On 19 October 2017 at 10:48, Seb <s...@h-k.fr> wrote:

>
> ...
> Typically, mail sent to <firstname>.<lastname>@<mydomain> is redirected
> to <firstname>.<lastname>@gmail.com, the usual email address of the
> author.
>
> I've been using this for 15+ years and it's been great. Unfortunately, I'm
> losing the war against spam. In spite of careful configuration of Postfix,
> the use of Postgrey and hand-drawn blacklists, too much spam passes
> through. What my server regards as legitimate email (but is sometimes spam)
> gets resent to sites such as GMail which, in turn, tend to flag all email
> from my domain as spam, even legitimate emails. And this is starting to
> jeopardize my communication with the rest of the world.
> ..
>

I relay successfully to Gmail with some small domains. My setup in outline
is:

   - emails from unauthenticated non-local senders are rejected unless to a
   known approved recipient
   - many external rbls (requires local DNS server [bind] with forwarding -
   but with forwarding disabled for rbl zones)
   - python-policyd-spf (adds header for review by opendmarc)
   - opendkim (tests 'incoming' emails and adds header for review by
   opendmarc, signs 'outgoing' emails)
   - opendmarc - with enforcement for 'incoming' emails
   - reject_unknown_reverse_client_hostname
   - amavisd-new - uses Spamassassin (with use_bayes 0), ClamAV (with
   Sanesecurity), razor, pyzor
   - bespoke filtering by ip, sender name, client/host name, helo name,
   headers
   - fail2ban (tweaked 'dovecot' and bespoke 'postfix-failedauth' jails)
   - relay-enforcer (bespoke, requires fail2ban and short-term local backup
   of emails)
   - permanent ip banning via ufw for repeat fail2ban or unresolved
   hostname offenders (bespoke)

Some of this is bespoke but much of it is easily replicated. I recently
gave up using postgrey because the delayed delivery drove users mad.

I realise this doesn't answer your question, but it may suggest a different
way forward.
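
A configuration sketch of several items from the outline above, added here as an example and not the poster's actual configuration. The RBL zone, the map path, the milter ports and the amavis port are assumptions chosen for illustration.

```conf
# ---- /etc/postfix/main.cf (fragment, constructed example) ----

# Refuse clients whose IP address has no PTR record, then consult an RBL.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_reverse_client_hostname,
    reject_rbl_client zen.spamhaus.org

# Local and authenticated senders pass. Everyone else is SPF-checked and
# then accepted only for recipients listed in the map (assumed path), with
# map lines of the form:  firstname.lastname@example.org  OK
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf,
    check_recipient_access hash:/etc/postfix/approved_recipients,
    reject

# For python-policyd-spf to add a header instead of rejecting, set in
# policyd-spf.conf:  HELO_reject = False  and  Mail_From_reject = False

# opendkim then opendmarc as milters (ports are assumptions); opendmarc
# reads the SPF and DKIM result headers added earlier in the chain.
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

# Hand accepted mail to amavisd-new (SpamAssassin, ClamAV, razor, pyzor).
content_filter = smtp-amavis:[127.0.0.1]:10024

# ---- /etc/bind/named.conf.local (fragment, constructed example) ----

# The global "forwarders" setting in named.conf.options stays in place.
# An empty forwarders list turns forwarding off for this one zone, so RBL
# queries are resolved directly from this server, not via the upstream
# resolver. Repeat the stanza for each RBL zone in use.
zone "zen.spamhaus.org" {
    type forward;
    forwarders { };
};
```

After editing the recipient map, rebuild it with `postmap` and reload Postfix; `named-checkconf` validates the BIND fragment before a reload.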
