On Thursday 20 August 2009 22:56:31 Olivier Nicole wrote: > > I'm running postfix, amavisd-new and spamassassin. Currently in my > > postfix smtpd_recipient_restrictions right at the end last thing i have > > some rbl checks. I'm wondering if that's the best place for them or > > should i disable that and activate them in spamassassin? Suggestions > > welcome. > > This is a difficult question.
I disagree. First part I'd pick on is "some rbl checks". Know your DNSBL. Read their policies. Subscribe to announce lists if they offer it. Many HOWTOs you might find on the 'net show an assortment of DNSBLs being queried, and beginners quite foolishly copy that assortment without thought. Big mistake! The only DNSBL I would recommend for widespread use is Zen, http://www.spamhaus.org/zen/ . The "Caution" advised is easily addressed in Postfix by putting restrictions to permit relaying ahead of the reject_rbl_client lookup: precisely as Dave has it. But do note that there's a risk in using a DNSBL in content inspection. > Do you really 100% trust the rbl you are using to have no false > positive (some were listing gmail.com recently)? 1. Again, know your DNSBL. 2. Gmail is not squeaky clean, it's no surprise that they end up in DNSBLs at times. I think this was SORBS. They also get into the automated Spamcop DNSBL. It's not a "false positive", because they were listed for actually relaying spam. (Most of the 419's I see tend to come from gmail.) 3. If Zen makes a mistake or gets too aggressive, I guarantee yours will not be the only site blocking mail from that sender. The sending site is going to have to resolve the issue. 4. Quite often the real mail blocked by Zen is XBL. That's typically important as a wake-up call to the administrator of the blocked site; perhaps they have a virus or 37 spewing. (BTDT, myself.) 5. A reject_rbl_client "false positive" results in the sender getting an immediate bounce. The sender knows the mail was not delivered. Rejection in a post-queue content_filter requires the difficult choice: do you bounce, and risk getting yourself listed as a backscatter source? Or, do you deliver to quarantine, and risk having real mail lost in the deluge? Or, do you just give it all to our friend Dave Null, and ensure that real mail will be lost sooner or later? > If yes, the you can keep the rbl in postfix, it rejects the email > at earlier stage. > > If no, you better test rbl in SA, as the rbl test only contributes > to the final score. > > I personnally use the second. And that's a misuse of a good RBL. Sure, some of them are more appropriate in scoring. Don't use those with reject_rbl_client. It's also a huge waste of bandwidth and resources. It varies from site-to-site and even from user-to-user, but my rough unscientific estimate is that about 90% of all SMTP traffic is abuse. What is the point in filtering through all that garbage, only to make your mail less safe and reliable than it would have been, if using the DNSBL properly? The choice is clear, to me. -- Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
