On Thu, Mar 17, 2011 at 10:59 AM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:
> On Wed, Mar 16, 2011 at 11:46:47PM -0500, Noel Jones wrote:
>
>>> if I configure postscreen to use DNSBL, may I remove the lines
>>> for DNSBL checking on main.cf for postfix? I understand
>>> enabling that on both postscreen and postfix is doing the same thing
>>> twice... Am I wrong?
>>>
>>
>> DNSBL checks can be removed from postfix main.cf if you do the same checks
>> in postscreen. No need to do the same checks twice. RHSBL (domain name)
>> checks will still need to be done in main.cf.
>
> I would caution against removing DNSBL lookups in smtpd(8).
>
> - postscreen whitelists hosts for some time, the DNSBL can change
>   in the meantime.
>
> - For newly admitted hosts, the main cost of the lookup is bringing
>   the data into the local DNS cache. A second lookup in smtpd(8)
>   shortly after the initial lookup in postscreen is very efficient.
>
> Not all the hosts listed in Zen are botnet zombies, some of them are
> snow-shoe spam networks, which are likely to have been sending mail for
> some time before they are listed.
>
> If however, the postscreen whitelist TTL is not "too long", on the plus
> side, one avoids the RBL lookup latency when the RBL is remote, and the
> impact on RBL accuracy may be low. So for large sites with local mirrors
> of RBL zones, there is no advantage to skipping the lookups, but smaller
> sites *may* find that postscreen RBL lookups are enough, but some metrics
> may be useful to determine the impact of doing the lookups only on first
> contact, and then intermittently.
>
> --
> Viktor.
I implemented Postscreen today. I'm really enjoying watching my maillog show how effectively it's working!

I'm glad we're discussing this, because I was also wondering whether or not I should comment out the reject_rbl_client lines in my main.cf. I have the following DNSBL/RHSBL entries in my main.cf:

    smtpd_recipient_restrictions =
        ...
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client psbl.surriel.com,
        reject_rhsbl_client dbl.spamhaus.org,
        reject_rhsbl_sender dbl.spamhaus.org,
        reject_rhsbl_helo dbl.spamhaus.org,
        ...

I had commented them out initially, but I'm convinced by Viktor's argument, and have uncommented the reject_rbl_client lines. I've also left the reject_rhsbl_* lines intact based on my understanding that Postscreen doesn't do those checks.

My Postscreen options in main.cf look like this:

    postscreen_access_list = permit_mynetworks,
        cidr:/etc/postfix/postscreen_access.cidr
    postscreen_dnsbl_threshold = 2
    postscreen_dnsbl_sites = b.barracudacentral.org*2,
        zen.spamhaus.org*2,
        psbl.surriel.com*2
    postscreen_dnsbl_action = enforce
    postscreen_greet_action = enforce

Am I correct in assuming that giving each of my postscreen_dnsbl_sites equal weighting at the threshold provides similar functionality as my reject_rbl_client entries?

I'm also curious as to what types of postscreen_dnsbl_sites usages and weights others are using with Postscreen, especially with the DNSBL reply filters (postscreen_dnsbl_sites = example.com=127.0.0.4). What are others using and what's working well for you?

SteveJ
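To make the weighting question concrete, here is a small model of the postscreen_dnsbl_sites scoring rule, added as an illustration and not code from this thread or from Postfix (Postfix's own logic lives in postscreen_dnsbl.c and is not reproduced): each site that lists the client adds its weight (default 1), an entry written domain=d.d.d.d counts only when the DNSBL answers with exactly that address, and the client is rejected once the sum reaches postscreen_dnsbl_threshold. The DNSBL replies are constructed, and the model assumes each site contributes its weight at most once.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Entry syntax of postscreen_dnsbl_sites: domain[=d.d.d.d][*weight]
SITE_RE = re.compile(r"^(?P<domain>[^=*,\s]+)(?:=(?P<filter>[\d.]+))?(?:\*(?P<weight>-?\d+))?$")


@dataclass(frozen=True)
class DnsblSite:
    domain: str
    reply_filter: Optional[str]  # None: any listing counts; else only this reply address counts
    weight: int                  # default 1; a negative weight acts as an allow-list vote


def parse_dnsbl_sites(value: str) -> List[DnsblSite]:
    """Parse a postscreen_dnsbl_sites value (comma/whitespace separated entries)."""
    sites = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        m = SITE_RE.match(token)
        if m is None:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {token!r}")
        sites.append(DnsblSite(m["domain"], m["filter"], int(m["weight"] or 1)))
    return sites


def dnsbl_score(sites: List[DnsblSite], answers: Dict[str, Set[str]]) -> int:
    """Sum the weights of the sites that list the client.

    answers maps a DNSBL domain to the A records it returned for the client
    (constructed inputs; a missing or empty entry means "not listed").
    Simplification: each site contributes its weight at most once."""
    score = 0
    for site in sites:
        replies = answers.get(site.domain, set())
        if not replies:
            continue
        if site.reply_filter is not None and site.reply_filter not in replies:
            continue  # listed, but not with the address this entry filters on
        score += site.weight
    return score


def postscreen_verdict(sites: List[DnsblSite], threshold: int, answers: Dict[str, Set[str]]) -> str:
    """'enforce' when the score reaches postscreen_dnsbl_threshold, otherwise 'pass'."""
    return "enforce" if dnsbl_score(sites, answers) >= threshold else "pass"
```

With every site weighted 2 against a threshold of 2, a single listing is enough to reach the threshold, which is the same outcome as any one reject_rbl_client hit; a threshold higher than any single weight would instead require two lists to agree before the client is rejected.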