Hi Terry,

I use amavisd-new/spamassassin in a post-queue configuration with a few adjustments: increased score for SPF_FAIL, DKIM_ADSP_DISCARD, Bayes_80, Bayes_95, Bayes_99, Bayes_999 and a few others. Local DNS server - critical for RBL queries. As for postscreen, I prefer "postscreen_greet_action = enforce" only, which doesn't require the client to retry (as opposed to greylist behavior), while being pretty effective against bots.

Marius.

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Terry Barnum
Sent: Tuesday, April 28, 2015 1:15 AM
To: postfix users
Subject: spam fighting

We've been using postscreen and dspam for quite some time but in the past couple months more spam is making it through. I realize there's no one-size-fits-all approach but because dspam isn't actively developed anymore I've started looking around and am curious what others are using. Is amavisd-new/spamassassin the preferred solution? My company is small with <30 users.

Perhaps my postscreen settings could be improved? postscreen_access.cidr is a small file with 4 entries to whitelist customers that aren't implicated in the increase in spam.

$ postconf -n
broken_sasl_auth_clients = yes
command_directory = /opt/local/sbin
daemon_directory = /opt/local/libexec/postfix
data_directory = /opt/local/var/lib/postfix
debugger_command = PATH=/opt/local/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_privs = nobody
delay_warning_time = 4h
dovecot_destination_recipient_limit = 1
dspam-lmtp_destination_recipient_limit = 1
home_mailbox = Maildir/
html_directory = no
inet_protocols = ipv4
mail_owner = _postfix
mailq_path = /opt/local/bin/mailq
manpage_directory = /opt/local/share/man
message_size_limit = 51200000
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = mailbox.dop.com
mynetworks = 192.168.0.0/23, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /opt/local/bin/newaliases
postscreen_access_list = permit_mynetworks, cidr:/opt/local/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
    b.barracudacentral.org=127.0.0.2*7
    dnsbl.inps.de=127.0.0.2*7
    bl.mailspike.net=127.0.0.2*5
    bl.mailspike.net=127.0.0.[10;11;12]*4
    dnsbl.sorbs.net=127.0.0.10*8
    dnsbl.sorbs.net=127.0.0.5*6
    dnsbl.sorbs.net=127.0.0.7*3
    dnsbl.sorbs.net=127.0.0.8*2
    dnsbl.sorbs.net=127.0.0.6*2
    dnsbl.sorbs.net=127.0.0.9*2
    zen.spamhaus.org=127.0.0.[10;11]*8
    zen.spamhaus.org=127.0.0.[4..7]*6
    zen.spamhaus.org=127.0.0.3*4
    zen.spamhaus.org=127.0.0.2*3
    hostkarma.junkemailfilter.com=127.0.0.2*3
    hostkarma.junkemailfilter.com=127.0.0.4*1
    hostkarma.junkemailfilter.com=127.0.1.2*1
    wl.mailspike.net=127.0.0.[18;19;20]*-2
    list.dnswl.org=127.0.[0..255].0*-2
    list.dnswl.org=127.0.[0..255].1*-3
    list.dnswl.org=127.0.[0..255].2*-4
    list.dnswl.org=127.0.[0..255].3*-5
    hostkarma.junkemailfilter.com=127.0.0.1*-2
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 5m
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = yes
proxy_interfaces = 70.167.15.110
queue_directory = /opt/local/var/spool/postfix
readme_directory = /opt/local/share/postfix/readme
sample_directory = /opt/local/share/postfix/sample
sendmail_path = /opt/local/sbin/sendmail
setgid_group = _postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_recipient_access pcre:/opt/local/etc/postfix/recipient_checks.pcre,
    check_helo_access hash:/opt/local/etc/postfix/helo_checks,
    check_sender_access hash:/opt/local/etc/postfix/sender_checks,
    check_client_access hash:/opt/local/etc/postfix/client_checks,
    check_client_access pcre:/opt/local/etc/postfix/fqrdns.pcre,
    reject_rhsbl_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    check_client_access pcre:/opt/local/etc/postfix/dspam_filter_access
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_address
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /opt/local/etc/postfix/ssl/certs/postfix.cert
smtpd_tls_key_file = /opt/local/etc/postfix/ssl/private/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/opt/local/var/lib/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/opt/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
vacation_destination_recipient_limit = 1
virtual_alias_maps = proxy:mysql:/opt/local/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:_vmail
virtual_mailbox_base = /Volumes/mail/vmail/
virtual_mailbox_domains = proxy:mysql:/opt/local/etc/postfix/mysql_virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/opt/local/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = _vmail
virtual_transport = dovecot
virtual_uid_maps = static:_vmail

Thanks,
-Terry

Terry Barnum
digital OutPost
http://www.dop.com
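
An added example, not part of either message: a small Python model of how the weighted postscreen_dnsbl_sites entries quoted above combine against postscreen_dnsbl_threshold = 3, useful for checking whether a whitelist weight can cancel a blocklist hit. It assumes the documented postscreen rule that each entry's weight is applied at most once; the function names and the DNSBL replies are constructed for illustration.

```python
import re

# Subset of the postscreen_dnsbl_sites value quoted in the message above.
DNSBL_SITES = """
zen.spamhaus.org=127.0.0.[10;11]*8 zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3
bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10;11;12]*4
list.dnswl.org=127.0.[0..255].1*-3 hostkarma.junkemailfilter.com=127.0.0.1*-2
"""
THRESHOLD = 3  # postscreen_dnsbl_threshold from the same postconf output
# Constructed DNSBL replies for one hypothetical client (not from the thread).
SAMPLE_REPLIES = {"zen.spamhaus.org": ["127.0.0.2"],
                  "list.dnswl.org": ["127.0.5.1"]}

def parse_sites(value):
    """Split 'domain[=filter][*weight]' entries into (domain, filter, weight)."""
    entries = []
    for item in re.split(r"[,\s]+", value.strip()):
        item, _, weight = item.partition("*")
        domain, _, filt = item.partition("=")
        entries.append((domain, filt or None, int(weight) if weight else 1))
    return entries

def octet_matches(pattern, octet):
    """Match one reply octet against 'd' or a '[a;b;c..d]' pattern."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    for part in pattern[1:-1].split(";"):
        low, _, high = part.partition("..")
        if int(low) <= octet <= int(high or low):
            return True
    return False

def reply_matches(filt, reply):
    """True if a DNSBL A-record reply satisfies the entry's filter."""
    if filt is None:  # no filter: any non-error reply counts
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", filt)
    octets = [int(o) for o in reply.split(".")]
    return len(patterns) == 4 and all(map(octet_matches, patterns, octets))

def dnsbl_score(entries, replies):
    """Sum entry weights; an entry counts once however many replies match it."""
    return sum(w for d, f, w in entries
               if any(reply_matches(f, r) for r in replies.get(d, [])))

def reaches_threshold(entries, replies, threshold=THRESHOLD):
    """True when postscreen_dnsbl_action would apply to this client."""
    return dnsbl_score(entries, replies) >= threshold
```

With the constructed replies, the zen.spamhaus.org 127.0.0.2 hit (+3) is cancelled by the list.dnswl.org entry (-3), so the client scores 0 and falls below the threshold.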