28. Jan 2015 19:19 by li...@rhsoft.net:
> honestly with postscreen (without deep protocol tests) and rbl-scoring (DNSBL
> as well as DNSWL) there is no point for greylisting at all
>
> postscreen_dnsbl_ttl = 5m
> postscreen_dnsbl_threshold = 8
> postscreen_dnsbl_action = enforce
> postscreen_greet_action = enforce
> postscreen_dnsbl_sites =
>     b.barracudacentral.org=127.0.0.2*7
>
That is a good approach! I did not know that so far.
> if you additionally configure a honeypot-backup-MX always responding with
> 450 if not already blacklisted, around 50% of all bots will try the backup
> MX and never come back to the primary, and the ones coming back are waiting
> some minutes by assuming greylisting, and in the meantime many are on RBLs
> which were not at the first contact
>
> postscreen_whitelist_interfaces = !<ip-of-backup-mx>, static:all
>
Yes, this I did for the 2nd MX IP I have.
>> But I do not see how to apply Postscreen maps for deep protocol tests
>> only for some domains & countries. Does it do this?
>
> it can't by design, if it had such capabilities it would no longer
> be a lightweight daemon in front of smtpd
>
I think then the fear I have of too much loss from greylisting
means that I will not use the greylisting in Postscreen. So I am turning off the
deep protocol testing.
> postscreen kills 90% of all junk long before it connects to an expensive
> smtpd at all, independent of content filters; that's much more value than
> passing every connection to limited smtpd and harming with misconceptions like
> greylisting
I think that is the same idea that Wietse said to me.
Okay, some good ideas!
*S*