On Apr 28, 2015, at 1:04 PM, Terry Barnum <te...@dop.com> wrote:

>> 
>> On Apr 28, 2015, at 1:47 AM, Marius Gologan <marius.golo...@gmail.com> wrote:
>> 
>> Hi Terry,
>> 
>> I use amavisd-new/spamassassin in post-queue configuration with a few
>> adjustments: increased score for SPF_FAIL, DKIM_ADSP_DISCARD, Bayes_80,
>> Bayes_95, Bayes_99, Bayes_999 and few others.
>> Local DNS server - critical for RBL queries.
>> As for postscreen, I prefer "postscreen_greet_action = enforce" only, which
>> doesn't require the client to retry (as opposed to greylist behavior),
>> while it is pretty effective against bots.
>> 
>> Marius.
> 
> Thank you for the reply Marius. Do the RBL queries from 
> amavisd-new/spamassassin require a local DNS because they're more resource 
> intensive than postscreen_dnsbl_sites or reject_rhsbl_* queries?

Regarding DNS lookups, depending on your mail volume, between postscreen, 
spamassassin and whatever else you’re running, you can generate quite a few 
queries on every connection attempt.  Depending on your overall architecture, 
having a dedicated recursor instance (or two or three) can really help.  You 
don’t want a large influx of email to have an impact on other consumers of DNS 
lookups.

I really like PowerDNS (recursor), as it’s quite efficient - at one point I had 
it running on an ancient dual P-III box and peaked at 10K queries/second, which 
was about double what I could achieve on the same hardware with dnscache 
(djbdns).  BIND is probably not at all appropriate for this (but may be perfect 
for other internal use where you need more features).

Charles

> 
> I've received 16 UCE emails in the last hour--weight loss, wrinkle creams, 
> bird feeders, pharmacies. More pointers (favorite postfix techniques and/or 
> add-ons, sites to read, etc.) from those who've been successful in reducing 
> spam load are greatly appreciated.
> 
> Thanks,
> -Terry
> 
>> -----Original Message-----
>> From: owner-postfix-us...@postfix.org
>> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Terry Barnum
>> Sent: Tuesday, April 28, 2015 1:15 AM
>> To: postfix users
>> Subject: spam fighting
>> 
>> We've been using postscreen and dspam for quite some time but in the past
>> couple months more spam is making it through. I realize there's no
>> one-size-fits-all approach but because dspam isn't actively developed
>> anymore I've started looking around and am curious what others are using. Is
>> amavisd-new/spamassassin the preferred solution? My company is small with
>> <30 users.
>> 
>> Perhaps my postscreen settings could be improved? postscreen_access.cidr is
>> a small file with 4 entries to whitelist customers that aren't implicated in
>> the increase in spam.
>> 
>> $ postconf -n
>> broken_sasl_auth_clients = yes
>> command_directory = /opt/local/sbin
>> daemon_directory = /opt/local/libexec/postfix
>> data_directory = /opt/local/var/lib/postfix
>> debugger_command =
>> PATH=/opt/local/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
>> $daemon_directory/$process_name $process_id & sleep 5
>> default_privs = nobody
>> delay_warning_time = 4h
>> dovecot_destination_recipient_limit = 1
>> dspam-lmtp_destination_recipient_limit = 1
>> home_mailbox = Maildir/
>> html_directory = no
>> inet_protocols = ipv4
>> mail_owner = _postfix
>> mailq_path = /opt/local/bin/mailq
>> manpage_directory = /opt/local/share/man
>> message_size_limit = 51200000
>> mydestination = $myhostname, localhost.$mydomain, localhost
>> myhostname = mailbox.dop.com
>> mynetworks = 192.168.0.0/23, 127.0.0.0/8
>> myorigin = $mydomain
>> newaliases_path = /opt/local/bin/newaliases
>> postscreen_access_list = permit_mynetworks,
>> cidr:/opt/local/etc/postfix/postscreen_access.cidr
>> postscreen_bare_newline_action = enforce
>> postscreen_bare_newline_enable = yes
>> postscreen_blacklist_action = drop
>> postscreen_dnsbl_action = enforce
>> postscreen_dnsbl_sites = 
>> b.barracudacentral.org=127.0.0.2*7 
>> dnsbl.inps.de=127.0.0.2*7 
>> bl.mailspike.net=127.0.0.2*5 
>> bl.mailspike.net=127.0.0.[10;11;12]*4 
>> dnsbl.sorbs.net=127.0.0.10*8 
>> dnsbl.sorbs.net=127.0.0.5*6 
>> dnsbl.sorbs.net=127.0.0.7*3 
>> dnsbl.sorbs.net=127.0.0.8*2 
>> dnsbl.sorbs.net=127.0.0.6*2 
>> dnsbl.sorbs.net=127.0.0.9*2 
>> zen.spamhaus.org=127.0.0.[10;11]*8 
>> zen.spamhaus.org=127.0.0.[4..7]*6 
>> zen.spamhaus.org=127.0.0.3*4 
>> zen.spamhaus.org=127.0.0.2*3 
>> hostkarma.junkemailfilter.com=127.0.0.2*3 
>> hostkarma.junkemailfilter.com=127.0.0.4*1 
>> hostkarma.junkemailfilter.com=127.0.1.2*1 
>> wl.mailspike.net=127.0.0.[18;19;20]*-2 
>> list.dnswl.org=127.0.[0..255].0*-2 
>> list.dnswl.org=127.0.[0..255].1*-3 
>> list.dnswl.org=127.0.[0..255].2*-4 
>> list.dnswl.org=127.0.[0..255].3*-5 
>> hostkarma.junkemailfilter.com=127.0.0.1*-2
>> postscreen_dnsbl_threshold = 3
>> postscreen_dnsbl_ttl = 5m
>> postscreen_greet_action = enforce
>> postscreen_non_smtp_command_enable = yes
>> postscreen_pipelining_action = enforce
>> postscreen_pipelining_enable = yes
>> proxy_interfaces = 70.167.15.110
>> queue_directory = /opt/local/var/spool/postfix
>> readme_directory = /opt/local/share/postfix/readme
>> sample_directory = /opt/local/share/postfix/sample
>> sendmail_path = /opt/local/sbin/sendmail
>> setgid_group = _postdrop
>> smtpd_banner = $myhostname ESMTP $mail_name
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
>> reject_non_fqdn_helo_hostname
>> smtpd_recipient_restrictions = 
>> permit_mynetworks,
>> permit_sasl_authenticated, 
>> reject_non_fqdn_sender, 
>> reject_non_fqdn_recipient, 
>> reject_unknown_sender_domain, 
>> reject_unknown_recipient_domain, 
>> reject_unauth_pipelining, 
>> reject_unauth_destination, 
>> reject_unlisted_recipient, 
>> check_recipient_access pcre:/opt/local/etc/postfix/recipient_checks.pcre, 
>> check_helo_access hash:/opt/local/etc/postfix/helo_checks, 
>> check_sender_access hash:/opt/local/etc/postfix/sender_checks, 
>> check_client_access hash:/opt/local/etc/postfix/client_checks, 
>> check_client_access pcre:/opt/local/etc/postfix/fqrdns.pcre, 
>> reject_rhsbl_client dbl.spamhaus.org, 
>> reject_rhsbl_sender dbl.spamhaus.org, 
>> reject_rhsbl_helo dbl.spamhaus.org, 
>> check_client_access pcre:/opt/local/etc/postfix/dspam_filter_access
>> smtpd_reject_unlisted_sender = yes
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_local_domain = $myhostname
>> smtpd_sasl_path = private/auth
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_type = dovecot
>> smtpd_sender_restrictions = permit_mynetworks, reject_unknown_address
>> smtpd_tls_auth_only = yes
>> smtpd_tls_cert_file = /opt/local/etc/postfix/ssl/certs/postfix.cert
>> smtpd_tls_key_file = /opt/local/etc/postfix/ssl/private/postfix.key
>> smtpd_tls_loglevel = 1
>> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
>> smtpd_tls_security_level = may
>> smtpd_tls_session_cache_database =
>> btree:/opt/local/var/lib/postfix/smtpd_tls_cache
>> smtpd_tls_session_cache_timeout = 3600s
>> tls_random_source = dev:/dev/urandom
>> transport_maps = hash:/opt/local/etc/postfix/transport
>> unknown_local_recipient_reject_code = 550
>> vacation_destination_recipient_limit = 1
>> virtual_alias_maps =
>> proxy:mysql:/opt/local/etc/postfix/mysql_virtual_alias_maps.cf
>> virtual_gid_maps = static:_vmail
>> virtual_mailbox_base = /Volumes/mail/vmail/
>> virtual_mailbox_domains =
>> proxy:mysql:/opt/local/etc/postfix/mysql_virtual_mailbox_domains.cf
>> virtual_mailbox_maps =
>> proxy:mysql:/opt/local/etc/postfix/mysql_virtual_mailbox_maps.cf
>> virtual_minimum_uid = _vmail
>> virtual_transport = dovecot
>> virtual_uid_maps = static:_vmail
>> 
>> Thanks,
>> -Terry
>> 
>> Terry Barnum
>> digital OutPost
>> http://www.dop.com
>> 
>> 
>> 
> 
> Terry Barnum
> digital OutPost
> http://www.dop.com

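The thread above discusses postscreen's weighted DNSBL scoring (postscreen_dnsbl_sites with per-reply filters and weights, compared against postscreen_dnsbl_threshold) without showing how the filters and weights combine. The following is an added example, not code from the thread or from Postfix: a small Python model that parses a subset of Terry's postscreen_dnsbl_sites entries (the "d.d.d.d" reply filters with "[a..b]" ranges and "[a;b]" lists, and the "*weight" factors) and scores constructed DNSBL answers for three hypothetical client addresses. The client IPs and the DNSBL replies are made up for illustration; real postscreen queries each domain once per client through dnsblog(8), and the assumption here that each filter contributes its weight at most once per client is a simplification of this model, not a statement about postscreen internals.

```python
import re

# Entries copied from the postscreen_dnsbl_sites in the posted config (a subset).
DNSBL_SITES = """
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4
zen.spamhaus.org=127.0.0.2*3
hostkarma.junkemailfilter.com=127.0.0.2*3
hostkarma.junkemailfilter.com=127.0.0.4*1
hostkarma.junkemailfilter.com=127.0.1.2*1
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].2*-4
list.dnswl.org=127.0.[0..255].3*-5
hostkarma.junkemailfilter.com=127.0.0.1*-2
"""
THRESHOLD = 3  # postscreen_dnsbl_threshold from the posted config

ENTRY_RE = re.compile(r'([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?')
OCTET_RE = re.compile(r'\[[^\]]*\]|\d+')


def octet_set(token):
    """Expand one octet pattern ('7', '[4..7]', '[10;11]', '[2;4..6]') to a set of ints."""
    if not (token.startswith('[') and token.endswith(']')):
        return {int(token)}
    out = set()
    for part in token[1:-1].split(';'):
        if '..' in part:
            lo, hi = part.split('..', 1)
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return out


def parse_sites(text):
    """Parse postscreen_dnsbl_sites text into (domain, filter, weight) rules.

    filter is a 4-tuple of octet sets, or None when the entry has no '=pattern'
    (then any non-empty reply matches). Weight defaults to 1, as in postscreen.
    """
    rules = []
    for entry in text.split():
        m = ENTRY_RE.fullmatch(entry)
        if not m:
            raise ValueError("bad postscreen_dnsbl_sites entry: %r" % entry)
        domain, pattern, weight = m.groups()
        filt = None
        if pattern:
            tokens = OCTET_RE.findall(pattern)
            # Reject anything that is not exactly four dot-separated octet patterns.
            if len(tokens) != 4 or '.'.join(tokens) != pattern:
                raise ValueError("bad reply filter: %r" % pattern)
            filt = tuple(octet_set(t) for t in tokens)
        rules.append((domain, filt, int(weight) if weight is not None else 1))
    return rules


def filter_matches(filt, addr):
    """True when the DNSBL reply address addr (dotted quad) matches the filter."""
    if filt is None:
        return True
    octets = [int(o) for o in addr.split('.')]
    return len(octets) == 4 and all(o in allowed for o, allowed in zip(octets, filt))


def score_client(rules, replies):
    """Sum the weights of the rules matching one client's DNSBL replies.

    replies maps DNSBL domain -> list of A-record addresses returned for that
    client. Simplifying assumption of this model: each rule contributes at
    most once per client, even if several reply addresses match it.
    """
    total, hits = 0, []
    for domain, filt, weight in rules:
        for addr in replies.get(domain, []):
            if filter_matches(filt, addr):
                total += weight
                hits.append((domain, addr, weight))
                break
    return total, hits


def verdict(rules, replies, threshold=THRESHOLD):
    """Return ('reject'|'pass', score, hits); reject when score >= the threshold."""
    total, hits = score_client(rules, replies)
    return ('reject' if total >= threshold else 'pass'), total, hits


# Constructed DNSBL answers for three hypothetical clients (not real lookups).
SAMPLE_REPLIES = {
    # bot: listed on Spamhaus CSS (127.0.0.4) and PBL (127.0.0.11)
    "198.51.100.7": {"zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"]},
    # real MTA: a dnswl 'medium' trust reply (127.0.5.2) offsets a hostkarma black hit
    "203.0.113.25": {"list.dnswl.org": ["127.0.5.2"],
                     "hostkarma.junkemailfilter.com": ["127.0.0.2"]},
    # unlisted anywhere
    "192.0.2.9": {},
}

if __name__ == "__main__":
    rules = parse_sites(DNSBL_SITES)
    for client, replies in SAMPLE_REPLIES.items():
        action, total, hits = verdict(rules, replies)
        print("%-14s %-6s score=%3d hits=%s" % (client, action, total, hits))
```

Run as-is it scores the bot at 14 (both Spamhaus filters fire) and the legitimate MTA at -1 (the dnswl negative weight cancels the hostkarma hit), which is the point of mixing whitelist and blacklist entries in one list: a single blacklist hit of weight 3 reaches the threshold only when nothing vouches for the client. Feeding the parser your own postconf output is a quick way to catch a mistyped filter before postscreen does, since a malformed entry raises instead of silently matching nothing.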