On 2024-03-17 at 05:55:43 UTC-0400 (Sun, 17 Mar 2024 10:55:43 +0100)
Matus UHLAR - fantomas via Postfix-users <uh...@fantomas.sk>
is rumored to have said:
> On 15.03.24 15:06, Noel Jones via Postfix-users wrote:
>> Postscreen by design only looks at the IP, and has no mechanism to
>> consider other envelope data.
>>
>> The solution is to not use a DNSBL that routinely blocks wanted mail
>> in postscreen.
>
> Or, set postscreen_dnsbl_threshold high enough so it does not rely on
> listing in a single list. You could e.g. set up:
>
> postscreen_dnsbl_sites =
>     zen.spamhaus.org=127.0.0.[0..255]
>     dnsbl.sorbs.net=127.0.0.[0..255]
>     bl.spamcop.net=127.0.0.2
>     list.dnswl.org=127.0.[0..255].[0..255]*-1
>     list.dnswl.org=127.0.[0..255].3*-1
> postscreen_dnsbl_threshold=2
>
> maybe if you trust spamhaus enough, append *2 to it

It is not about "trusting spamhaus" but rather understanding what
Spamhaus intends the Zen aggregate to be. It is unsuitable for
postscreen *by design* if you treat any last octet as a hit. The same
problem exists for SORBS and SpamCop. The unwanted hits you might get out
of some of the Zen subcomponents stand a real chance of being hit for
the same reasons by the others. They are not entirely independent
factors.

Concretely: that combination is likely to cause you to block individual
random behemoth mailbox provider outputs and chunks of VPS hosting space
including non-spammers for hours to days at a time. That risk may be
acceptable for some sites, but it goes well beyond postscreen's explicit
design intent.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
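
Added example, not part of the original messages and not Postfix code: a small Python model of how postscreen scores a client against the quoted postscreen_dnsbl_sites entries (each matching entry adds its weight once), showing how two any-last-octet hits reach the threshold of 2. The DNS replies in SHARED and the narrower filter in NARROWED are constructed for illustration.

```python
import re

# The postscreen_dnsbl_sites entries and threshold quoted in the thread.
SITES = """zen.spamhaus.org=127.0.0.[0..255]
dnsbl.sorbs.net=127.0.0.[0..255]
bl.spamcop.net=127.0.0.2
list.dnswl.org=127.0.[0..255].[0..255]*-1
list.dnswl.org=127.0.[0..255].3*-1""".split()
THRESHOLD = 2

def parse_entry(entry):
    """Split 'domain=filter*weight' into (domain, filter or None, weight)."""
    entry, _, weight = entry.partition("*")
    domain, _, filt = entry.partition("=")
    return domain, filt or None, int(weight) if weight else 1

def octet_matches(spec, value):
    """spec is a number, or '[a;b..c]': ';'-separated numbers and ranges."""
    if not spec.startswith("["):
        return int(spec) == value
    for item in spec[1:-1].split(";"):
        lo, _, hi = item.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(filt, reply):
    """True when every octet of the A-record reply matches the filter."""
    specs = re.findall(r"\[[^\]]*\]|\d+", filt)
    octets = [int(o) for o in reply.split(".")]
    return len(specs) == len(octets) == 4 and all(map(octet_matches, specs, octets))

def score(replies, sites=SITES):
    """replies: {dnsbl domain: [A-record replies]}; each entry counts once."""
    total = 0
    for domain, filt, weight in map(parse_entry, sites):
        answers = replies.get(domain, [])
        if any(filt is None or reply_matches(filt, r) for r in answers):
            total += weight
    return total

# Constructed replies: one client listed by two DNSBLs with differing last octets.
SHARED = {"zen.spamhaus.org": ["127.0.0.10"], "dnsbl.sorbs.net": ["127.0.0.6"]}
# Constructed variant: same entries, but the first filter accepts fewer octets.
NARROWED = ["zen.spamhaus.org=127.0.0.[2..3]"] + SITES[1:]

if __name__ == "__main__":
    print("any last octet:", score(SHARED), ">= threshold:", score(SHARED) >= THRESHOLD)
    print("narrowed filter:", score(SHARED, NARROWED))
```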