Thank you, a lot to get started with :-) One thing before I start myself...
I use spamhaus in rspamd, should I move them to postscreen? Or maybe use them in both places like you suggest, I guess that they will be "free" here also(?)

Thanks again!
Danjel

On 10 March 2026 20:01:20 CET, Bill Cole via Postfix-users <[email protected]> wrote:
>On 026-03-10 at 13:45:01 UTC-0400 (Tue, 10 Mar 2026 18:45:01 +0100)
>Danjel Jungersen via Postfix-users <[email protected]>
>is rumored to have said:
>
>> Postscreen....
>> I will have to do some reading, any suggestion? Both regarding places to
>> learn
>
>Use it. Read the official documentation. There's a README on Postscreen and a
>man page, plus definitions of relevant settings in the postconf(5) man page.
>
>DO NOT try to find random unofficial how-tos for Postfix on the web. Many
>exist, many are correct, but many are also obsolete and/or simply wrong. These
>days, much of the most dangerously wrong technical "documentation" is actually
>generated by LLMs making ridiculous errors that seem plausible.
>
>> and working setups.
>>
>> I wish to reduce spam, but my major concern is (close to) zero false
>> positives...
>
>Enable the before-greeting tests, avoid the after-greeting tests unless you
>understand that they create a de facto greylisting system and are willing to
>tolerate the resulting delays.
>
>Use DNSBLs in postscreen that focus on bots, NOT mixed legit sources.
>
>My non-default postscreen settings:
>
>
>postscreen_denylist_action = drop
>postscreen_disable_vrfy_command = yes
>postscreen_greet_action = drop
>postscreen_greet_wait = ${stress?{2}:{6}}s
>postscreen_whitelist_interfaces = !127.0.0.2,static:all
>postscreen_dnsbl_action = enforce
>postscreen_dnsbl_reply_map = texthash:/usr/local/etc/postfix/dnsbl_reply
>postscreen_dnsbl_sites = <KEYREDACTED>zen.dq.spamhaus.net=127.0.0.2*2
><KEYREDACTED>zen.dq.spamhaus.net=127.0.0.3*2
><KEYREDACTED>zen.dq.spamhaus.net=127.0.0.4*2
><KEYREDACTED>zen.dq.spamhaus.net=127.0.0.10*2
><KEYREDACTED>zen.dq.spamhaus.net=127.0.0.11*2
><KEYREDACTED>zen.dq.spamhaus.net=127.0.0.30*2
><KEYREDACTED>authbl.dq.spamhaus.net=127.0.0.20*2
>korea.services.net=127.0.0.2*2 <LOCALDNSBLREDACTED>=127.0.0.2*1
>psbl.surriel.com=127.0.0.2*1
>postscreen_dnsbl_threshold = 2
>postscreen_dnsbl_ttl = 10m
>
>NOTE: If you have not registered for Data Feed access with Spamhaus, you
>should do so, which gets you a private 'key' for queries via any resolver. If
>you choose not to do so, you MUST query Spamhaus lists with
><LIST>.spamhaus.org base names instead of the <KEY>.<LIST>.dq.spamhaus.net
>names as shown above.
>
>I choose to use the Spamhaus multiplexed "Zen" list and define specific
>weights for the different sublists. See spamhaus.org for the details of how
>that works.
>
>I have my own local DNSBL and the fully-automated PSBL valued at half of the
>threshold value because they both can have mixed sources.
>
>It remains useful to repeat the DNSBLs you use for Postscreen in
>smtpd_*_restrictions reject_rbl_client directives, because Postscreen DNS
>replies are strictly time-limited by Postscreen while those done later use
>system resolver timeouts. Because both queries use the system's resolver and
>any cache it provides, the second DNS query is essentially free if the first
>query got a definitive reply. You can also use DNSBLs in smtpd_*_restrictions
>lists that you need to be able to make exceptions to, by having check_*_access
>directives ahead of them.
>
>
>
>
>--
> Bill Cole
> [email protected] or [email protected]
> (AKA @[email protected] and many *@billmail.scconsult.com addresses)
> Please keep discussion mailing list replies *on-list*
> Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
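
Added example, not part of the thread and not Postfix code: a simplified Python model of the weighted scoring behind the quoted postscreen_dnsbl_sites and postscreen_dnsbl_threshold settings, showing why a list weighted at half the threshold cannot fail a client on its own. It assumes exact d.d.d.d reply filters only; zen.spamhaus.org (the keyless base name) and dnsbl.example.invalid (a placeholder for the redacted local list) are stand-ins, and the reply sets are constructed.

```python
# Added illustration: simplified model of postscreen DNSBL scoring.
# Only exact d.d.d.d reply filters are modelled, not [..] patterns.
from ipaddress import IPv4Address


def parse_sites(text):
    """Parse domain[=d.d.d.d][*weight] entries into (domain, reply, weight)."""
    entries = []
    for item in text.replace(",", " ").split():
        site, _, weight = item.partition("*")
        domain, _, reply = site.partition("=")
        if reply:
            IPv4Address(reply)  # raises ValueError on a malformed filter
        entries.append((domain.lower(), reply or None, int(weight or 1)))
    return entries


def score(entries, replies):
    """Add each matching entry's weight once.

    replies maps a DNSBL domain to the set of A records it returned; a
    missing or empty set means not listed or no answer within the time limit.
    """
    total = 0
    for domain, reply, weight in entries:
        answers = replies.get(domain, set())
        if answers and (reply is None or reply in answers):
            total += weight
    return total


def dnsbl_test_fails(entries, replies, threshold):
    """True when the score reaches the threshold (postscreen_dnsbl_threshold)."""
    return score(entries, replies) >= threshold


# Constructed sample. zen.spamhaus.org is the keyless base name and
# dnsbl.example.invalid is a placeholder for the redacted local list.
ENTRIES = parse_sites("""
    zen.spamhaus.org=127.0.0.4*2 zen.spamhaus.org=127.0.0.10*2
    dnsbl.example.invalid=127.0.0.2*1 psbl.surriel.com=127.0.0.2*1
""")
THRESHOLD = 2

if __name__ == "__main__":
    psbl = {"psbl.surriel.com": {"127.0.0.2"}}
    both = {**psbl, "dnsbl.example.invalid": {"127.0.0.2"}}
    for replies in (psbl, both, {"zen.spamhaus.org": {"127.0.0.4"}}):
        print(score(ENTRIES, replies), dnsbl_test_fails(ENTRIES, replies, THRESHOLD))
```

A reply that matches none of the configured filters adds nothing to the score, which is why each Zen sublist gets its own explicit entry in the quoted settings.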
