On 6 Jun 2016, at 13:39, Yuval Levy wrote:
Thanks for the help, Bill.
On 16-06-06 10:24 AM, Bill Cole wrote:
NOTE THAT 454 REPLY!
could it be because I have soft_bounce = yes while trying to understand
the outcome of my rules without losing incoming emails?
Yes, I believe that would do it. I had somehow forgotten that
soft_bounce existed...
[...]
modified package of Postfix
plain vanilla Ubuntu repository.
So, the Debian variant I'd guess... I don't know how far from the
canonical distribution that is now, but at one point it included both
default config and source differences that made it behave differently
from Postfix built from the unmodified source distribution.
1. Stop inviting spammers to come back later when their DNSBL listing
has expired. Fix whatever is causing you to send a 454 reply instead of
the default 554 for Zen listings.
Assuming it is soft_bounce = yes, is there a way to override it for Zen
listings?
None that I am aware of. My understanding of it is that it is intentionally
global and absolute when set to 'yes' although there are also some
less-global *_soft_bounce switches that only apply to particular subsets
of would-be hard failures.
Or any other way to be more fine grained about soft bouncing?
A rbl_reply_maps table can be used to give each DNSBL its own reply,
including the reply code. I do not think that will override soft_bounce.
2. Stop accepting mail AT ALL from IPs that have no PTR records by
adding reject_unknown_reverse_client_hostname to
smtpd_recipient_restrictions AFTER permit_mynetworks and
permit_sasl_authenticated. reject_unknown_reverse_client_hostname is
extremely safe, requires no additional DNS lookups, and stops a
substantial amount of spam.
Added, thanks.
Postconf -n is attached. I am sure that there is a lot to criticize /
improve. This personal, low-usage Postfix instance has served me well
for ages. Last time I changed configuration was to add greylisting with
Postgrey, seven years ago. I was forced to make changes recently
because my wife's university made the (in my view bad) decision to
switch to outlook.office365.com which does not play nicely with
greylisting. So I am trying to learn about current spam protection to
keep this personal server going. Any hint/help is much appreciated.
Just one broad bit of advice: use postscreen.
I assume you don't have it set up, since I see no postscreen_* config in
that output and postscreen is mostly useless and harmless with its
default settings. Also, it didn't exist 7 years ago.
The best thing postscreen does for me is drop the "fast-talker" spambots
that don't wait for a complete greeting banner before sending commands.
It also offers a more nuanced approach to DNSBL setup, summing up
locally-chosen scores for each list and judging the result against a
threshold instead of letting each list make an absolute yes/no decision.
See the recent thread "RBLs in postscreen AND smtpd_*_restrictions" for
discussion of how this can work along with the traditional mechanism.
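
Added illustration, not part of the original message and not Postfix code: a simplified Python model of the score-and-threshold DNSBL decision described above, next to the behaviour where any single list hit rejects. The `.example` list names, the weights and the threshold are assumed values, and only literal `=reply` filters are modelled.

```python
import ipaddress

# Constructed sample in the "domain[=reply]*weight" form used by the
# postscreen_dnsbl_sites parameter. The .example lists and all weights are
# illustrative assumptions, not a recommended policy.
DNSBL_SITES = ("zen.spamhaus.org*3, bl-a.example*1, bl-b.example*1, "
               "wl.example=127.0.5.0*-2")
THRESHOLD = 2  # assumed value for postscreen_dnsbl_threshold


def parse_sites(value):
    """Split the setting into (domain, reply_filter, weight) tuples."""
    entries = []
    for item in value.replace(",", " ").split():
        spec, _, weight = item.partition("*")
        domain, _, reply = spec.partition("=")
        if reply:
            # This model accepts only a literal IPv4 reply, not patterns.
            ipaddress.IPv4Address(reply)
        entries.append((domain, reply or None, int(weight) if weight else 1))
    return entries


def score(entries, answers):
    """Sum the weights of every entry whose list answered for the client.

    answers maps a list domain to the set of A-record replies it returned;
    a missing or empty set means the client is not listed there.
    """
    total = 0
    for domain, reply, weight in entries:
        got = answers.get(domain, set())
        if got and (reply is None or reply in got):
            total += weight
    return total


def postscreen_blocks(entries, answers, threshold=THRESHOLD):
    """Combined decision: block only when the summed score reaches the threshold."""
    return score(entries, answers) >= threshold


def any_list_blocks(entries, answers):
    """Per-list decision: a hit on any one blocklist is an absolute reject."""
    return any(w > 0 and bool(answers.get(d)) for d, _, w in entries)
```

A client listed only on one low-weight list passes the combined check but would be rejected by the per-list check, while a Zen hit alone still crosses the threshold.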