On 09/13/2010 03:55 PM, Wietse Venema wrote:
Postscreen is a single Postfix 2.8 daemon that keeps spambots away
from Postfix SMTP server processes, so that more Postfix server
resources remain available for handling mail. It will hopefully
become part of the next stable Postfix release.

After adding DNSBL weights and filters two weeks ago, I rewrote
the remainder of postscreen in the past 1+ week, and spent the past
several days updating documentation so that people can actually
use this thing.  The re-born postscreen has been running on several
sites since the beginning of the weekend.

Postscreen now has a built-in SMTP protocol engine that allows it
to log the helo/sender/recipient of rejected mail.  With a few good
DNSBL lists, this can dramatically reduce the load on Postfix SMTP
servers (blocking mail without logging is not an option for everyone).

One cautionary note: postscreen is meant to handle mail from MTAs,
not end-user clients.  Its protocol tests are safe for properly-
implemented MTAs, but they have not been tested with end-user
systems.  Of course end-user systems should connect to the submission
port, not the port 25 that postscreen listens on...

See http://www.porcupine.org/postfix-mirror/POSTSCREEN_README.html
for an overview, configuration information and more.

The last code drop was postfix-2.8-20100913, which is the same code
as snapshot 20100912, but with a bunch of minor documentation fixes.

Be sure to review the RELEASE_NOTES file if you are upgrading from
an older postscreen version - the DNSBL implementation now reveals
the DNSBL domain name in SMTP replies, so it needs to be censored
to avoid disclosing ZEN etc. passwords.

        Wietse


Wietse,

Thanks for the update. I'm working on implementing this now; however, I'm a bit confused by the postscreen_dnsbl_reply_map option.

I know this is useful when you enable the DEEP checks, which I plan on doing, but I want to make sure I have the full concept behind the above parameter before I turn anything on.

I've not had to use anything involving a DNSBL and a password before so just curious what I'm missing.

Thanks for the hard work!

-Matt
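
An added example, not part of either message and not Postfix code: a small audit that reports which DNSBL name postscreen would put in an SMTP reply for each entry in postscreen_dnsbl_sites, given a postscreen_dnsbl_reply_map table. When the table has no entry for a domain, postscreen replies with the configured domain as-is, so a domain that embeds a query password is disclosed unless it is mapped. The domains, the key label `examplekey`, and the "key, whitespace, value" table text are constructed sample input.

```python
import re

# Constructed sample: the value of postscreen_dnsbl_sites from main.cf.
# "examplekey" stands in for a private DNSBL query password.
SITES = ("examplekey.zen.dnsbl.example*2, bl.other.example*1, "
         "b.third.example=127.0.0.2*1")

# Constructed sample: contents of the postscreen_dnsbl_reply_map table.
REPLY_MAP = """\
# actual DNSBL domain (with password)   name shown in SMTP replies
examplekey.zen.dnsbl.example            zen.dnsbl.example
"""

def parse_sites(value):
    """Return the DNSBL domains from entries of the form domain[=filter][*weight]."""
    domains = []
    for item in re.split(r"[,\s]+", value.strip()):
        if item:
            domains.append(item.split("*", 1)[0].split("=", 1)[0].lower())
    return domains

def parse_reply_map(text):
    """Parse 'key whitespace value' lines, skipping blanks and # comments."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            table[parts[0].lower()] = parts[1].strip()
    return table

def disclosed_names(sites_value, map_text):
    """Map each configured domain to the name a rejected client would see."""
    table = parse_reply_map(map_text)
    # No table entry means the configured domain itself is used in the reply.
    return {d: table.get(d, d) for d in parse_sites(sites_value)}

def unmapped(sites_value, map_text):
    """Domains that appear verbatim in replies; review these for embedded keys."""
    table = parse_reply_map(map_text)
    return [d for d in parse_sites(sites_value) if d not in table]

if __name__ == "__main__":
    for domain, shown in disclosed_names(SITES, REPLY_MAP).items():
        print(f"{domain:34} -> reply shows {shown}")
    print("verbatim in replies:", ", ".join(unmapped(SITES, REPLY_MAP)))
```

Any domain listed as verbatim that carries a password needs its own line in the reply map table.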
