On Tue, Apr 23, 2013 at 12:41 PM, /dev/rob0 <r...@gmx.co.uk> wrote:
> With those restrictions, you could just as well raise the
> corresponding postscreen_dnsbl_sites scores to 3 for each. ISTM that
> you're missing the point of scoring.
>
> Yes, as I mentioned, Zen and (for most domains) BRBL listings are
> good enough for outright rejection, but I would not do that for
> Spamcop nor PSBL. Both of those are driven by automated processes
> which could result in "false positives".

Thanks - I see that now. My smtpd_recipient_restrictions now include these as the final config options before "permit":

reject_rbl_client b.barracudacentral.org,
reject_rbl_client zen.spamhaus.org,
reject_rhsbl_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
reject_rhsbl_helo dbl.spamhaus.org,

And based on your excellent article on your site, I've updated my Postscreen settings to:

# POSTSCREEN OPTIONS v20130423
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr,
    hash:/etc/postfix/postscreen_whitelist
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites = zen.spamhaus.org*3,
    b.barracudacentral.org*2,
    bl.spameatingmonkey.net*2,
    dnsbl.ahbl.org*2,
    bl.spamcop.net,
    dnsbl.sorbs.net,
    psbl.surriel.com,
    bl.mailspike.net,
    swl.spamhaus.org*-4,
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-3
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4

I've got a few "older" (1994 - 1996) domains running on this server, with some email addresses that I'm sure are in some of those "1MM email addresses!" CD-ROMs from the 90s. So even though this is a "personal" server, there's plenty of spammer action trying to get through. Doing a tail -f on the maillog and watching Postscreen + the smtpd restrictions do their work is always a satisfying feeling!

Thanks again, rob0, for your excellent examples and willingness to educate. After monitoring these tweaks on my personal server for a bit, I'm going to deploy these to our production mail servers.

SteveJ
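
Added example, not part of the original message and not Postfix code: a simplified Python model of how postscreen sums the weights in the postscreen_dnsbl_sites value above and compares the total with postscreen_dnsbl_threshold. It assumes each entry contributes its weight once when any returned address matches its filter; the DNSBL replies are constructed sample values.

```python
import re

# postscreen_dnsbl_sites value copied from the message above.
SITES = """
zen.spamhaus.org*3, b.barracudacentral.org*2, bl.spameatingmonkey.net*2,
dnsbl.ahbl.org*2, bl.spamcop.net, dnsbl.sorbs.net, psbl.surriel.com,
bl.mailspike.net, swl.spamhaus.org*-4,
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
"""
THRESHOLD = 3  # postscreen_dnsbl_threshold from the message above

def parse_sites(value):
    """Split on commas/whitespace into (domain, filter or None, weight)."""
    entries = []
    for item in re.split(r"[,\s]+", value.strip()):
        item, _, weight = item.partition("*")
        domain, _, flt = item.partition("=")
        entries.append((domain, flt or None, int(weight or 1)))
    return entries

def octet_matches(pattern, octet):
    """pattern is a number or [a;b..c]: ';'-separated numbers or ranges."""
    for part in pattern.strip("[]").split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= octet <= int(hi or lo):
            return True
    return False

def reply_matches(flt, addr):
    if flt is None:
        return True  # no filter: any A record counts as a listing
    pats = re.findall(r"\[[^\]]*\]|\d+", flt)
    return all(octet_matches(p, int(o)) for p, o in zip(pats, addr.split(".")))

def score(replies, entries):
    """replies: {dnsbl domain: [A-record replies]}; sum the matching weights."""
    return sum(w for dom, flt, w in entries
               if any(reply_matches(flt, a) for a in replies.get(dom, [])))

def blocked(replies):
    return score(replies, parse_sites(SITES)) >= THRESHOLD

if __name__ == "__main__":
    # Constructed replies: two automated lists alone stay under the threshold.
    sample = {"bl.spamcop.net": ["127.0.0.2"], "psbl.surriel.com": ["127.0.0.3"]}
    print(score(sample, parse_sites(SITES)), blocked(sample))
```

With this configuration a Spamcop or PSBL listing alone cannot block a client, which is the point of leaving those lists at the default weight of 1.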