Hello, I've read the official documentation on Postfix postscreen
several times, however I still have a few open questions:

1. Tests after the 220 SMTP server greeting

Am I correct in thinking that the following tests should not be enabled:

   postscreen_pipelining_enable
   postscreen_non_smtp_command_enable
   postscreen_bare_newline_enable

because:

a) Spam bots can easily implement correct protocol behavior.

b) The above tests force the SMTP clients to reconnect at a later
   time, which can cause issues with large email providers which
   reconnect from different IP addresses. There seems to be no good
   way to solve the issue apart from manually allowlisting those
   clients.

Do most Postfix admins simply avoid those tests these days?

2. DNSBL sites

The postscreen_dnsbl_sites can be used to dynamically reject clients
which may be sending spam. I am uneasy about using these sites for
various reasons:

a) I've seen numerous complaints about DNSBL sites rejecting
   legitimate email.

b) Sites like spamhaus.org implement various restrictions (no
   commercial use, no queries from public DNS servers, etc) unless you
   pay for a subscription.

c) Privacy concerns about sharing the IP addresses of all SMTP
   clients with DNSBL sites. They can potentially build a profile of
   SMTP clients interacting with my server.

I'm currently not an email infrastructure admin, but will need to pick
this up in the near future, as I don't want to rely on third party
email providers.

The question I keep asking myself - is it possible to block around 90%
of spam with Postfix postscreen + various Postfix smtp restrictions,
and without relying on DNSBLs or complicated external spam filters?

I would prefer to keep email server design simple and robust, hence no
SQL, LDAP, Rspamd, etc. just Postfix + Dovecot.

Thanks.