I'm trying to come up with a set of suggested Postscreen main.cf settings that can be a suggested "general" starting place for most personal and small business users. Below is what I'm currently running on my personal box, and I would appreciate any "sanity check" feedback from the list.
I only enabled the deep protocol tests (and the postscreen_dnsbl_whitelist_threshold setting) a few days ago, but I'm already seeing many entries in my mail log for "HANGUP after X.X ... in tests after SMTP handshake," as well as a bunch of NON-SMTP COMMAND entries all from the same IP in Brazil (177.11.51.74) trying to submit from gibberish email addresses, and many COMMAND PIPELINING and NON-SMTP COMMAND entries from an IP in China (222.141.118.15).

Also, "gmail_whitelist.cidr" below in my postscreen_access_list is the output of Mike Miller's gwhitelist.sh script (https://gist.github.com/stevejenkins/868ccede57042d940830).

Here are my Postscreen-related settings in main.cf:

# Postscreen Options
postscreen_access_list = permit_mynetworks,
        cidr:/etc/postfix/postscreen_access.cidr,
        cidr:/etc/postfix/gmail_whitelist.cidr,
        hash:/etc/postfix/postscreen_whitelist
postscreen_blacklist_action = drop
postscreen_greet_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_dnsbl_sites = zen.spamhaus.org*3
        bl.mailspike.net*2
        b.barracudacentral.org*2
        bl.spameatingmonkey.net
        bl.spamcop.net
        dnsbl.sorbs.net
        psbl.surriel.com
        swl.spamhaus.org*-4
        list.dnswl.org=127.[0..255].[0..255].0*-2
        list.dnswl.org=127.[0..255].[0..255].1*-3
        list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
        wl.mailspike.net=127.0.0.[17;18]*-1
        wl.mailspike.net=127.0.0.[19;20]*-2

# Postscreen Deep Protocol Tests
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = drop
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = ignore

Feedback appreciated. Thanks in advance.

SteveJ