On Sun, 22 Sep 2019 at 14:36, Paul van der Vlis <p...@vandervlis.nl> wrote:
>
> Hello,
>
> I would like some suggestions on how to get less spam, I will paste my
> configuration at the end of the mail.
>
> Maybe somebody with a nice setup could post his/her setup?
>
> As you can see, I am experimenting with reject_unknown_client_hostname.
> What's your opinion about that setting?
>
> I've never used greylisting. Are you using it?
I have been tweaking my settings for the last three years largely
based on advice from this list. I give below my (slightly simplified)
smtpd_recipient_restrictions settings for unauthenticated connections
(suggestions for improvement very welcome). I also apply some
header_checks and use spamassassin and clamav (via amavis) with some
bespoke rules.
I think it is inadvisable to use reject_unknown_client_hostname (risk
of fps) but I have found reject_unknown_reverse_client_hostname very
effective. I tried greylisting but gave it up - it isn't necessary and
the delays were very irritating to users (e.g. for password reset
emails).
smtpd_recipient_restrictions =
reject_unauth_pipelining
# localfile whitelists
check_sender_access hash:/etc/postfix/sender_access_whitelist
check_client_access hash:/etc/postfix/client_access_whitelist
check_client_access cidr:/etc/postfix/client_access_whitelist.cidr
check_helo_access hash:/etc/postfix/helo_access_whitelist
# localfile blacklists
check_sender_access hash:/etc/postfix/sender_access
check_client_access hash:/etc/postfix/client_access
check_helo_access hash:/etc/postfix/helo_access
check_sender_access pcre:/etc/postfix/sender_access.pcre
# reject clients without PTR
reject_unknown_reverse_client_hostname
# reject clients with dynamic ips
reject_rbl_client dul.dnsbl.sorbs.net=127.0.0.10
# rejections based on rbls for helo/sender/reverse_client
reject_rhsbl_helo dbl.spamhaus.org
reject_rhsbl_sender dbl.spamhaus.org
reject_rhsbl_reverse_client dbl.spamhaus.org
reject_rhsbl_sender fresh.fmb.la=127.2.0.[2;14]
# ip-based remote whitelists
permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
permit_dnswl_client white.uribl.com
permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;3;5]
# ip-based remote blacklists
reject_rbl_client zen.spamhaus.org
reject_rbl_client dyna.spamrats.com
reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
reject_rbl_client truncate.gbudb.net
reject_rbl_client dnsbl.cobion.com
reject_rbl_client bl.fmb.la=127.0.0.2
reject_rbl_client b.barracudacentral.org
