP addresses
smtpd_relay_restrictions = permit_mynetworks, reject
# Specify the allowed IP addresses and ranges for deliveries to local users
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/client_ip
# Specify the network masks for the allowed IP addresses and ranges
smtpd_authorized_xforward_hosts = cidr:/etc/postfix/client_ip
- Save and close the
- Create or modify the file
/etc/postfix/client_ip with the following IP ranges (add your own authorized IP addresses to this list as well):
As of February 24, 2023, this includes IP addresses that have yet to be officially published in the SpamHero control panel (but should be soon).
- Save and close the
- Use the
postmap command to create a hashed database file for the
sudo postmap /etc/postfix/client_ip
- Reload the Postfix configuration by running:
With these settings, Postfix should only accept deliveries to local users from SpamHero IP addresses and ranges, and it will reject any delivery attempts from other IP addresses.