[Linux-aus] SPF problems too

Noel Butler noel.butler at ausics.net
Wed Mar 2 08:21:00 AEDT 2016


On 02/03/2016 00:23, Steve Walsh wrote:

> Hello Russell
> 
> On 03/02/2016 12:23 AM, Russell Coker wrote: 
> 
>> Wouldn't it make more sense to have greylisting running on the addresses that 
>> aren't for subscriber-only lists?  When a list only allows subscribers to post 
>> it won't benefit from greylisting.
> 
> Taking an example transaction from wikipedia (it's on the internet, it must be true, right?);
> 
> 1: 220 smtp.example.com ESMTP Postfix
> 2: HELO relay.example.org 
> 3: 250 Hello relay.example.org, I am glad to meet you
> 4: MAIL FROM:<bob at example.org>
> 5: 250 Ok
> 6: RCPT TO:<alice at example.com>
> 7: 250 Ok
> 8: RCPT TO:<theboss at example.com>
> 9: 250 Ok
> <snip>
> 
> At the moment, postgrey kicks in at line 4. Are you suggesting we (somehow) reconfigure postgrey to start later in the conversation, say around line 6 or 8?
> 
> I've spent the last several months trying various modifications on "how to make greylist apply to the receiving domain and not the sender domain", and have not been able to find a way to make greylisting, a sender deferring technology, function at a per-recipient domain level. 
> 
> Short of writing our own version of the SMTP standard, we're just plain stumped on how we can make this happen. Can you perhaps share a link to a page with instructions on how to make postgrey wait longer in the conversation, and to defer at the recipient domain level, rather than at the first identifying stage of the SMTP transaction like it currently does?
> 
> Or, alternatively, are you suggesting that LA runs multiple mail servers for each type of service we currently consolidate down to one machine, such as lists, general mail, RT instances, conferences, etc, and only configure greylisting on the instances that really critically need it?
> 
> regards
> 
> _______________________________________________
> linux-aus mailing list
> linux-aus at lists.linux.org.au
> http://lists.linux.org.au/mailman/listinfo/linux-aus

We've found greylisting is a waste of time these days, as Russ points out:
all it does is delay legit mail, their connection has to hit anyway, so
better to rely on better configurations...

smtpd_recipient_restrictions =
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,

    ...

    reject_unknown_client_hostname,
    reject_unknown_helo_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    reject_unlisted_sender,

    reject_rbl_client f.oo.bar,

    ....

    check_policy_service unix:private/spfpolicy

..and of course setup amavis with spamassassin etc to catch those that
do venture through. 

and use the KISS principle with all your mail; not doing so only asks
for problems (it's why we at xyz pissed off a large SAN with cluster FSs
and replaced it with good ol' NAS (NFS), been no outages since.)

-- 
If you have the urge to reply to all rather than reply to list, you
best first read http://members.ausics.net/qwerty/
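The thread asks whether greylisting can act at the recipient-domain level rather than on the first identifying stage of the SMTP transaction. The sketch below is an added example, not code from this list thread or from postgrey: a minimal Postfix policy server written against the policy delegation protocol (name=value request lines ending in an empty line, an `action=` response ending in an empty line) that Postfix uses for `check_policy_service`. Because `smtpd_recipient_restrictions` is evaluated at RCPT TO, the request carries a `recipient` attribute, so the server can defer only for recipient domains it is configured to greylist and key its state on the usual (client IP, sender, recipient) triplet. The socket name `private/greypolicy`, the domain list, the delay values and the sample requests are all constructed for the example.

```python
import io
import socketserver
import time

# Constructed policy: greylist only mail addressed to these recipient domains.
GREYLIST_DOMAINS = {"lists.example.com"}
DELAY_SECONDS = 300            # minimum wait before a new triplet is accepted
EXPIRE_SECONDS = 30 * 86400    # forget triplets that stay idle this long
DEFER = "DEFER_IF_PERMIT Greylisted, please try again later"


def parse_request(rfile):
    """Read one policy request: 'name=value' lines ending at an empty line."""
    attrs = {}
    for line in rfile:
        line = line.rstrip("\r\n")
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def recipient_domain(attrs):
    return attrs.get("recipient", "").rpartition("@")[2].lower()


def decide(attrs, state, now):
    """Return the Postfix action for one request.

    Greylisting applies only when the recipient's domain is listed, and the
    key is the (client IP, sender, recipient) triplet, so each RCPT TO is
    judged on its own rather than the whole session.
    """
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if recipient_domain(attrs) not in GREYLIST_DOMAINS:
        return "DUNNO"
    key = (attrs.get("client_address", ""),
           attrs.get("sender", "").lower(),
           attrs.get("recipient", "").lower())
    first_seen = state.get(key)
    if first_seen is None or now - first_seen > EXPIRE_SECONDS:
        state[key] = now          # new (or stale) triplet: start the clock
        return DEFER
    if now - first_seen < DELAY_SECONDS:
        return DEFER              # retried too early
    return "DUNNO"                # waited long enough: later restrictions decide


def handle_stream(rfile, send, state, now_fn=time.time):
    """Serve every request on one connection; Postfix may send several."""
    actions = []
    while True:
        attrs = parse_request(rfile)
        if not attrs:             # EOF: peer closed the connection
            return actions
        action = decide(attrs, state, now_fn())
        send(f"action={action}\n\n")
        actions.append(action)


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        rfile = io.TextIOWrapper(self.rfile, encoding="utf-8")
        handle_stream(rfile,
                      lambda s: (self.wfile.write(s.encode()), self.wfile.flush()),
                      self.server.state)


def serve(path):
    """Listen on a unix socket, e.g. $queue_directory/private/greypolicy (assumed name)."""
    srv = socketserver.ThreadingUnixStreamServer(path, PolicyHandler)
    srv.state = {}
    srv.serve_forever()


def request(sender, recipient, client="203.0.113.7"):
    """Build a constructed RCPT-stage request in Postfix's wire format."""
    return (f"request=smtpd_access_policy\nprotocol_state=RCPT\n"
            f"client_address={client}\nsender={sender}\nrecipient={recipient}\n\n")


def demo():
    """Walk a constructed conversation through the policy; return the verdicts."""
    state = {}
    clock = iter([1000.0, 1000.0, 1060.0, 1400.0])   # constructed timestamps
    stream = io.StringIO(
        request("bob@example.org", "alice@lists.example.com")    # first contact: deferred
        + request("bob@example.org", "theboss@example.com")      # unlisted domain: untouched
        + request("bob@example.org", "alice@lists.example.com")  # retry after 60 s: too early
        + request("bob@example.org", "alice@lists.example.com")  # retry after 400 s: passes
    )
    return handle_stream(stream, lambda s: None, state, lambda: next(clock))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Wired in as `check_policy_service unix:private/greypolicy` inside `smtpd_recipient_restrictions`, this leaves mail for every other domain on the same machine alone, which is the per-domain behaviour the thread is after without running separate servers. The state here is an in-memory dict, so it is lost on restart; a real deployment would persist the triplets.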
