On 10/1/2024 6:30 PM, Bill Cole via Postfix-users wrote:
> You should be more selective about your long lists of DNSBLs. They are
> not all the same thing, and so are not all suitable for use at
> postscreen time. It seems like you are ignoring the fact that the
> underlying cause of this rejection is your decision to trust the
> Spamcop 'bl' list as an absolute blocker, which for most people who
> value their email is not a good idea. If you want to consistently
> receive mail from the giant mailbox providers, you need to use more
> nuanced mechanisms.
> ...
> Using reject_rbl_client with DNSBLs which occasionally list IPs which
> send a mix of spam and ham can be made feasible by putting the
> reject_rbl_client restriction late in the restriction list and having
> exemption mechanisms ahead of it. For example, I use reject_rbl_client
> extensively, but with check_*_access maps ahead of those directives.
> If you like everything about the Spamcop DNSBL except for it listing
> Microsoft outbounds, you could have a check_client_access directive
> with a map that permits *.outbound.protection.outlook.com clients
> before any DNSBL checks (in the same restriction list.)

Thank you Bill, and all others for your feedback.
Unfortunately at this time I don't have the luxury to invest time in
more complex configuration scenarios as mail server management is only a
small fraction of our tiny department... I guess I have to trust
Postscreen and avoid false positives in smtpd restrictions as Matus
advised.
To optimize behavior I would need to constantly monitor BL trust status
and experiment with configuration changes (supported/offered abundantly
by postfix) which is not feasible in my case I am afraid. I have to be
modest in my aspirations.
However, I do admit that all suggestions do have their place if used
knowledgeably in the right context.
If there are any complete and working configuration suggestions I could
probably try them, but it would be very difficult to work on preparing a
new one starting from our current config.
If anyone would like to provide or point to any publicly available
*complete* config suggestion(s) for testing in our production
environment, please let me know.
{Note: Our gateway servers are working with postfix - amavis (with
spamassassin, clamav) on Rocky Linux 8.}
All the best,
Nick
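
The exemption described in the quoted advice, written out as an added example (it is not a configuration posted by anyone in this thread). The map path /etc/postfix/dnsbl_exempt is a hypothetical name, and the fragment assumes Postfix 2.10 or later with the default parent_domain_matches_subdomains setting.

```conf
# /etc/postfix/main.cf (fragment, constructed for illustration)
#
# Before: the DNSBL is an absolute blocker; no client can be exempted.
#   smtpd_client_restrictions =
#       permit_mynetworks,
#       reject_rbl_client bl.spamcop.net
#
# After: an access map is consulted ahead of the DNSBL, in the same list.
# An "OK" result ends evaluation of THIS list only, so the DNSBL lookup
# is skipped for matching clients while the other restriction lists
# (including the relay check below) still apply to them.
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/dnsbl_exempt,
    reject_rbl_client bl.spamcop.net

# Relay control lives in its own list, so the exemption above cannot
# turn an exempted host into a permitted relay client.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# /etc/postfix/dnsbl_exempt (hypothetical file name)
#
# check_client_access looks up the client's verified hostname (reverse
# DNS confirmed by a forward lookup), its parent domains, and its IP.
# A client whose name cannot be confirmed is "unknown" and never matches.
# With smtpd_access_maps listed in parent_domain_matches_subdomains
# (the default), a bare domain also matches every host below it.
outbound.protection.outlook.com    OK

# After editing the map:
#   postmap /etc/postfix/dnsbl_exempt && postfix reload
```

This only affects DNSBL checks made in smtpd. Lists named in postscreen_dnsbl_sites are consulted by postscreen before smtpd sees the connection, so a list that needs exemptions like this one belongs here rather than there.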