[prev in list] [next in list] [prev in thread] [next in thread] 

List:       postfix-users
Subject:    Re: Suggestions for less spam
From:       Matus UHLAR - fantomas <uhlar () fantomas ! sk>
Date:       2019-09-24 10:30:12
Message-ID: 20190924103012.GA31555 () fantomas ! sk
[Download RAW message or body]

On 24.09.19 12:11, Paul van der Vlis wrote:
>I am using now much of your setting and it seems to help. Thanks a lot!

I would just like to note that all those reject_rbl_client directives are
prone to errors when any of those blacklist fails.

That's why I suggestes to use postscreen, where you can define whitelists
and minimum score for listing. 
Postscreen in addition helps catching many bots not listed in blacklists.

>Op 22-09-19 om 17:59 schreef Dominic Raferd:
>> On Sun, 22 Sep 2019 at 14:36, Paul van der Vlis <paul@vandervlis.nl> wrote:
>>>
>>> Hello,
>>>
>>> I would like some suggestions on how to get less spam, I will paste my
>>> configuration at the end of the mail.
>>>
>>> Maybe somebody with a nice setup could post his/her setup?
>>>
>>> As you can see, I am experimenting with reject_unknown_client_hostname.
>>> What's your opinion about that setting?
>>>
>>> I've never used greylisting. Are you using it?
>>
>> I have been tweaking my settings for the last three years largely
>> based on advice from this list. I give below my (slightly simplified)
>> smtpd_recipient_restrictions settings for unauthenticated connections
>> (suggestions for improvement very welcome). I also apply some
>> header_checks and use spamassassin and clamav (via amavis) with some
>> bespoke rules.
>>
>> I think it is inadvisable to use reject_unknown_client_hostname (risk
>> of fps) but I have found reject_unknown_reverse_client_hostname very
>> effective. I tried greylisting but gave it up - it isn't necessary and
>> the delays were very irritating to users (e.g. for password reset
>> emails).
>>
>> smtpd_recipient_restrictions =
>>     reject_unauth_pipelining
>>
>>      # localfile whitelists
>>     check_sender_access hash:/etc/postfix/sender_access_whitelist
>>     check_client_access hash:/etc/postfix/client_access_whitelist
>>     check_client_access cidr:/etc/postfix/client_access_whitelist.cidr
>>     check_helo_access hash:/etc/postfix/helo_access_whitelist
>>
>>     # localfile blacklists
>>     check_sender_access hash:/etc/postfix/sender_access
>>     check_client_access hash:/etc/postfix/client_access
>>     check_helo_access hash:/etc/postfix/helo_access
>>     check_sender_access pcre:/etc/postfix/sender_access.pcre
>>
>>     # reject clients without PTR
>>     reject_unknown_reverse_client_hostname
>>
>>     # reject clients with dynamic ips
>>     reject_rbl_client dul.dnsbl.sorbs.net=127.0.0.10
>>
>>     # rejections based on rbls for helo/sender/reverse_client
>>     reject_rhsbl_helo dbl.spamhaus.org
>>     reject_rhsbl_sender dbl.spamhaus.org
>>     reject_rhsbl_reverse_client dbl.spamhaus.org
>>     reject_rhsbl_sender fresh.fmb.la=127.2.0.[2;14]
>>
>>     # ip-based remote whitelists
>>     permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
>>     permit_dnswl_client white.uribl.com
>>     permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;3;5]
>>
>>     # ip-based remote blacklists
>>     reject_rbl_client zen.spamhaus.org
>>     reject_rbl_client dyna.spamrats.com
>>     reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
>>     reject_rbl_client truncate.gbudb.net
>>     reject_rbl_client dnsbl.cobion.com
>>     reject_rbl_client bl.fmb.la=127.0.0.2
>>     reject_rbl_client b.barracudacentral.org
>>
>
>
>
>-- 
>Paul van der Vlis Linux systeembeheer Groningen
>https://www.vandervlis.nl/

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
[prev in list] [next in list] [prev in thread] [next in thread]