Byung-Hee HWANG wrote:
> Hi, I'm not a serious hacker nor a power user for Postfix. I'm just
> using Postfix. Recently, I'm interested in setup ideal mail server for
> outgoing. Already I moved my mailbox to Google Apps because I could not
> handle so many spam. So now making receiving SMTP is not my concern.
> Only my concern is to make outgoing SMTP in perfect.
>
> As far as I know, here are many Postfix guru. So just I wish to hear
> various opinions about making outgoing SMTP perfectly. Whenever I have
> some times, I search about DKIM and RFCs for SMTP standard. What is the
> real point for ideal outgoing mail server? I investigate with some mail
> servers on the Internet, postfix.org's MX, isc.org's MX and
> freebsd.org's MX and gnu.org's MX, ietf.org's MX, mipassoc.org's MX,
> gmail.com's MX, some university's MXs, etc.
>
> After all, I thought that the conditions for perfect outgoing mail
> server are providing a correct rDNS and a correct signature as like DKIM
> and a correct certificate-based authentication as like TLS. Besides
> that, is there any the conditions? Well, I just curious about that..
>
Ideal and perfect refer to theoretical concepts that don't exist in practice :)

- your server should not be a source of spam (sending, forwarding, relaying, ...). Filtering and/or rate limiting outbound mail can help here.
- your server should not be a source of abusive mail practices (backscatter, including C/R, too many retries, ... etc)
- More generally, your server should not be a source of attacks of any sort (port scans, dictionary attacks, vulnerability probes, ...)
- you should make it easy for others to whitelist your server. This is particularly important if you are inside a "dirty network".
- you should be reachable and responsive (abuse@ and postmaster@).
- your network config should follow best practice: correct and meaningful rDNS. Unfortunately, this is not always possible, but times are getting hard for customers of ISPs without correct and/or custom rDNS, although things may change with IPv6.
- your server HELO should be "meaningful" (contrast with generic like ip4-ip3-ip2-ip1.isp.example), FQDN (not literal IP) and should resolve in DNS, preferably to the server IP.
- Use the submission port (587) with TLS+SASL.
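
The rDNS and HELO points in the reply above can be checked before a server goes live. The following is an added example, not part of the original thread or of Postfix: the function names, the generic-name heuristic and the sample hostnames and addresses are assumptions made for illustration.

```python
import ipaddress
import re
import socket

def _forward(name):
    # Default forward lookup via the system resolver (assumes live DNS).
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def _reverse(ip):
    # Default PTR lookup; None when the address has no rDNS.
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def looks_generic(name, ip):
    # Heuristic (assumption): all four IPv4 octets appear as numbers in the
    # name, e.g. 192-0-2-77.isp.example. Hex-encoded names are not caught.
    if ipaddress.ip_address(ip).version != 4:
        return False
    nums = [int(n) for n in re.findall(r"\d+", name)]
    return len(nums) >= 4 and all(int(o) in nums for o in ip.split("."))

def check_outbound_identity(helo, ip, forward=_forward, reverse=_reverse):
    """Return a list of findings; an empty list means every check passed."""
    name = helo.rstrip(".").lower()
    literal = re.sub(r"^ipv6:", "", name.strip("[]"))
    try:
        ipaddress.ip_address(literal)
        return ["HELO is an IP literal, not a hostname"]
    except ValueError:
        pass
    findings = []
    if "." not in name:
        findings.append("HELO is not fully qualified")
    if looks_generic(name, ip):
        findings.append("HELO looks like a generic ISP-assigned name")
    if ip not in forward(name):
        findings.append("HELO does not resolve to the server IP")
    ptr = reverse(ip)
    if ptr is None:
        findings.append("no rDNS (PTR) for the server IP")
    elif ip not in forward(ptr.rstrip(".").lower()):
        findings.append("rDNS name does not resolve back to the server IP")
    return findings

if __name__ == "__main__":
    # Constructed sample data (documentation address range), no DNS needed.
    zone = {"mail.example.org": {"192.0.2.25"}}
    ptrs = {"192.0.2.25": "mail.example.org"}
    print(check_outbound_identity("mail.example.org", "192.0.2.25",
                                  lambda n: zone.get(n, set()), ptrs.get))
```

Called with only a HELO name and an IP address, the function uses the system resolver; the `forward` and `reverse` parameters exist so the checks can be run against a fixed table.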