On 28.01.2015 at 20:08, srach wrote:
28. Jan 2015 18:43 by li...@rhsoft.net <mailto:li...@rhsoft.net>:

    besides that greylisting is harmful in case of large sending
    clusters not returning with the same IP while re-try a deferred
    message postscreen can do this more or less as side effect with deep
    protocol tests

Yes I see that opportunity in Postscreen.

I do understand the warning for the large clusters.  Then I have to be
careful for choosing domains I know.  For some I care, but for some I
do not.

honestly with postscreen (without deep protocol tests) and rbl-scoring (DNSBL as well as DNSWL) there is no point for greylisting at all

postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
 b.barracudacentral.org=127.0.0.2*7
 dnsbl.inps.de=127.0.0.2*7
 bl.mailspike.net=127.0.0.2*5
 bl.mailspike.net=127.0.0.[10;11;12]*4
 dnsbl.sorbs.net=127.0.0.10*8
 dnsbl.sorbs.net=127.0.0.5*6
 dnsbl.sorbs.net=127.0.0.7*3
 dnsbl.sorbs.net=127.0.0.8*2
 dnsbl.sorbs.net=127.0.0.6*2
 dnsbl.sorbs.net=127.0.0.9*2
 zen.spamhaus.org=127.0.0.[10;11]*8
 zen.spamhaus.org=127.0.0.[4..7]*6
 zen.spamhaus.org=127.0.0.3*4
 zen.spamhaus.org=127.0.0.2*3
 hostkarma.junkemailfilter.com=127.0.0.2*3
 hostkarma.junkemailfilter.com=127.0.0.4*1
 hostkarma.junkemailfilter.com=127.0.1.2*1
 wl.mailspike.net=127.0.0.[18;19;20]*-2
 list.dnswl.org=127.0.[0..255].0*-2
 list.dnswl.org=127.0.[0..255].1*-3
 list.dnswl.org=127.0.[0..255].2*-4
 list.dnswl.org=127.0.[0..255].3*-5
 hostkarma.junkemailfilter.com=127.0.0.1*-2
_____________________________________

if you additionally configure a honeypot-backup-MX always responding with 450 if not already blacklisted, around 50% of all bots will try the backup MX and never come back to the primary, and the ones coming back are waiting some minutes by assuming greylisting and in the meantime many are on RBLs which were not at the first contact

postscreen_whitelist_interfaces = !<ip-of-backup-mx>, static:all

But I do not see how to apply Postscreen maps for deep protocol tests
only for some domains & countries.   Does it do this?

it can't by design, if it would have such capabilities it would no longer be a lightweight daemon in front of smtpd

And if there will be more checking with the Spamassassin and Clamav too
I think there is good value in all in one policy integration instead of
some in Postscreen too. I think that is making some sense?

that makes *zero* sense

postscreen kills 90% of all junk long before it connects to an expensive smtpd at all, independent of contentfilters; that's much more value than pass every connection to limited smtpd and to harm with misconceptions like greylisting
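
An added example, not part of the original messages: a simplified Python model of how the weighted postscreen_dnsbl_sites entries quoted above combine against postscreen_dnsbl_threshold = 8, including the negative DNSWL weights. The DNS replies are constructed, the function names are hypothetical, and it assumes each matching entry adds its weight once.

```python
import ipaddress
import re

# Subset of the postscreen_dnsbl_sites entries quoted in the message above.
SITES = """
b.barracudacentral.org=127.0.0.2*7
bl.mailspike.net=127.0.0.[10;11;12]*4
zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.2*3
list.dnswl.org=127.0.[0..255].1*-3
"""
THRESHOLD = 8  # postscreen_dnsbl_threshold from the message

def octet_matches(pattern, value):
    """Match one octet against 'n', '[a;b;c]' or '[a..b]'."""
    for alt in pattern.strip("[]").split(";"):
        lo, _, hi = alt.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def parse_sites(text):
    """Return (domain, octet patterns or None, weight); weight defaults to 1."""
    entries = []
    for line in text.split():
        spec, _, weight = line.partition("*")
        domain, _, filt = spec.partition("=")
        pats = re.findall(r"\[[^\]]*\]|\d+", filt) or None
        entries.append((domain, pats, int(weight or 1)))
    return entries

def score(entries, replies):
    """replies maps DNSBL domain -> A records returned for the client.
    Assumption: an entry adds its weight once if any record matches its filter."""
    total = 0
    for domain, pats, weight in entries:
        for addr in replies.get(domain, []):
            octets = ipaddress.IPv4Address(addr).packed
            if pats is None or all(octet_matches(p, o) for p, o in zip(pats, octets)):
                total += weight
                break
    return total

def verdict(total):
    """postscreen_dnsbl_action = enforce applies when score >= threshold."""
    return "enforce" if total >= THRESHOLD else "pass"

# Constructed DNS replies, not real lookups.
ENTRIES = parse_sites(SITES)
BOT = {"zen.spamhaus.org": ["127.0.0.4"], "bl.mailspike.net": ["127.0.0.10"]}
MIXED = {"b.barracudacentral.org": ["127.0.0.2"], "zen.spamhaus.org": ["127.0.0.2"],
         "list.dnswl.org": ["127.0.5.1"]}
```

Here `verdict(score(ENTRIES, BOT))` is "enforce" (6 + 4 = 10), while `MIXED` reaches 7 + 3 - 3 = 7 and passes: the DNSWL entry pulls a client listed on two blocklists back under the threshold.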
