On 16 Aug 2013, at 07:13, Grant <[email protected]> wrote:
>>>> Use a dns white list with a negative score in the
>>>> postscreen_dnsbl_sites, and set a negative value for
>>>> postscreen_dnsbl_whitelist_threshold. Simple example:
>>>> # main.cf
>>>> postscreen_dnsbl_sites = zen.spamhaus.org list.dnswl.org*-1
>>>> postscreen_dnsbl_whitelist_threshold = -1
>>>
>>> I've added the following to main.cf:
>>>
>>> postscreen_dnsbl_sites = list.dnswl.org*-1
>>> postscreen_dnsbl_whitelist_threshold = -1
>>>
>>> Thank you for your help!
>>
>> Yes, that should whitelist known good sites from deep inspection,
>> certainly all the big mailers such as google, yahoo, comcast, etc.
>>
>> However, I wonder why you don't have any dns blacklists such as
>> zen.spamhaus.org defined there. The ability of postscreen to reject
>> known bad sites without using precious smtpd processes is one of its
>> key features.
>
> I would just rather have a false negative than a false positive. I
> get a pretty small amount of spam at this point so I don't think
> reducing it further is worth increasing the chances of a false
> positive.

zen is, for all practical purposes, perfect. You will not get false positives as everyone in zen is either a confirmed spammer or in the PBL (policy block list). That is to say, no one in zen should be connecting to your mailserver to send mail, ever.

<http://www.spamhaus.org/zen/>

zen blocks these categories:

SBL  Direct UBE sources, spam operations & spam services
CSS  Direct snowshoe spam sources detected via automation
CBL  (3rd party exploits such as proxies, trojans, etc.)
PBL  End-user Non-MTA IP addresses set by ISP outbound mail policy

SBL and CSS are confirmed spammers. CBL are confirmed exploited machines. PBL are IPs that the IP owner has classified as not allowed to send mail directly.

Blocking all of those is perfectly safe.

--
If lawyers are disbarred and clergymen defrocked, doesn't it follow that electricians can be delighted, musicians denoted?
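
Added example, not part of the original thread or of Postfix: a simplified offline model of how postscreen combines the weights in postscreen_dnsbl_sites, comparing the two settings quoted above for a few constructed clients. It assumes the default postscreen_dnsbl_threshold of 1, does not model reply filters or real DNS lookups, and the function names are hypothetical.

```python
# Added illustration: simplified model of postscreen's combined DNSBL score.
# Reply filters (domain=127.0.0.x) and real DNS lookups are not modelled.

def parse_sites(value):
    """Parse a postscreen_dnsbl_sites value into {domain: weight}."""
    sites = {}
    for entry in value.replace(",", " ").split():
        domain, _, weight = entry.partition("*")
        if "=" in domain:
            raise ValueError("reply filters are not modelled: " + entry)
        sites[domain.lower()] = int(weight) if weight else 1  # default weight is 1
    return sites


def evaluate(sites_value, listed_in, dnsbl_threshold=1, whitelist_threshold=0):
    """Return (score, verdict) for a client that appears on the lists in listed_in."""
    sites = parse_sites(sites_value)
    score = sum(w for d, w in sites.items() if d in listed_in)
    if score >= dnsbl_threshold:
        verdict = "fail"        # then handled according to postscreen_dnsbl_action
    elif whitelist_threshold < 0 and score <= whitelist_threshold:
        verdict = "whitelist"   # remaining postscreen tests are skipped
    else:
        verdict = "continue"    # the other postscreen tests still apply
    return score, verdict


# The two settings from the thread.
DNSWL_ONLY = "list.dnswl.org*-1"
ZEN_AND_DNSWL = "zen.spamhaus.org list.dnswl.org*-1"

# Constructed clients: the set of DNS lists each one appears on.
CLIENTS = {
    "big mailer": {"list.dnswl.org"},
    "zen-listed host": {"zen.spamhaus.org"},
    "unlisted host": set(),
    "on both lists": {"zen.spamhaus.org", "list.dnswl.org"},
}


def compare():
    """Evaluate every constructed client under both settings."""
    return {
        name: tuple(evaluate(cfg, listed, whitelist_threshold=-1)
                    for cfg in (DNSWL_ONLY, ZEN_AND_DNSWL))
        for name, listed in CLIENTS.items()
    }


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:16} dnswl only: {a}   zen + dnswl: {b}")
```

With the whitelist-only setting a zen-listed host scores 0 and simply continues to the remaining tests; with zen added it fails the DNSBL test, while a host on both lists nets 0 and is neither failed nor whitelisted.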
