RFC Ignorant

Notes on protocol hygiene, mail operations, and why standards matter.

Postfix: Building your own DNSRBL / RHSBL

A practical approach to running your own DNSRBL/RHSBL checks in Postfix.

Summary

Postfix can query custom DNS-based blocklists (DNSRBL/RHSBL) so that local policy, not a third party, decides when to defer a message. The workflow hinges on reliable zone hosting and predictable response codes.

Minimal architecture

An in-house list needs two components: a publication zone served by an authoritative DNS server and automation that keeps the zone synchronized with your abuse desk data. TXT answers should document why an entry exists. For RHSBL data, publish wildcard records under the violating domain.
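As an added illustration of the "automation" half of that architecture (this is example code, not anything from the original article or from kernel-error.de), the script below turns a constructed abuse-desk list into the listing records of such a zone. It assumes a hypothetical zone name rbl.example.net, the conventional 127.0.0.2 "listed" answer, a short TTL, and that SOA/NS records live in a separate zone header which $INCLUDEs this output. IPv4 entries get their octets reversed, domain entries get a wildcard so subdomains of the violator are covered, and every entry carries a TXT record stating why it is there.

```python
"""Generate DNSRBL/RHSBL listing records from abuse-desk data.

Added example, not code from the original article. Zone name, answer
code, TTL and the abuse data below are all assumptions/constructed.
"""
import ipaddress

ZONE = "rbl.example.net"   # hypothetical zone name
LISTED = "127.0.0.2"       # conventional "listed" A answer
TTL = 300                  # short TTL so removals propagate quickly

# Constructed abuse-desk data: (entry, reason). Addresses are from the
# RFC 5737 documentation ranges; the domain is a reserved example name.
ABUSE_DATA = [
    ("192.0.2.10", "open relay observed"),
    ("198.51.100.0/24", "bulk sender, provider contacted"),
    ("example.org", "spamvertised domain"),
]


def rbl_name(ip: str, zone: str = ZONE) -> str:
    """DNSRBL query name for an IPv4 address: octets reversed under the zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def rhsbl_name(domain: str, zone: str = ZONE) -> str:
    """RHSBL query name for a domain: the domain itself, lowercased, under the zone."""
    return domain.rstrip(".").lower() + "." + zone


def records_for(entry: str, reason: str, zone: str = ZONE):
    """Return (owner, ttl, type, rdata) tuples for one abuse-desk entry."""
    txt = f'"{reason}"'
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Not an address or prefix: an RHSBL domain. Publish the name and a
        # wildcard below it so subdomains of the violating domain match too.
        owner = rhsbl_name(entry, zone)
        return [
            (owner, TTL, "A", LISTED), (owner, TTL, "TXT", txt),
            ("*." + owner, TTL, "A", LISTED), ("*." + owner, TTL, "TXT", txt),
        ]
    if net.version != 4:
        raise ValueError("IPv6 listings are not handled in this example")
    if net.prefixlen < 24:
        # Guard against accidentally listing a whole provider.
        raise ValueError("refusing to expand prefixes shorter than /24")
    out = []
    for host in net:  # a /32 yields one address, a /24 all 256
        owner = rbl_name(str(host), zone)
        out.append((owner, TTL, "A", LISTED))
        out.append((owner, TTL, "TXT", txt))
    return out


def zone_records(data=ABUSE_DATA, zone: str = ZONE) -> str:
    """Render every entry as zone-file lines with fully qualified owner names.

    Only listing records are emitted; the SOA/NS header is assumed to be
    kept elsewhere and to $INCLUDE this file.
    """
    lines = [f"$TTL {TTL}"]
    for entry, reason in data:
        for owner, ttl, rtype, rdata in records_for(entry, reason, zone):
            lines.append(f"{owner}.\t{ttl}\tIN\t{rtype}\t{rdata}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(zone_records(), end="")
```

The rbl_name and rhsbl_name helpers are also the names to feed to dig when verifying that the published zone answers as expected.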

Postfix integration

Within main.cf, the smtpd_recipient_restrictions (or smtpd_client_restrictions) stanza can include reject_rbl_client or reject_rhsbl_reverse_client entries that point at your DNS zones. Treat lookups as policy hints: log the result, annotate the queue record, and prefer 450-style temporary failures unless you are sure about the classification.
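An added main.cf fragment (example configuration, not taken from the article or from kernel-error.de) that wires such checks in along those lines. The zone names rbl.example.net and rhsbl.example.net are hypothetical; the parameters used (warn_if_reject, reject_rbl_client with a =d.d.d.d answer filter, reject_rhsbl_reverse_client, maps_rbl_reject_code, default_rbl_reply) are standard Postfix features.

```conf
# Added example: in-house DNSRBL/RHSBL checks in the recipient stage.
# Zone names are placeholders; replace them with your own zones.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    # warn_if_reject only logs what the IP list would have rejected,
    # which is the "policy hint" mode while the list is being tuned.
    warn_if_reject reject_rbl_client rbl.example.net=127.0.0.2,
    # Reverse-hostname check against the RHSBL zone.
    reject_rhsbl_reverse_client rhsbl.example.net,
    permit

# Temporary failure (450) instead of the default 554 so that a wrong
# classification only delays mail rather than bouncing it.
maps_rbl_reject_code = 450

# Include the TXT record text from the zone in the SMTP reply so the
# remote operator can see why the entry exists.
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] listed in $rbl_domain${rbl_reason?; $rbl_reason}
```

Once the log shows only expected hits, dropping the warn_if_reject prefix switches the IP list from logging to actually deferring.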

Operational notes

Keep the DNS TTL short enough to support fast removals. Monitor query volume and NXDOMAIN rate so you detect typos from remote MTAs. If the list is only intended for internal use, restrict zone transfers and avoid wildcard wildfires that would block entire providers.

Further reading (German)

Mein DNSRBL / RHSBL für Postfix – kernel-error.de

Keywords

Postfix, DNSRBL, RHSBL, RBL, spam filtering