On 7/09/24 19:25, Gilgongo via Postfix-users wrote:
> I notice Spamhaus say that for smaller hosts, RBL blocking at smtp level
> is not recommended, and instead it’s better to use a milter for RBL
> checking.
>
> https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/PublicMirrors/MTAs/030-Sendmail.html

First off you should be linking to the postfix doc, not the sendmail
one, but it says the same thing. What they're saying is not
specifically about using a milter vs native smtpd rbl blocking but
rather to use a comprehensive anti-spam solution that takes the rbl
listing into account as a part of the spam score. Do note that no
mention is made of postscreen here. The issue with this is that
comprehensive spam solutions such as SpamAssassin have to do deep
content scanning of each message and this ends up requiring a lot more
resources than would be required if you blocked via postscreen or even
via smtpd.

Postscreen has several advantages here in that it allows you to block
based on a weighted score, so that you can give each individual RBL a
score based on how reliable you believe it to be and then require a
certain score in order to actually block. It's not as comprehensive as
SpamAssassin but is more tunable than smtpd and a lot lighter weight, so
if you can eliminate a lot of spam based on postscreen RBL blocking then
you end up passing way fewer messages through to SpamAssassin and thus
considerably lessen the load on your system. SpamAssassin can then do a
more comprehensive (and decidedly more resource intensive) scan on the
remaining mail to flag the bulk of the rest.

FYI here's my postscreen RBL config:

postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2;4..11]*3
    zen.spamhaus.org=127.0.0.3*2 b.barracudacentral.org=127.0.0.2*2
    bl.spameatingmonkey.net=127.0.0.2*2 bl.spamcop.net=127.0.0.2
    psbl.surriel.com=127.0.0.2 bl.mailspike.net=127.0.0.[2;10..12]
    list.dnswl.org=127.0.[2..20].0*-2 list.dnswl.org=127.0.[2..20].1*-3
    list.dnswl.org=127.0.[2..20].[2..3]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1

Please don't just copy this yourself, but rather look into what each of
those settings does (read the docs referenced below) and look up each of
those RBLs to see for yourself what they do and if they have any special
requirements for their usage (some require registration, etc).

Reference: postconf(5), postscreen(8), POSTSCREEN_README

Peter
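
An added example, not part of the message above and not Postfix code: a simplified Python model of the weighted scoring the reply describes, applied to the posted postscreen_dnsbl_sites list and the two thresholds. The function names and the sample DNSBL replies in the usage comments are constructed for illustration, and the model does no DNS lookups.

```python
import re

# Site list copied from the postscreen_dnsbl_sites setting in the message above.
SITES = """
zen.spamhaus.org=127.0.0.[2;4..11]*3 zen.spamhaus.org=127.0.0.3*2
b.barracudacentral.org=127.0.0.2*2 bl.spameatingmonkey.net=127.0.0.2*2
bl.spamcop.net=127.0.0.2 psbl.surriel.com=127.0.0.2
bl.mailspike.net=127.0.0.[2;10..12]
list.dnswl.org=127.0.[2..20].0*-2 list.dnswl.org=127.0.[2..20].1*-3
list.dnswl.org=127.0.[2..20].[2..3]*-4
"""
BLOCK_THRESHOLD = 3    # postscreen_dnsbl_threshold: block at or above this score
ALLOW_THRESHOLD = -1   # postscreen_dnsbl_whitelist_threshold: skip tests at or below

def parse_sites(text):
    """Split each entry into (domain, filter or None, weight); weight defaults to 1."""
    entries = []
    for item in text.split():
        m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", item)
        if not m:
            raise ValueError(f"bad entry: {item}")
        entries.append((m.group(1), m.group(2), int(m.group(3) or 1)))
    return entries

def octet_matches(pattern, value):
    """Match one octet against a number or a [a;b..c] list of values and ranges."""
    for part in pattern.strip("[]").split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(filt, addr):
    """True when every octet of a returned A record fits the entry's filter."""
    octets = re.findall(r"\[[^\]]*\]|\d+", filt)
    return len(octets) == 4 and all(
        octet_matches(p, int(v)) for p, v in zip(octets, addr.split(".")))

def score(replies):
    """replies maps a DNSBL domain to the A records it returned for the client."""
    total = 0
    for domain, filt, weight in parse_sites(SITES):
        addrs = replies.get(domain, [])
        if any(filt is None or reply_matches(filt, a) for a in addrs):
            total += weight  # an entry counts once, however many records match
    return total

def verdict(total):
    if total >= BLOCK_THRESHOLD:
        return "block"
    return "skip tests" if total <= ALLOW_THRESHOLD else "continue tests"
```

For instance, score({"zen.spamhaus.org": ["127.0.0.3"]}) gives 2, which stays below the blocking threshold until another list adds to it, and a reply outside an entry's filter adds nothing.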