On Aug 4, 2012, at 10:08 AM, /dev/rob0 wrote:

> I'm not addressing the subject of the post, but just picking over the 
> configuration snippet.
> 
> On Wed, Aug 01, 2012 at 09:48:45PM -0500, Chad M Stewart wrote:
>> [root@mta01 /usr/local/etc/postfix]# postconf -n|grep postscreen
> [snip]
>> postscreen_client_connection_count_limit = 10
> 
> I'm not sure why you did this. Some MTAs, notably qmail, are likely 
> to assault you with many simultaneous connections. This non-default 
> setting might cause difficulty at times in receiving legitimate mail, 
> albeit from impolite clients.

To limit impolite clients from sucking up my resources.  Just because they want 
to use a fire hose doesn't mean I have to drink at that rate.  If a sending 
system needs more than 10 connections, then maybe they'd better fix their queue 
algorithm.  Starting up and tearing down a connection consumes resources.  More 
efficient to send more than a single message over a connection.  


> 
>> postscreen_dnsbl_sites = sbl.spamhaus.org*1, xbl.spamhaus.org*1, 
>> pbl.spamhaus.org*1
>> postscreen_dnsbl_threshold = 1
> 
> This makes no sense. You make three queries, risking going over the 
> Spamhaus free limit, or your company's paid limit as the case may be, 
> gaining nothing over doing a single Zen lookup.

I'm testing things out.  I'll have to figure out how I can get at the response 
from spamhaus so that I can block/accept as I wish.  I may have a need to not 
block IPs on the PBL list, so if I query zen, then I've got to check the 
response and act accordingly.  I'm not sure how to do that within 
Postfix/postscreen yet.

> 
> Consider a higher threshold and enough lower-scored DNSBLs to be able 
> to reach it. I use postscreen_dnsbl_threshold=3, and score Zen 3. My 
> configuration is essentially what I have posted here in the past.
> 
>> postscreen_greet_banner = "Welcome to our mail server"
> 
> This is non-compliant and a bad idea.

That is prepended to the banner; the banner becomes a multi-line response, with 
the last line being the FQDN of the host.


-Chad


> -- 
>  http://rob0.nodns4.us/ -- system administration and consulting
>  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

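The question raised above (how to treat Zen's PBL answers differently from its SBL/XBL answers within postscreen) and the reply about using a higher threshold with weighted lists are two sides of the same mechanism, so here is one added, runnable example that is not from this thread or from Postfix itself. It models postscreen's DNSBL scoring: Postfix 2.8 and later accept reply filters in `postscreen_dnsbl_sites` of the form `domain=d.d.d.d*weight`, where an octet may be a range `[m..n]` or a list `[m;n]`, and `postscreen_dnsbl_threshold` is an inclusive lower bound for rejection. The `PROPOSED_SITES` value is a hypothetical alternative config, the Zen return codes are the ones Spamhaus documents, the DNS replies are constructed, and the rule that each entry counts at most once per client is a simplification of postscreen's own accounting.

```python
import re

# Constructed sample data. Spamhaus Zen return codes, as documented by Spamhaus:
# 127.0.0.2-3 = SBL, 127.0.0.4-7 = XBL, 127.0.0.10-11 = PBL.
# ORIGINAL_SITES is the value from the thread; PROPOSED_SITES is a hypothetical
# alternative in which a PBL-only hit stays below the threshold on its own.
ORIGINAL_SITES = "sbl.spamhaus.org*1, xbl.spamhaus.org*1, pbl.spamhaus.org*1"
ORIGINAL_THRESHOLD = 1
PROPOSED_SITES = "zen.spamhaus.org=127.0.0.[2..7]*3, zen.spamhaus.org=127.0.0.[10;11]*1"
PROPOSED_THRESHOLD = 3


def parse_sites(value):
    """Parse a postscreen_dnsbl_sites value into (domain, reply_filter, weight).

    Syntax modelled: domain[=d.d.d.d][*weight]; an octet in the filter may be a
    single number, a range [m..n] or a list [m;n]. Weight defaults to 1.
    """
    entries = []
    for item in re.split(r"[\s,]+", value.strip()):
        if not item:
            continue
        weight = 1
        if "*" in item:
            item, weight_text = item.rsplit("*", 1)
            weight = int(weight_text)
        domain, _, reply_filter = item.partition("=")
        entries.append((domain, reply_filter or None, weight))
    return entries


def _octet_set(token):
    """Expand one filter octet ('4', '[2..7]' or '[10;11]') into a set of ints."""
    if token.startswith("[") and token.endswith("]"):
        inner = token[1:-1]
        if ".." in inner:
            low, high = inner.split("..")
            return set(range(int(low), int(high) + 1))
        return {int(part) for part in inner.split(";")}
    return {int(token)}


def filter_matches(reply_filter, address):
    """True if a DNSBL A record matches the entry's reply filter (None = any)."""
    if reply_filter is None:
        return True
    tokens = re.findall(r"\[[^\]]*\]|\d+", reply_filter)
    octets = [int(part) for part in address.split(".")]
    if len(tokens) != 4 or len(octets) != 4:
        return False
    return all(octet in _octet_set(tok) for tok, octet in zip(tokens, octets))


def score(entries, replies):
    """Sum the weights of entries matched by the replies (domain -> A records).

    Simplification of postscreen's accounting: each configured entry contributes
    its weight at most once per client, however many A records match it.
    """
    total = 0
    for domain, reply_filter, weight in entries:
        if any(filter_matches(reply_filter, addr) for addr in replies.get(domain, [])):
            total += weight
    return total


def evaluate(sites_value, threshold, replies):
    """Return (total score, verdict); the threshold is inclusive, as in postscreen."""
    total = score(parse_sites(sites_value), replies)
    return total, ("reject" if total >= threshold else "pass")


if __name__ == "__main__":
    # Constructed DNS replies for three kinds of connecting client: the first
    # dict is what the three separate lists would answer, the second what Zen would.
    cases = {
        "PBL-only host (dynamic IP, otherwise clean)": (
            {"pbl.spamhaus.org": ["127.0.0.10"]},
            {"zen.spamhaus.org": ["127.0.0.10"]},
        ),
        "SBL-listed host on a PBL range": (
            {"sbl.spamhaus.org": ["127.0.0.2"], "pbl.spamhaus.org": ["127.0.0.10"]},
            {"zen.spamhaus.org": ["127.0.0.2", "127.0.0.10"]},
        ),
        "unlisted host": ({}, {}),
    }
    for label, (separate, zen) in cases.items():
        print(label)
        print("  three lists, threshold 1:", evaluate(ORIGINAL_SITES, ORIGINAL_THRESHOLD, separate))
        print("  zen filters, threshold 3: ", evaluate(PROPOSED_SITES, PROPOSED_THRESHOLD, zen))
```

Two entries that name the same domain cost one DNS query, so the filtered Zen form answers the PBL question while cutting the lookups from three to one; only a combined hit (here SBL or XBL, or either together with PBL) reaches the threshold, and a PBL-only client passes the DNSBL test.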