On 03.08.22 14:59, Matus UHLAR - fantomas wrote:
I have moved towards postscreen a long time ago.

postscreen supports multiple scored blocklists and/or allowlists, blocks clients from a configured score, and with the pregreet test helps with blocking many bots and can even replace greylisting protection.

http://www.postfix.org/POSTSCREEN_README.html

I forgot to add that postscreen does NOT process the e-mail sender or recipient, only the sender's IP address.

Thus, it's not effective for dbl.spamhaus, which is used in rhsbl* checks.

However, it's great for replacing reject_rbl_client at SMTP level.

False positives at rhsbl level are to be fixed with local allow lists or using permit_rhswl_client.

zen.spamhaus.org is quite safe to use and it's not to be replaced, but improved by using dbl.spamhaus.org.

On 03.08.22 10:39, Linkcheck wrote:
I have recently begun getting blocks from dbl.spamhaus.org for "valid" email. I thought a single instance was an aberration but in all I've seen half a dozen emails blocked - a large number for my small system.

The original setup was...
============
smtpd_helo_restrictions =
    ...
    reject_rhsbl_helo dbl.spamhaus.org

smtpd_sender_restrictions =
    ...
    reject_rhsbl_sender dbl.spamhaus.org

smtpd_recipient_restrictions =
    ...
    reject_rbl_client zen.spamhaus.org
    reject_rhsbl_client dbl.spamhaus.org
============

I have now disabled the dbl.spamhaus tests but left in place the zen.spamhaus one.

The mail server is an old one, running almost untouched for several years. The positioning of the spamhaus tests has not changed in some time until now. I am setting up a new server with postfix, spamassassin, dovecot etc but it has yet to receive any real mail.

I am concerned that adding spamhaus tests to postfix on the new server may be detrimental even though, until now, I have seen no adverse reaction.

Spamhaus has a page for setting up postfix and recommends...
============
smtpd_recipient_restrictions =
    ...
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
    reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]
    reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99]
    reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99]
    warn_if_reject reject_rbl_client zen.spamhaus.org=127.255.255.[1..255]
============

Is this a realistic setup? Should there be more, fewer or repositioned tests?




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
99 percent of lawyers give the rest a bad name.
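
The reply-code filters in the quoted settings (such as `=127.0.0.[2..11]`) and the scored block/allow lists mentioned for postscreen can be modelled offline. This is an added example, not part of the original thread and not Postfix code. The scoring is a simplified model, `bl.example.net`, `wl.example.net`, the weights and the threshold are hypothetical, and the DNS replies are constructed.

```python
import ipaddress
import re

def query_name(client_ip, zone):
    """DNSBL lookup name for an IPv4 client: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def _field_matches(pattern, value):
    """One filter field: a plain number, or [a..b] / [a;b;c..d] alternatives."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for alt in pattern[1:-1].split(";"):
        lo, _, hi = alt.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(reply, reply_filter=None):
    """True if an A-record reply counts as 'listed' under the filter.
    With no filter, ANY A record counts, as with a bare reject_rbl_client."""
    if reply_filter is None:
        return True
    fields = re.findall(r"\[[^\]]*\]|\d+", reply_filter)
    octets = [int(o) for o in reply.split(".")]
    return len(fields) == 4 and all(
        _field_matches(f, o) for f, o in zip(fields, octets))

def dnsbl_score(sites, replies):
    """Simplified postscreen-style score (assumption): each (zone, filter,
    weight) entry adds its weight once if any reply from that zone matches."""
    return sum(weight for zone, flt, weight in sites
               if any(reply_matches(r, flt) for r in replies.get(zone, [])))

# Hypothetical weighted list: one blocklist with a reply filter, one
# unfiltered blocklist, one allowlist with a negative weight.
SITES = [("zen.spamhaus.org", "127.0.0.[2..11]", 3),
         ("bl.example.net", None, 1),
         ("wl.example.net", None, -2)]
THRESHOLD = 3  # hypothetical: block when score >= THRESHOLD

# Constructed DNS replies (no network access is performed).
LISTED = {"zen.spamhaus.org": ["127.0.0.4"]}
ERROR_CODE = {"zen.spamhaus.org": ["127.255.255.254"]}
LISTED_BUT_ALLOWED = {"zen.spamhaus.org": ["127.0.0.4"],
                      "wl.example.net": ["127.0.0.2"]}

def blocked(replies):
    return dnsbl_score(SITES, replies) >= THRESHOLD
```

A reply in the 127.255.255.x range counts as a listing when no filter is given but not under `127.0.0.[2..11]`, which is the practical difference between the unfiltered original setup and the filtered one quoted from Spamhaus.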
