On Wed, Mar 21, 2012 at 04:07:43PM -0700, Mark S wrote:
> smtpd_client_restrictions = reject_rhsbl_client
> dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org,
> reject_rhsbl_helo dbl.spamhaus.org

This works fine as you have done it, but it might be easier at this
point to keep all restrictions under smtpd_recipient_restrictions.
Use multiple restriction stages if you need them, such as for
conditional whitelisting, but at this point you do not need that.

An example would be from my previous post, where I mentioned the
Hotmail NXDOMAIN PTR lookups; reject_unknown_reverse_client_hostname
could cause problems. A solution would be to move that out of
recipient and into client restrictions, preceded by a whitelist of
Hotmail/MSN clients:

    smtpd_client_restrictions = permit_mynetworks,
        check_client_access cidr:/etc/postfix/client_whitelist,
        reject_unknown_reverse_client_hostname

Where /etc/postfix/client_whitelist lists the IP ranges of Hotmail/MSN
clients with a "permit" or "OK" result.

> smtpd_recipient_restrictions = permit_mynetworks,
> reject_unauth_destination, reject_unknown_sender_domain,
> reject_unknown_reverse_client_hostname, reject_rbl_client
> zen.spamhaus.org, check_policy_service inet:127.0.0.1:10023

There are a couple other things I didn't mention before.

First, reject_non_fqdn_helo_hostname. Before starting with postscreen,
that alone took out ~25% of all my smtpd connections, spam zombies
each one. That should go after reject_unauth_destination. No real MTA
should ever be using a non-FQDN as HELO name.

Similarly, but not anywhere near as effective,
reject_invalid_helo_hostname. I have not known a false positive (in
terms of desired mail being blocked) from either of those in many
years of use.

Regarding Steve's comment about greylisting, it is still surely better
than no spam protection at all. When I disabled greylisting some years
back, I saw no measurable change in spam getting through to mailboxes.
Everyone's spam stream is different, so it could be that some sites
get important benefits from greylisting. Mine does not.

I do, however, use the postscreen after-220 tests now, which are
similar in effect to greylisting, without the enforced delay period
(whitelisted clients can try again immediately and be accepted).
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
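Putting the advice in this message together, here is an added example of a main.cf fragment (not from rob0's message, Mark's configuration, or the Postfix documentation). It keeps only the whitelist-guarded reverse-DNS check in the client stage, moves everything else, including Mark's rhsbl checks, into smtpd_recipient_restrictions, and places the two HELO checks directly after reject_unauth_destination. The CIDR range in the whitelist table is a placeholder; the thread does not give the actual Hotmail/MSN ranges, so they must be filled in locally.

```text
# /etc/postfix/main.cf (added example, not from the message above)

# Client stage: whitelist known senders whose PTR records are broken
# (the Hotmail/MSN case from the thread), then apply the reverse-DNS
# check to everyone else.
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/client_whitelist,
    reject_unknown_reverse_client_hostname

# Recipient stage: relay control first, then the cheap HELO checks the
# message says should follow reject_unauth_destination, then the
# DNS-based lookups and the policy service from Mark's original list.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_sender_domain,
    reject_rbl_client zen.spamhaus.org,
    reject_rhsbl_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023

# /etc/postfix/client_whitelist (a cidr: table, read directly by
# Postfix; it does not need postmap). The range below is a PLACEHOLDER
# from the documentation-only 192.0.2.0/24 block: replace it with the
# real Hotmail/MSN sender ranges before use.
192.0.2.0/24    permit
```

After editing, `postfix reload` picks up the new restriction lists; `postconf -n` shows the effective values and is a quick way to confirm that reject_unauth_destination still precedes every other reject_* entry in the recipient stage.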