On Wed, May 27, 2020, 8:49 PM Ian Evans, <dheianev...@gmail.com> wrote:
> On Wed, May 27, 2020, 11:44 AM @lbutlr, <krem...@kreme.com> wrote:
>
>> On 24 May 2020, at 19:04, Ian Evans <dheianev...@gmail.com> wrote:
>> > Based on another thread here, I want to move to using postscreen/postwhite and ditch postgrey.
>> >
>> > Just want to make sure I don't bungle stopping postgrey.
>> >
>> > So...
>> >
>> > - edit main.cf and remove "check_policy_service inet:127.0.0.1:10023" from smtpd_recipient_restrictions.
>>
>> Comment it out.
>>
>> And don't forget to comment out the corresponding section in master.cf
>>
>> > - restart Postfix
>>
>> That will do it.
>>
>> > - purge the postgrey package.
>>
>> Eventually. Don't need to rush.
>>
>> > Then go about getting postscreen working.
>>
>> As others have said, I'd do that first. But it's really just a few lines.
>>
>> These are my settings, -ish.
>>
>> postscreen_access_list = cidr:$config_directory/postscreen_access.cidr
>>
>> # Maybe start with warn if you're worried
>> postscreen_blacklist_action = drop
>> postscreen_dnsbl_action = enforce
>> postscreen_dnsbl_sites = <list of RBLs and maybe DNSWL.org whitelists>
>> postscreen_dnsbl_threshold = 3
>> postscreen_dnsbl_ttl = 1d
>> postscreen_dnsbl_whitelist_threshold = -1
>> postscreen_greet_action = enforce
>> postscreen_greet_banner = mail.covisp.net ESTMP -- Please wait
>> postscreen_greet_wait = 11s
>>
>> I've settled on 11s, but you should probably not set postscreen_greet_wait unless you need to as the default is there for a reason. I found for my server 11s cut off a lot more mail, and I haven’t noticed missing anything I want.
>>
>> Default:
>> postscreen_greet_wait = ${stress?{2}:{6}}s
>>
>> The most complicated part is setting up and scoring the rbls, though searching the list archives for 'postscreen_dnsbl_sites' will find you some settings other people use and you can start from there. Be sure and check the specific RBLs to be sure that they allow open access and that they still exist. Zen is very popular and in my opinion the best one out there, but you need to pay for commercial access.
>>
>
> Thanks for the further suggestions.

Just wanted to hop back to this thread and thank everyone for the pointers on Postscreen and removal of Postgrey. It's so effective and I no longer have to deal with some legitimate senders being delayed for minutes or sometimes hours. And yes, I will admit a couple of times I tail -f'd the mail.log to watch Postscreen work its magic.

Thanks again to Wietse and everyone involved in the Postfix community.
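
How the weights in a `postscreen_dnsbl_sites` list combine against the two thresholds quoted above, as an added example that is not part of the original thread. The site names and DNSBL replies are constructed placeholders; the scoring follows the `domain=filter*weight` rules documented in postconf(5).

```python
import ipaddress
import re

DNSBL_THRESHOLD = 3        # postscreen_dnsbl_threshold from the quoted settings
WHITELIST_THRESHOLD = -1   # postscreen_dnsbl_whitelist_threshold, same source
# Constructed site list with placeholder domains: domain[=filter][*weight]
SITES = """bl-a.example*3
           bl-b.example=127.0.0.[2..11]*2
           bl-c.example=127.0.0.2
           wl.example=127.0.[0..255].[1;3]*-2"""

ENTRY = re.compile(r"([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?")

def parse_sites(text):
    """Split the list into (domain, filter or None, weight) tuples."""
    sites = []
    for item in re.split(r"[,\s]+", text.strip()):
        m = ENTRY.fullmatch(item)
        if not m:
            raise ValueError(f"bad entry: {item!r}")
        sites.append((m[1], m[2], int(m[3] or 1)))  # default weight is 1
    return sites

def reply_matches(flt, reply):
    """True if a DNSBL A-record reply satisfies a well-formed d.d.d.d filter."""
    if flt is None:                       # no filter: any reply counts
        return True
    fields = re.findall(r"\[[^\]]*\]|\d+", flt)   # keeps [a;b..c] in one piece
    octets = ipaddress.IPv4Address(reply).packed
    for field, octet in zip(fields, octets):
        ranges = (p.partition("..") for p in field.strip("[]").split(";"))
        if not any(int(lo) <= octet <= int(hi or lo) for lo, _, hi in ranges):
            return False
    return True

def score(sites, replies):
    """replies maps domain -> A records for one client; weight counts once per entry."""
    return sum(weight for domain, flt, weight in sites
               if any(reply_matches(flt, r) for r in replies.get(domain, [])))

def verdict(total):
    if total >= DNSBL_THRESHOLD:
        return "block"        # postscreen_dnsbl_action is applied
    if total <= WHITELIST_THRESHOLD:
        return "skip-tests"   # pending greeting tests are skipped
    return "continue"         # remaining postscreen tests still run

if __name__ == "__main__":    # constructed replies for one client
    listed = {"bl-b.example": ["127.0.0.4"], "bl-c.example": ["127.0.0.2"]}
    print(verdict(score(parse_sites(SITES), listed)))
```

With a threshold of 3, no single low-weight list can block a client on its own here; it takes the weight-3 list or agreement between two others, and a whitelist hit can pull a listed client back under the threshold.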