Changing postfix settings on Synology DSM

Those which are not available via UI

I recently started collecting spammers' domains in my own (little) DNS blocklist. Note that it's a blocklist of domains that they use, not IP addresses.

Unlike IP addresses, which spammers can rent just for a few hours, after which IP address might go to a good sender, domain names, when registered by a spammer, keep belonging to them for at least one year, What makes them a good candidate for a low-effort long-living blocklist.

Also, I already have a DNS server in my infra, and a DynDNS server that uses that DNS server's API, so it wasn't that hard.

And one of my friends, who's actually in spam-busting business, wanted to use it to block some well-known spammers, too. But he's using Synology DSM, instead of simply self-hosting Postfix like I do.

How hard can it be to add my blocklist there? :-)

Luckily, Synology provides¹ "Mail Server" app package which actually uses Postfix under the hood and even lets you add DNS blocklists via UI, both traditional (which check IP address of connecting client server) and RHSBL blocklists. However, in case of RHSBL blocklists, it actually adds them as postfix reject_rhsbl_client setting, which checks client hostname (I'm still not sure what exactly it means: PTR? HELO?).

But we would like to use reject_rhsbl_sender setting, instead, which checks the domain that email claims to be coming from, which is what my blocklist is actually for.

Luckily, Synology Mail Server lets you overwrite postfix settings by creating a file /var/packages/MailServer/etc/customize/postfix/main.cf with settings which you would like to overwrite.

So you can simply:

1. Find out your current value of smtpd_recipient_restrictions setting:

   grep ^smtpd_recipient_restrictions /var/packages/MailServer/target/etc/main.cf
   

2. Edit it to your liking (for example, add reject_rhsbl_sender rhsbl.shpakovsky.ru at then end, but remember to separate it from previous statement with comma)

3. Write your setting to /var/packages/MailServer/etc/customize/postfix/main.cf file

4. Restart Synology Mail Server and see that your settings got applied

5. Preferably check that everything is right (at the very least that postfix is still running and mail gets delivered)

And remember that from now on, your spam-busting settings are managed not via UI, but via this config file :-)

Alternative way

Before I learned about postfix customisation file, I found the following way of modifying postfix config. I would not recommend following it, but preserve it here for historical value:

Replace the Postfix executable with a shell script that makes the necessary modification and then runs Postfix:

1. Rename master to master.orig:

   sudo mv /var/packages/MailServer/target/libexec/master{,.orig}
   

2. Create a master file with the following content:

   #!/usr/bin/env bash
   
   # in lines containing $where, replace $from with $to
   
   where='smtpd_recipient_restrictions'
   from='reject_rhsbl_client rhsbl.shpakovsky.ru'
   to='reject_rhsbl_sender rhsbl.shpakovsky.ru'
   file=/var/packages/MailServer/target/etc/main.cf
   
   sed -i "/$where/s/$from/$to/" "$file"
   
   exec -a "$0" "$0.orig" "$@"
   

3. Make it executable, and you’re done:

   sudo chmod a+x /var/packages/MailServer/target/libexec/master
   

4. Restart Mail Server app and check that desired config change is there:

   grep ^smtpd_recipient_restrictions /var/packages/MailServer/target/etc/main.cf
   

This way, your changes are likely to persist until next time you update or reinstall MailServer.