I start greylisting on the firewall and that's OK, but should I implement
a dedicated system for rspamd and relay the "ok-Mails" from there to the
mail system, or simply run rspamd on the mail system and plug it in front of
the mail server, like Postfix?

Aha, so if you are using Postfix then there are plenty of anti-spam features
that truly reduce the amount of spam and almost wipe it all out
**during the SMTP session**: `man 5 postconf` and search for those
patterns (this is Postfix 3.1).
```
# NETWORK restrictions (smtpd_client_restrictions)
check_policy_service unix:private/policy
reject_unknown_client_hostname
check_client_access hash:/etc/postfix/client_access
reject_rbl_client ...
reject_unauth_pipelining
unknown_client_reject_code = 554
smtpd_data_restrictions = reject_unauth_pipelining
# HELO/EHLO restrictions
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
regexp:/etc/postfix/helo.regexp
# MAIL FROM restrictions
check_sender_access hash:/etc/postfix/sender_access,
reject_non_fqdn_sender,
reject_unknown_sender_domain
# RCPT TO restrictions
reject_non_fqdn_recipient,
reject_unknown_recipient_domain
unknown_address_reject_code = 554
```
If some spam comes through that, it is a pretty one (and even passed through
the SPF check). This already gets rid of 98% of the spam for me.
Adding rspamd or whatever milter on top of that would clearly get you to
99%. No greylisting is needed.

Eventually make sure STARTTLS is enabled so the MXs talk through TLS,
set up your SPF records for your domain and eventually set up DKIM.
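The following is an added example, not part of the original post or of Postfix: a small Python audit that parses `main.cf`-style text (including continuation lines) and reports which of the restrictions listed above are missing at each SMTP stage. The parameter names for the HELO, MAIL FROM and RCPT TO groups, the `smtpd_helo_required` check, the placeholder RBL domain and the sample configuration are assumptions made for the example.

```python
# Added example. Restriction names come from the post; the HELO, MAIL FROM and
# RCPT TO parameter names are assumed to be the standard Postfix ones.
EXPECTED = {
    "smtpd_client_restrictions":
        "reject_unknown_client_hostname reject_rbl_client reject_unauth_pipelining",
    "smtpd_helo_restrictions":
        "reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname",
    "smtpd_sender_restrictions": "reject_non_fqdn_sender reject_unknown_sender_domain",
    "smtpd_recipient_restrictions": "reject_non_fqdn_recipient reject_unknown_recipient_domain",
}

def parse_main_cf(text):
    """Parse 'name = value' lines, '#' comments and whitespace-led continuation lines."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a continuation
        if line[0] in " \t" and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            current, value = (part.strip() for part in line.split("=", 1))
            params[current] = value
    return params

def audit(text):
    """List the post's restrictions that the given main.cf text lacks."""
    params = parse_main_cf(text)
    findings = []
    for name, wanted in EXPECTED.items():
        tokens = params.get(name, "").replace(",", " ").split()
        findings += [f"{name}: missing {w}" for w in wanted.split() if w not in tokens]
    # Without smtpd_helo_required a client can skip HELO and with it the HELO checks.
    if "smtpd_helo_restrictions" in params and params.get("smtpd_helo_required") != "yes":
        findings.append("smtpd_helo_required is not yes")
    return findings

# Constructed sample configuration, not taken from the post.
SAMPLE = """\
smtpd_client_restrictions =
    check_policy_service unix:private/policy,
    reject_unknown_client_hostname,
    # a comment inside a continuation
    reject_rbl_client rbl.example.invalid
smtpd_helo_restrictions = reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
"""

print("\n".join(audit(SAMPLE)))
```

To audit a live system, pass the contents of `/etc/postfix/main.cf` to `audit()` instead of `SAMPLE`.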