On Wed, 15 Aug 2018 at 09:32, Gary <li...@lazygranch.com> wrote:

> ...
> I'm guessing you will be using a VPS. I'm on Digital Ocean running CentOS.
> But I assume this is a function of what country you reside in. Some
> sysadmins will assume if you are on a VPS, you are a spammer. ATT for
> example. They will whitelist your IP, but you need to ask.
>
> I got a lot of grief when I disparaged OVH, but I swear they are
> bulletproof hosting and I would avoid them. You really should go for
> SSD-based VPS if you go that route at all. In benchmarks, Linode is
> usually a bit faster than Digital Ocean.
>
> On my current server, I skipped amavisd-new because sometimes it stalls
> the mail queue. Nor do I run SpamAssassin. I'm happy just using RBLs. I'm
> running opendkim, openspf, and opendmarc.
>
>   Original Message
> From: robac...@fastmail.us
>
> I'm starting the process of moving my mail from a hosted service to my
> own.  It'll include a Postfix server.
>
> I got a test server running locally and 'sending & receiving' mail inside
> my lan.
>
> Now I'm doing my reading on security issues, authentication, and the like.
>
> I've got stacks of articles and notes.
>
> I'm looking for any advice from opinionated, experienced Postfix users.
>
> Couple of production questions:
>
> (1)
> For open source authentication milters (DKIM, DMARC, ARC) that work with
> Postfix on Linux, there seem to be two main choices:
>   https://github.com/fastmail/authentication_milter
>   https://github.com/trusteddomainproject/
> What do folks here recommend to use?
>

Regarding DKIM and DMARC I would stick with the standard open source
packages which are opendkim and opendmarc, they play well together and you
should be able to install them from your distro packaging system. Then you
don't need any SPF package - it's unwise IMO to block emails solely on SPF
(because they may be relayed), and opendmarc v1.3.2+ has a reliable
built-in SPF checker.

I use Amavis as content-filter and it works well although the consequent
re-injection of emails makes log tracing more complicated. It normally
calls SpamAssassin and ClamAV - the latter is pointless without the
Sanesecurity addon signatures. Virus-laden emails that aren't stopped by
other defences before they reach amavis/ClamAV are surprisingly rare.
Amavis has its own quarantine-hold and quarantine-release system - it would
be more elegant if it used Postfix's hold queue. I have found Amavis
setting '$child_timeout = 20;' helpful - sometimes the children (ClamAV
especially) do go on a bit ;-)

I use OVH for a mailserver and don't have problems with it, and they are
the best value I know for VPS with static IPv4. Of course everyone is
entitled to their own opinion.

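An added example, not part of the original thread: a sketch of why a relayed message that would be rejected under an SPF-only rule can still pass a DMARC-style check when its DKIM signature survives. The header strings are constructed, the function names are hypothetical, and relaxed alignment is approximated by comparing the last two domain labels instead of using the Public Suffix List.

```python
# Constructed Authentication-Results values (not taken from the thread).
# example.org is the author (From:) domain in all three cases.
DIRECT = ("mx.example.net; spf=pass smtp.mailfrom=example.org; "
          "dkim=pass header.d=example.org")
RELAYED = ("mx.example.net; spf=fail smtp.mailfrom=example.org; "
           "dkim=pass header.d=example.org")   # forwarded by a third host
SPOOFED = ("mx.example.net; spf=fail smtp.mailfrom=example.org; "
           "dkim=none")

def parse_authres(value):
    """Return {method: (result, {property: value})}; last result per method wins."""
    results = {}
    for clause in value.split(";")[1:]:        # first field is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results

def org_domain(domain):
    # Assumption: last two labels stand in for the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(domain, from_domain):
    return bool(domain) and org_domain(domain) == org_domain(from_domain)

def spf_only_verdict(value):
    """The policy the reply advises against: reject on SPF failure alone."""
    spf_result, _ = parse_authres(value).get("spf", ("none", {}))
    return "reject" if spf_result == "fail" else "accept"

def dmarc_style_verdict(value, from_domain):
    """Pass if either SPF or DKIM passed for a domain aligned with From:."""
    res = parse_authres(value)
    spf_result, spf_props = res.get("spf", ("none", {}))
    dkim_result, dkim_props = res.get("dkim", ("none", {}))
    mailfrom = spf_props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
    spf_ok = spf_result == "pass" and aligned(mailfrom, from_domain)
    dkim_ok = (dkim_result == "pass"
               and aligned(dkim_props.get("header.d", ""), from_domain))
    return "pass" if (spf_ok or dkim_ok) else "fail"

if __name__ == "__main__":
    for name, hdr in (("direct", DIRECT), ("relayed", RELAYED), ("spoofed", SPOOFED)):
        print(name, spf_only_verdict(hdr), dmarc_style_verdict(hdr, "example.org"))
```

What happens to a message with a "fail" result still depends on the policy the author domain publishes in its DMARC record.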