Andy Dills wrote:
I've been investigating postscreen, as we've been address probed/bombed for years, as we have a few domains that are very old (well, early 90s) that had a lot of users back in the dialup days. Our approach was to just throw hardware at the problem, and we've had a whole cluster of servers just sending out 550s all day long for years now.

We don't do any RBL checks at the postfix level; we have amavisd-new handle all of that via spamassassin. I'm hesitant to allow a single blacklist to determine the fate of mail acceptance, especially when we have a very low false negative rate with amavisd/SA. Essentially, we'd rather throw hardware at the problem than potentially reject legit mail.

My primary question is, would we see significant improvement by using postscreen if we don't use RBLs?

Also, would postscreen_cache_map work with a mysql backend?

Thanks,
Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
Using things like amavisd and SpamAssassin, besides being very costly in terms of performance, is far more vulnerable to security exploits than rejecting as many connections as possible at an earlier time. I have used the various checks for valid domain names, HELO names, etc., in conjunction with the RBLs to minimize scanning with SpamAssassin. I use restriction classes to define more and less conservative policies for different domains and even specific users when necessary.

smtpd_restriction_classes = restrictive, permissive

restrictive =
       reject_rbl_client zen.spamhaus.org
       reject_rbl_client dul.dnsbl.sorbs.net
       reject_rbl_client bl.spamcop.net

permissive =
       reject_rbl_client pbl.spamhaus.org
       reject_rbl_client dul.dnsbl.sorbs.net


      check_recipient_access hash:/etc/postfix/smtpd_recipient_access

smtpd_recipient_access contains:
mydomain.com                 restrictive
# I get the abuse mail and don't want to see a lot of spam
ab...@otherdomain.com       restrictive
otherdomain.org              permissive
127.0.0.1                       OK


The permissive class is very conservative and should cause practically no false positives. Even my restrictive class includes RBLs known to have extremely low false positive rates. Spamhaus is known to be one of the most accurate RBLs, with an excellent hit rate and low false positives. If you have a large site, check their web pages, since they do charge for high volume query rates and will block your access if you exceed the free limit.

Nataraj
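
Added example (not part of the original post or of Postfix): a simplified Python model of how a check_recipient_access table selects a restriction class per recipient, showing that a per-address entry wins over its domain's entry. The table entries and function names are constructed for illustration; address extensions and other access(5) pattern types are ignored.

```python
# Simplified model of a Postfix access(5) lookup for check_recipient_access.
# Class names and RBL lists follow the message above; the table entries
# and all function names are constructed for this example.
CLASSES = {
    "restrictive": ["zen.spamhaus.org", "dul.dnsbl.sorbs.net", "bl.spamcop.net"],
    "permissive": ["pbl.spamhaus.org", "dul.dnsbl.sorbs.net"],
}

ACCESS_TABLE = {  # constructed sample entries
    "example.com": "restrictive",
    "abuse@example.org": "restrictive",
    "example.org": "permissive",
}

def lookup_keys(recipient, parent_matches_subdomains=True):
    """Yield keys in the order they are tried: user@domain, domain,
    parent domains, then user@. The flag models smtpd_access_maps being
    listed in parent_domain_matches_subdomains (the Postfix default)."""
    local, _, domain = recipient.lower().rpartition("@")
    yield f"{local}@{domain}"
    yield domain
    if parent_matches_subdomains:
        labels = domain.split(".")
        for i in range(1, len(labels)):
            yield ".".join(labels[i:])
    yield f"{local}@"

def resolve(recipient, table=ACCESS_TABLE):
    """Return (matching key, class name), or (None, None) when nothing
    matches and the next restriction in the list would be evaluated."""
    for key in lookup_keys(recipient):
        if key in table:
            return key, table[key]
    return None, None

def rbl_checks(recipient, table=ACCESS_TABLE):
    """RBL zones that would be queried for this recipient."""
    _, action = resolve(recipient, table)
    return CLASSES.get(action, [])

if __name__ == "__main__":
    for rcpt in ("abuse@example.org", "bob@example.org",
                 "bob@mail.example.com", "bob@unlisted.test"):
        print(rcpt, resolve(rcpt), rbl_checks(rcpt))
```
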