On Wed, 26 Sep 2018 16:32:35 +0200 Aham Brahmasmi wrote:
> 1) Could you please suggest some script/mechanism that performs
> these DNS PTR == SMTP HELO, envelope-address-from-domains-have-MX et
> al checks with OpenSMTPD as the MTA?

Sorry Aham, I don't know of any.

OpenSMTPd's filter interface is not yet usable (last update 12/2014):
http://www.poolp.org/posts/2014-12-12/the-state-of-filters/

> I may be wrong here, but I could not see options to perform these
> useful checks in smtpd(8)/smtpd.conf(5) man pages.

About 2.5 years ago I evaluated changing my front line MTAs from Postfix
to OpenSMTPd, but found too much functionality missing then:

# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
No client ((r)DNS) client hostname restrictions:

smtpd_helo_restrictions =
        reject_invalid_helo_hostname
        reject_non_fqdn_helo_hostname
        reject_unknown_helo_hostname

smtpd_client_restrictions =
        reject_unknown_client_hostname

smtpd_sender_restrictions =
        reject_non_fqdn_sender
        reject_unlisted_sender
        reject_unknown_sender_domain

smtpd_recipient_restrictions =
        reject_non_fqdn_recipient
        reject_unlisted_recipient
        reject_unknown_recipient_domain

Postfix can reject (5XX) or defer (4XX) connections based on many DNS
parameters. See: http://www.Postfix.Org/postconf.5.html

Hack: modify greyscanner to handle white & black lists
Hack: SpamAssassin + relaydb (can't reject at SMTP CONNECT, must accept, parse & tag)

After failing to pass greylisting, bad DNS is the primary sign of spam.

Because DNS checks can be done at connection (before the DATA stage and
mail acceptance), they are very much faster and lighter weight than
shoving the entire mail through a heavy spam detection engine.

Running Unbound on each mail server, and having each mail server's
Unbound daemon refer to another upstream Unbound instance, is extremely
effective in caching the DNS lookups.

This is in contrast to EVERY mail being parsed by a spam detection
engine... way too resource intensive!

# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
No DNSBL weighting - http://www.Postfix.Org/postscreen.8.html

Hack: SpamAssassin + relaydb (can't reject at SMTP CONNECT, must accept, parse & tag)

# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Missing strict RFC checks (spam often doesn't conform to RFCs):

strict_7bit_headers = yes
strict_8bitmime = yes
strict_8bitmime_body = yes
strict_mime_encoding_domain = yes
strict_rfc821_envelopes = yes

Hack: SpamAssassin + relaydb (can't reject at SMTP CONNECT, must accept, parse & tag)

# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
No connection rate limiting:

smtpd_client_connection_count_limit = XX
smtpd_client_connection_rate_limit = XXX

Hack: pf

# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
No submission user authentication via Dovecot (e.g.: CRAM-MD5):

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth # chroot
smtpd_sasl_security_options = noanonymous, noplaintext

Hack: POP/IMAP before SMTP

# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

> In case greyscanner does this, please disregard this question. I came
> to know about greyscanner in this thread, but struggle with
> understanding perl.

I heavily modified greyscanner to do a lot of the DNS checks.

I found the script's current maintainer extremely reluctant to implement
even very small bug fixes & general improvements, so I didn't even bother
presenting the vast bulk of my mods.

But I stopped using greyscanner about 5 years ago after setting spamd to
be extremely aggressive, and deploying Postfix's new postscreen (written
in C).

> 2) Is IPv6 support in spamd essential?

I've not even begun to use IPv6 at all, for anything. I'm IPv4 only.

I hope to use OpenSMTPd on external mail servers some day.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
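The connection-time DNS checks discussed in this thread (the Postfix restriction names from the message above, plus the stricter "PTR name == HELO" test the original question asks for), written out as an added Python illustration that is not greyscanner, Postfix or OpenSMTPD code. DNS is abstracted behind a resolve(name, rtype) callable so the logic runs offline against a constructed lookup table; the IPv4-only reverse mapping, the FAKE_DNS contents and the function names are assumptions of this example.

```python
import re
from typing import Callable, List

# resolve(name, rtype) -> list of record strings ([] if none); swap in a real resolver in production.
Resolver = Callable[[str, str], List[str]]
_FQDN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\.?$", re.I)

def is_fqdn(name: str) -> bool:
    return len(name) <= 254 and bool(_FQDN.match(name))

def reverse_name(ipv4: str) -> str:
    """PTR owner name. Assumption: IPv4 only, matching the IPv4-only setup in the message."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def domain_exists(domain: str, resolve: Resolver) -> bool:
    """A HELO or sender domain counts as existing if it has MX, A or AAAA records."""
    return any(resolve(domain, rt) for rt in ("MX", "A", "AAAA"))

def check_session(client_ip: str, helo: str, mail_from: str, resolve: Resolver) -> List[str]:
    """Reasons to refuse the session (empty == accept); all answerable before DATA."""
    reasons = []
    ptrs = [p.rstrip(".").lower() for p in resolve(reverse_name(client_ip), "PTR")]
    confirmed = [p for p in ptrs if client_ip in resolve(p, "A")]  # forward-confirmed rDNS
    if not confirmed:                                   # reject_unknown_client_hostname
        reasons.append("unknown_client_hostname")
    helo_l = helo.rstrip(".").lower()
    if not is_fqdn(helo):                               # reject_non_fqdn_helo_hostname
        reasons.append("non_fqdn_helo_hostname")
    elif not domain_exists(helo_l, resolve):            # reject_unknown_helo_hostname
        reasons.append("unknown_helo_hostname")
    if confirmed and helo_l not in confirmed:           # stricter "PTR == HELO" test
        reasons.append("helo_does_not_match_rdns")
    if mail_from not in ("", "<>"):                     # null sender (bounces) is exempt
        sender_domain = mail_from.strip("<>").rpartition("@")[2].lower()
        if not is_fqdn(sender_domain):                  # reject_non_fqdn_sender
            reasons.append("non_fqdn_sender")
        elif not domain_exists(sender_domain, resolve): # reject_unknown_sender_domain
            reasons.append("unknown_sender_domain")
    return reasons

# Constructed lookup table for the offline demonstration: RFC 5737 documentation
# addresses and example.org, not real mail hosts.
FAKE_DNS = {
    ("1.2.0.192.in-addr.arpa", "PTR"): ["mx1.example.org."],
    ("mx1.example.org", "A"): ["192.0.2.1"],
    ("example.org", "MX"): ["10 mx1.example.org."],
}

def fake_resolve(name: str, rtype: str) -> List[str]:
    return FAKE_DNS.get((name.rstrip(".").lower(), rtype), [])
```

Each reason maps to a 4XX (defer) or 5XX (reject) response at CONNECT/HELO/MAIL time in a real MTA; with a local caching Unbound in front of the resolver, repeat offenders cost one cache hit rather than a full message parse.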