On 2026-03-10 at 13:45:01 UTC-0400 (Tue, 10 Mar 2026 18:45:01 +0100)
Danjel Jungersen via Postfix-users <[email protected]>
is rumored to have said:
> Postscreen....
> I will have to do some reading, any suggestion? Both regarding places
> to learn
Use it. Read the official documentation. There's a README on Postscreen
and a man page, plus definitions of relevant settings in the postconf(5)
man page.
DO NOT try to find random unofficial how-tos for Postfix on the web.
Many exist, many are correct, but many are also obsolete and/or simply
wrong. These days, much of the most dangerously wrong technical
"documentation" is actually generated by LLMs making ridiculous errors
that seem plausible.
> and working setups.
> I wish to reduce spam, but my major concern is (close to) zero false
> positives...
Enable the before-greeting tests, avoid the after-greeting tests unless
you understand that they create a de facto greylisting system and are
willing to tolerate the resulting delays.
Use DNSBLs in postscreen that focus on bots, NOT mixed legit sources.
My non-default postscreen settings:
postscreen_denylist_action = drop
postscreen_disable_vrfy_command = yes
postscreen_greet_action = drop
postscreen_greet_wait = ${stress?{2}:{6}}s
postscreen_whitelist_interfaces = !127.0.0.2,static:all
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/usr/local/etc/postfix/dnsbl_reply
postscreen_dnsbl_sites = <KEYREDACTED>zen.dq.spamhaus.net=127.0.0.2*2
    <KEYREDACTED>zen.dq.spamhaus.net=127.0.0.3*2
    <KEYREDACTED>zen.dq.spamhaus.net=127.0.0.4*2
    <KEYREDACTED>zen.dq.spamhaus.net=127.0.0.10*2
    <KEYREDACTED>zen.dq.spamhaus.net=127.0.0.11*2
    <KEYREDACTED>zen.dq.spamhaus.net=127.0.0.30*2
    <KEYREDACTED>authbl.dq.spamhaus.net=127.0.0.20*2
    korea.services.net=127.0.0.2*2 <LOCALDNSBLREDACTED>=127.0.0.2*1
    psbl.surriel.com=127.0.0.2*1
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_ttl = 10m
NOTE: If you have not registered for Data Feed access with Spamhaus, you
should do so, which gets you a private 'key' for queries via any
resolver. If you choose not to do so, you MUST query Spamhaus lists with
<LIST>.spamhaus.org base names instead of the
<KEY>.<LIST>.dq.spamhaus.net names as shown above.
I choose to use the Spamhaus multiplexed "Zen" list and define specific
weights for the different sublists. See spamhaus.org for the details of
how that works.
I have my own local DNSBL and the fully-automated PSBL valued at half of
the threshold value because they both can have mixed sources.
It remains useful to repeat the DNSBLs you use for Postscreen in
smtpd_*_restrictions reject_rbl_client directives, because Postscreen
DNS replies are strictly time-limited by Postscreen while those done
later use system resolver timeouts. Because both queries use the
system's resolver and any cache it provides, the second DNS query is
essentially free if the first query got a definitive reply. You can also
use DNSBLs in smtpd_*_restrictions lists that you need to be able to
make exceptions to, by having check_*_access directives ahead of them.
--
Bill Cole
[email protected] or [email protected]
(AKA @[email protected] and many *@billmail.scconsult.com
addresses)
Please keep discussion mailing list replies *on-list*
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
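Added illustration (not code from Bill Cole or from Postfix): a small scorer that parses a postscreen_dnsbl_sites value in the "domain[=filter][*weight]" form used above and sums the weights of every entry whose filter matches the DNSBL replies for one client, the way postscreen_dnsbl_threshold is evaluated. It assumes one weight per matching entry, that filters are a single address or a d.d.d.d/mask network, and it uses KEYPLACEHOLDER and local.dnsbl.invalid as placeholders for the redacted DQS key and local DNSBL name. It shows why a PSBL-only hit (weight 1) stays under the threshold of 2 while PSBL plus the local list, or any single Zen sublist hit, reaches it.

```python
import ipaddress
import re

# Constructed postscreen_dnsbl_sites value modelled on the post. KEYPLACEHOLDER
# stands in for the private Spamhaus DQS key and local.dnsbl.invalid for the
# redacted local DNSBL; both are placeholders, not real names.
DNSBL_SITES = """
KEYPLACEHOLDER.zen.dq.spamhaus.net=127.0.0.2*2
KEYPLACEHOLDER.zen.dq.spamhaus.net=127.0.0.3*2
KEYPLACEHOLDER.zen.dq.spamhaus.net=127.0.0.4*2
KEYPLACEHOLDER.zen.dq.spamhaus.net=127.0.0.10*2
KEYPLACEHOLDER.zen.dq.spamhaus.net=127.0.0.11*2
KEYPLACEHOLDER.zen.dq.spamhaus.net=127.0.0.30*2
KEYPLACEHOLDER.authbl.dq.spamhaus.net=127.0.0.20*2
korea.services.net=127.0.0.2*2 local.dnsbl.invalid=127.0.0.2*1
psbl.surriel.com=127.0.0.2*1
"""
THRESHOLD = 2  # postscreen_dnsbl_threshold from the post

# domain[=filter][*weight]; a negative weight would act as an allowlist entry
SITE_RE = re.compile(r"^([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?$")

def parse_sites(spec):
    """Split the whitespace/comma separated value into (domain, filter, weight)."""
    entries = []
    for item in re.split(r"[\s,]+", spec.strip()):
        m = SITE_RE.match(item)
        if not m:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {item!r}")
        domain, flt, weight = m.groups()
        entries.append((domain, flt, int(weight) if weight else 1))
    return entries

def reply_matches(flt, answers):
    """No filter: any reply counts. Otherwise the filter is d.d.d.d or d.d.d.d/mask."""
    if flt is None:
        return bool(answers)
    net = ipaddress.ip_network(flt, strict=False)
    return any(a in net for a in answers)

def postscreen_verdict(lookups, spec=DNSBL_SITES, threshold=THRESHOLD):
    """lookups: {dnsbl_domain: [A-record replies]} for one client. Every entry
    whose filter matches adds its weight; blocked when the sum reaches threshold."""
    score = 0
    for domain, flt, weight in parse_sites(spec):
        answers = [ipaddress.ip_address(a) for a in lookups.get(domain, [])]
        if reply_matches(flt, answers):
            score += weight
    return score, score >= threshold
```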