On 5 Mar 2018, at 3:59, Karol Augustin wrote:

On 2018-03-05 6:39, Bill Cole wrote:
On 3 Mar 2018, at 14:25, J Doe wrote:

Should I then continue to use postscreen for the zombie detection but then move my DNSRBL entries to smtpd restrictions?

Apologies for belabouring the point - I’m just not understanding.

Not all DNSBLs are equivalent. SOME are suited for use in postscreen
as absolute bans, e.g. Spamhaus Zen. The postscreen DNSBL
configuration should be designed to only block IPs that *only* send
spam. There are DNSBLs designed to be hyper-sensitive, to not give any
sender a free pass, and to generate occasional collateral damage.
There are DNSBLs designed to be used in complex anti-spam systems and
NOT as a unilateral basis for blocking. Those sorts of DNSBL should
not be used in postscreen with a score at or above
postscreen_dnsbl_threshold.

Hi Bill,

Would you mind sharing which RBLs you recommend to use in postscreen?

postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.2*2
    zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
    zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2
    psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1
postscreen_dnsbl_threshold = 2

For my own system I also use 2 local DNSBLs scored at 1 (both are full of non-spam sources by design) and reuse all of those and more in smtpd, with whitelisting of various sorts to protect mail that needs protecting. That's a bespoke config that isn't suitable for most sites. (And those local DNSBLs tell intentional lies to the outside world anyway.)
