On 26 May 2018, at 23:27, Voytek <li...@sbt.net.au> wrote:
> On Sun, May 27, 2018 3:22 am, /dev/rob0 wrote:
>
>> The obvious solution, if dnsbl.spfbl.net is blocking real mail, is to
>> stop using that list, or possibly to lower its score below your [unstated]
>> threshold score.
>
> Thanks for all replies and comments!
>
> I guess my starting point should be that, lower the score?

No, your starting point should be to not use an RBL if you don’t know what it is doing.

Blacklisting a domain for not having a valid rDNS is something you can do right in postfix, without needing to reach out to an RBL. reject_unknown_reverse_client_hostname or reject_unknown_client_hostname, but these have significant impact on some servers for legitimate mail. You can search the archives (or google) for various discussions on these two settings, how they differ, and which you might want to use, if either.

> postscreen_dnsbl_sites = zen.spamhaus.org*5, psbl.surriel.com*2,
> bl.spamcop.net*2, dnsbl.spfbl.net*2,
> db.wpbl.info, dnsbl.dronebl.org, pofon.foobar.hu,
> bl.ipv6.spameatingmonkey.net*2,dnsbl6.anticaptcha.net,
> bl.spameatingmonkey.net*2, bl.mailspike.net, b.barracudacentral.org*2,
> dnsbl.sorbs.net, ubl.unsubscore.com, truncate.gbudb.net,
> list.dnswl.org*-3, zz.countries.nerd.dk=127.0.3.58*-1

Treating all replies from the RBLs as the same is, IMHO, a mistake. This is what I have:

postscreen_dnsbl_threshold = 9
postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[4..11]*9
    hostkarma.junkemailfilter.com=127.0.0.2*5
    zen.spamhaus.org=127.0.0.[2..3]*4
    hostkarma.junkemailfilter.com=127.0.0.3*2
    hostkarma.junkemailfilter.com=127.0.2.1*4
    hostkarma.junkemailfilter.com=127.0.2.2*2
    hostkarma.junkemailfilter.com=127.0.0.2*4
    hostkarma.junkemailfilter.com=127.0.1.2*4
    hostkarma.junkemailfilter.com=127.0.0.1*-4
    hostkarma.junkemailfilter.com=127.0.0.5*-2
    hostkarma.junkemailfilter.com=127.0.2.3*-2

For example, I score zen differently for 127.0.0.2-3 (much lower) than for 4-11. (.2 is the SBL which hits more ‘false’ positives than the other for my mailstream and .3 is similar) while 4-11 are servers that should never be sending mail (DHCP ISP machines, exploited servers, etc).

I *do not* recommend you copy/paste these into your setup.
For one thing, I haven’t evaluated them in quite a while since zen hits nearly everything that gets blocked, so I’m not really sure how the downstream ones are performing right now, but mostly because every server is a bit different.

--
Like the moment when the brakes lock/And you slide towards the big truck/You stretch the frozen moments with your fear
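
Added example (not part of the original message and not Postfix code): a small Python model of how postscreen adds up weighted, reply-filtered DNSBL hits and compares the total with postscreen_dnsbl_threshold, using the settings quoted in the message above. The function names and the `replies` inputs are constructed for illustration, and the model assumes every matching entry adds its weight once, however many replies match it.

```python
import re

# Settings copied from the message above; everything else here is illustrative.
THRESHOLD = 9
SITES = """
zen.spamhaus.org=127.0.0.[4..11]*9 hostkarma.junkemailfilter.com=127.0.0.2*5
zen.spamhaus.org=127.0.0.[2..3]*4 hostkarma.junkemailfilter.com=127.0.0.3*2
hostkarma.junkemailfilter.com=127.0.2.1*4 hostkarma.junkemailfilter.com=127.0.2.2*2
hostkarma.junkemailfilter.com=127.0.0.2*4 hostkarma.junkemailfilter.com=127.0.1.2*4
hostkarma.junkemailfilter.com=127.0.0.1*-4 hostkarma.junkemailfilter.com=127.0.0.5*-2
hostkarma.junkemailfilter.com=127.0.2.3*-2
"""
ENTRY = re.compile(r"^([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?$")

def parse_sites(text):
    """Split on commas/whitespace into (domain, octet patterns or None, weight)."""
    sites = []
    for item in re.split(r"[,\s]+", text.strip()):
        domain, filt, weight = ENTRY.match(item).groups()
        pats = re.findall(r"\[[^\]]*\]|\d+", filt) if filt else None
        sites.append((domain, pats, int(weight or 1)))  # default weight is 1
    return sites

def octet_matches(pattern, value):
    """Match one octet against 'N' or a '[a;b;c..d]' pattern."""
    for part in pattern.strip("[]").split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def score(sites, replies):
    """replies maps a DNSBL domain to the A records it returned for the client."""
    total = 0
    for domain, pats, weight in sites:
        for addr in replies.get(domain, []):
            octets = [int(o) for o in addr.split(".")]
            # An entry without a filter matches any reply from that list.
            if pats is None or all(map(octet_matches, pats, octets)):
                total += weight  # an entry counts once, however many replies match
                break
    return total

def blocked(replies, sites=parse_sites(SITES)):
    """True when the combined score reaches the threshold."""
    return score(sites, replies) >= THRESHOLD
```

With these weights a single zen reply in 127.0.0.[4..11] reaches the threshold on its own, while a 127.0.0.[2..3] reply needs corroboration from another list, and a negative-weight entry can pull a client back under the threshold.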