Hi,

> reject_unknown_client_hostname :
>> Is it common practice to have that restriction in a production
>> environment?
[...]
> Note, from the documentation suggested for you, that there are
> different conditions which trigger reject_unknown_client_hostname.
> Mine was lack of PTR, which also triggers the less aggressive
> reject_unknown_reverse_client_hostname restriction. This is fairly
> common, and IMO, a pretty likely spam sign. Given my experience, I
> think it is time to use reject_unknown_reverse_client_hostname. At
> least you know you're not alone in enforcing that policy.

In this thread from just last June, the consensus was that it still
rejected too much mail:

http://www.mail-archive.com/postfix-users@postfix.org/msg12683.html

It was only from a few users, but wonder what their experience is
almost a year later.

In any case, I can't even test it, because apparently my postfix
doesn't even understand "warn_if_reject". It silently ignored it, and
silently stopped accepting mail until I realized there were two hundred
messages in the queue after five minutes on a Sunday :-) Most of it was
spam anyway :-)

> Most spam is going to come from malware-infected Windows machines or
> other compromised hosts being used as a zombie. There are many useful
> strategies in dealing with those, including Spamhaus Zen and
> reject_non_fqdn_helo_hostname. reject_unknown_reverse_client_hostname
> is also very effective, as I think some ISPs might deliberately not
> provide reverse DNS for their dynamic ranges.
>
> Most of the rest of it is going to come from large "snowshoe" ranges.
> These networks will typically have perfect FCrDNS for every IP
> address.

....and you're saying the reject_unknown_reverse_client_hostname
wouldn't help here, if I understand correctly?

>> reject_maps_rbl,
>
> Old syntax, could be good or could be disastrous. Switch to the "new"
> syntax (new since Postfix 2.0 IIRC) of "reject_rbl_client zone.name".

Do you have any (postfix v2) restrictions that we haven't yet seen here
that would be worth sharing for this topic?

> At this point I'm only using zen.spamhaus.org, but I might be adding
> spameatingmonkey. Most important advice regarding DNSBLs is to be

I'm also using just those, and also considering
bb.barracudanetworks.org to reject at SMTP time. How do you think it
compares?

> familiar with their policies and aware of their status. Given the
> dominance of ancient syntax in your restrictions, I wouldn't be
> surprised to see some dead lists among your maps_rbl_domains. :)

I'm somewhat familiar with those, but do you know of a location that
describes the policies of the top five URI and DNS blocklists in one
place? That would sure be useful.

Thanks again for helping me to understand. Certainly upgrading is a top
priority.

Best regards,
Alex
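
The difference between the two restrictions discussed in this message, as an added example that is not part of the original thread: it classifies a client IP by its reverse/forward DNS state and reports which restriction would reject it, so the impact of each can be counted offline over a list of client addresses. The DNS data, the connection list and the `classify`/`tally` helpers with their lookup hooks are constructed for illustration; temporary DNS errors are not modelled.

```python
import ipaddress
from collections import Counter

REVERSE = "reject_unknown_reverse_client_hostname"
CLIENT = "reject_unknown_client_hostname"

# Constructed DNS data using documentation ranges; not real hosts.
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.org",    # PTR and matching A record
    "192.0.2.20": "dyn-20.example.net",  # PTR, but the name does not resolve
    "192.0.2.30": "mx.example.com",      # PTR, but A points to another IP
}                                        # 192.0.2.40: no PTR at all
SAMPLE_A = {
    "mail.example.org": {"192.0.2.10"},
    "mx.example.com": {"198.51.100.5"},
}


def classify(ip, ptr_lookup=SAMPLE_PTR.get, addr_lookup=SAMPLE_A.get):
    """Return (state, restrictions that would reject this client).

    ptr_lookup(ip) -> hostname or None; addr_lookup(name) -> set of IPs or
    None. Both are hypothetical hooks so a real resolver can be swapped in.
    """
    ip = str(ipaddress.ip_address(ip))   # validate and normalise the address
    name = ptr_lookup(ip)
    if not name:                         # no address->name mapping
        return "no_ptr", [REVERSE, CLIENT]
    addrs = addr_lookup(name)
    if not addrs:                        # name->address mapping fails
        return "forward_missing", [CLIENT]
    if ip not in addrs:                  # name maps to a different address
        return "forward_mismatch", [CLIENT]
    return "fcrdns_ok", []               # full FCrDNS passes both checks


def tally(client_ips):
    """Count how many connections each restriction would have rejected."""
    hits = Counter()
    for ip in client_ips:
        hits.update(classify(ip)[1])
    return hits


if __name__ == "__main__":
    # Constructed connection list, e.g. client IPs pulled from a mail log.
    seen = ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "192.0.2.40"]
    for ip in sorted(set(seen)):
        print(ip, *classify(ip))
    print(dict(tally(seen)))
```

A client with complete FCrDNS, as described for the "snowshoe" ranges, falls in the `fcrdns_ok` state and is rejected by neither restriction.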