Thank you for your reply and tips :-)

> 
> Your content_filter only applies to MX mail on port 25.
> 

Yes, I want to use bogofilter only for incoming mail from other mail servers. 
It's configured with a global sieve rule to move spam e-mails to the Spam folder 
for each mailbox. Dovecot is configured so that when a user moves an e-mail from 
Inbox to Spam or the opposite, bogofilter is trained with new ham or spam keywords. 
Also, ham/spam messages are forwarded from all the servers to antis...@example.com 
(using a script that forwards the original messages as attachments) and using 
another script I train a global bogofilter database which every few days I 
copy to all the servers. This way I get good results and only a few false 
positives.

> 
> Perhaps what you want is for the other host to be the MSA (mail 
> submission agent), and do not accept submission here?
> 

I want to accept submission on server1.example.com as it's easier for end users 
to use the same hostname for SMTP, POP3 and IMAP.

> 
> This is your content_filter.  You're using a script, but better 
> practice would probably be to use smtp.  And of course SMTP doesn't 
> have to be local; your filter could be elsewhere.

Do you have a link with instructions for doing it with SMTP instead of a script? 
Maybe I can set up another server for incoming filtering (bogofilter) which is 
used by all the servers, so I avoid copying the bogofilter database every few 
days to all the servers.

> 
> Check out amavisd-new as a better means of content filtering.  This 
> also gives you a means of applying different filtering depending on 
> origin: the spam filtering needed for submission differs from that 
> which makes sense on your MX stream.
> 

Maybe I can use MailScanner (hosted on another server) for incoming messages too. 
It filters spam, viruses, bad attachment extensions and some more things.

> 
> You can do this by changing the server name your users use for their 
> submission server to point to this relayhost instead.  It could 
> possibly be a painless change for the users.
> 

The same hostname is used for other things too, for example FTP. So changing 
the server1.example.com hostname and pointing it to the smtp.example.com IP is not 
possible without causing frustration to users.


> Note: I am supposing you have a large number of users, because this 
> level of complexity does not make sense for a small number.
> 

Yes, there are more than 60.000 mail accounts split across 55 servers. These servers 
do shared hosting (www, ftp, dns, mail, mysql, php).

> 
> I don't consider spamcop safe for outright rejection, at least not 
> without DNSWL whitelisting.  Also, CBL is part of Zen, so this is a 
> wasted lookup.  And postscreen has been around for many years now, 
> you should look at it:
> 

I removed CBL from checks.

To add DNSWL whitelisting I have to add under smtpd_recipient_restrictions and 
before the RBL checks:

permit_dnswl_client list.dnswl.org

Is this right?

> http://www.postfix.org/POSTSCREEN_README.html
> http://rob0.nodns4.us/postscreen.html

I will check this too. I didn't mention it but I also use postgrey 
(greylisting). If I can get good results with postscreen maybe I can remove 
postgrey.

> You should force all submission through submission/submissions 
> services, or as mentioned above, through a separate MSA.  You don't 
> want to accept submission on port 25.

I know this, but some old clients are configured for submission on port 25. Also 
some sites use port 25 for contact forms and transactional e-mails. Maybe it's 
time to send them a mass e-mail and notify them to change their submission port 
to 587, and after some time to remove submission on port 25.


>> smtpd_sasl_type = dovecot
>> smtpd_sender_restrictions = reject_unlisted_sender, 
>> permit_sasl_authenticated,
>>    reject_non_fqdn_sender, check_sender_access
>>    hash:/usr/local/etc/postfix/sender_access, reject_unknown_sender_domain,
>>    permit
>> smtpd_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
>> smtpd_tls_ask_ccert = yes
> 
> why?

A few years ago I was using postfix for SASL authentication. After upgrading 
postfix to a new version the quota patch was not working (the developer abandoned 
it), so I changed it to dovecot authentication because dovecot has a plugin for 
mailbox quota. So these settings are not required any more, right?

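The two configuration points raised in this exchange (where permit_dnswl_client sits relative to the RBL lookups in smtpd_recipient_restrictions, and moving submission off port 25 onto a dedicated port-587 service) are illustrated below in an added main.cf/master.cf fragment. It is an example written for this page, not the poster's configuration or anything from the thread; the choice of DNS lists, the weights, and the FreeBSD-style chroot column are assumptions. It also goes slightly beyond the thread by showing postscreen scoring the same lists, since that is the point of the POSTSCREEN_README link quoted above.

```conf
# ---- main.cf (added example, not the poster's configuration) ----

# Policy for MX mail on port 25. permit_dnswl_client is evaluated before
# reject_rbl_client, so a DNSWL-listed client is never rejected by a
# blocklist lookup. reject_unauth_destination stays ahead of every
# "permit" that a remote client could trigger, so the server cannot
# become an open relay whatever the whitelist returns.
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_dnswl_client list.dnswl.org
    reject_rbl_client zen.spamhaus.org
    permit

# postscreen in front of smtpd (POSTSCREEN_README). Lists are scored
# rather than used for outright rejection: a listing on a single,
# less-trusted list cannot reach the threshold on its own, and a DNSWL
# listing subtracts from the score. Weights are assumed values.
postscreen_access_list    = permit_mynetworks
postscreen_dnsbl_sites =
    zen.spamhaus.org*2
    bl.spamcop.net*1
    list.dnswl.org*-1
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action    = enforce
postscreen_greet_action    = enforce

# ---- master.cf (added example) ----
# Port 25 is answered by postscreen, which hands good clients to smtpd.
# Port 587 requires STARTTLS and SASL, relays only for authenticated
# users, and skips the inbound content_filter (bogofilter is meant for
# MX mail only, as stated in the thread).
smtp       inet  n  -  n  -  1  postscreen
smtpd      pass  -  -  n  -  -  smtpd
dnsblog    unix  -  -  n  -  0  dnsblog
tlsproxy   unix  -  -  n  -  0  tlsproxy
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o content_filter=
```

After editing, `postconf -n` and `postconf -Mf` print the effective main.cf and master.cf settings so the ordering of the restrictions can be read back, and `postfix check` reports syntax problems before a reload. The separate syslog_name on the submission service makes port-587 traffic easy to tell apart from MX traffic in the mail log, which is what lets you measure how many clients are still submitting on port 25 before that path is closed.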