On 01/25/2018 02:19 PM, Reindl Harald wrote:
On 25.01.2018 at 20:45, David Jones wrote:
On 01/25/2018 01:19 PM, David Jones wrote:
On 01/25/2018 12:59 PM, Reindl Harald wrote:
On 25.01.2018 at 19:48, David Jones wrote:
Since very few sites can reject on SPF fails because SPF failures
are so prevalent on legit email, I don't think this is happening in
the real world.
says who?
check_recipient_access proxy:hash:/etc/postfix/skip_spf_check.cf
permit_dnswl_client dnswl-aggregate.thelounge.net=127.0.0.5
permit_dnswl_client wl.mailspike.net=127.0.0.[19;20]
permit_dnswl_client list.dnswl.org=127.0.[0..255].[2;3]
check_policy_service unix:private/spf-policy
You are excluding a ton of clients from SPF checks with that config.
How many total IPs are covered in your local
dnswl-aggregate.thelounge.net whitelist?
My policyd-spf runs from the Postfix master.cf to add headers to all
email for SA to examine.
If you are excluding hundreds of thousands of IPs in those 4 Postfix
config lines, then that's not a legitimate claim to be rejecting SPF
fails.
that's called a smart setup which prevents false-positives and using SPF
in the mid-stage where the spf-policyd for SPF_PASS does a "permit" and
hands over to the milters to save most of the generic stuff
You usually are very good with providing numbers so show us how many
rejects are happening from SPF failure out of the total volume of email
not much, but that's not because of the whitelists but because postscreen
filters out the majority long before smtpd even gets a connection
SPF_NONE which makes it to the milters gets a 0.5 penalty
current month
Connections: 215161
Postscreen WL: 20214 (9.39 %)
Delivered: 38684
Blocked: 176477
Invalid User: 858
Disallowed User: 16
Reject Postscreen: 90180
Reject Postfix: 6403
Reject Milter: 2188
Reject Temporary: 497
Greylisted: 1768
Blacklist: 89565
Pregreet: 75250
Hangup: 124674
Protocol Error: 118
Illegal Syntax: 2
SpamAssassin: 2184
Virus (Milter): 4
Virus (SA): 292
Helo: 263
Subject: 96
From: 20
Attachment: 1
Header Length: 5
Sender Regex: 1
Sender Blocked: 163
Sender Verify: 42
Sender Invalid: 61
Sender Spoofed: 46
Sender Parked: 0
Spam-TLD: 82
PTR Missing: 142
PTR Generic: 425
SPF: 155
It sounds like a good/solid setup but I am still thinking there are a
lot of potential SPF failures being excluded by those 4 Postfix lines.
How many mailboxes do you filter for? Those numbers seem rather low so
maybe a few hundred mailboxes?
--
David Jones
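
Added example (not code from either poster): a small model of how the three permit_dnswl_client lines quoted in this thread are evaluated in order before check_policy_service, using Postfix's documented reply-filter syntax. The client IPs and DNSWL answers are constructed, no DNS is queried, and the check_recipient_access table lookup is left out.

```python
import re

# The three DNSWL rules quoted in the thread: (zone, reply filter).
DNSWL_RULES = [
    ("dnswl-aggregate.thelounge.net", "127.0.0.5"),
    ("wl.mailspike.net", "127.0.0.[19;20]"),
    ("list.dnswl.org", "127.0.[0..255].[2;3]"),
]

def octet_matches(spec, value):
    """Match one octet against a number or a [a;b;c..d] pattern."""
    if spec.startswith("["):
        for part in spec[1:-1].split(";"):
            lo, _, hi = part.partition("..")
            if int(lo) <= value <= int(hi or lo):
                return True
        return False
    return int(spec) == value

def reply_matches(pattern, reply):
    """True if a DNSWL A-record reply satisfies a Postfix reply filter."""
    specs = re.findall(r"\[[^\]]*\]|\d+", pattern)
    octets = [int(o) for o in reply.split(".")]
    return len(specs) == 4 == len(octets) and all(
        octet_matches(s, o) for s, o in zip(specs, octets))

def first_match(dnswl_answers):
    """Walk the rules in order; return the zone that permits the client,
    or None if the client falls through to check_policy_service (SPF)."""
    for zone, pattern in DNSWL_RULES:
        if any(reply_matches(pattern, r) for r in dnswl_answers.get(zone, [])):
            return zone
    return None

# Constructed sample clients: zone -> A records a lookup might return.
SAMPLE_CLIENTS = {
    "192.0.2.10": {"wl.mailspike.net": ["127.0.0.19"]},
    "192.0.2.11": {"wl.mailspike.net": ["127.0.0.18"]},  # not in [19;20]
    "192.0.2.12": {"list.dnswl.org": ["127.0.5.2"]},
    "192.0.2.13": {"list.dnswl.org": ["127.0.5.1"]},     # last octet 1, filter wants 2 or 3
    "192.0.2.14": {},                                     # listed nowhere
}

def spf_checked(clients):
    """Clients that are not permitted early and so reach the SPF policy service."""
    return sorted(ip for ip, ans in clients.items() if first_match(ans) is None)

if __name__ == "__main__":
    print(spf_checked(SAMPLE_CLIENTS))
```

Feeding it the real DNSWL answers for a day's connecting clients would give the count the thread is arguing about: how many senders never reach the SPF policy service.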