<div dir="ltr">Use Postscreen RBL weighting to help prevent false positives.  It's amazing how well this works to make your filtering better than the expensive appliances out there like Barracuda's and IronPort's that can't do this.<div><br></div><div><div>postscreen_cache_retention_time      = 7d</div><div>postscreen_bare_newline_ttl          = 7d</div><div>postscreen_greet_ttl                 = 7d</div><div>postscreen_non_smtp_command_ttl      = 7d</div><div>postscreen_pipelining_ttl            = 7d</div><div>postscreen_dnsbl_ttl                 = 1m</div><div>postscreen_dnsbl_threshold           = 8</div><div>postscreen_dnsbl_action              = enforce</div><div>postscreen_greet_action              = enforce</div><div>postscreen_greet_wait                = ${stress?1}${stress:11}s</div><div>postscreen_bare_newline_action       = enforce</div><div>postscreen_bare_newline_enable       = yes</div><div>postscreen_non_smtp_command_enable   = yes</div><div>postscreen_pipelining_enable         = yes</div><div>postscreen_dnsbl_whitelist_threshold = -1</div><div>postscreen_blacklist_action          = drop</div></div><div><br></div><div><div>postscreen_dnsbl_sites =</div><div>  <a href="http://bl.sorbs.net">bl.sorbs.net</a>=127.0.0.10*9<br></div><div>  <a href="http://dnsbl.sorbs.net">dnsbl.sorbs.net</a>=127.0.0.14*9</div><div>  <a href="http://zen.spamhaus.org">zen.spamhaus.org</a>=127.0.0.[10;11]*8</div><div>  <a href="http://dnsbl.sorbs.net">dnsbl.sorbs.net</a>=127.0.0.5*7</div><div>  <a href="http://zen.spamhaus.org">zen.spamhaus.org</a>=127.0.0.[4..7]*7</div><div>  <a href="http://b.barracudacentral.org">b.barracudacentral.org</a>=127.0.0.2*7</div><div>  <a href="http://zen.spamhaus.org">zen.spamhaus.org</a>=127.0.0.3*7</div><div>  <a href="http://dnsbl.inps.de">dnsbl.inps.de</a>=127.0.0.2*7</div><div>  <a href="http://hostkarma.junkemailfilter.com">hostkarma.junkemailfilter.com</a>=127.0.0.2*4</div><div>  <a 
href="http://dnsbl.sorbs.net">dnsbl.sorbs.net</a>=127.0.0.7*4</div><div>  <a href="http://bl.spamcop.net">bl.spamcop.net</a>=127.0.0.2*4</div><div>  <a href="http://bl.spameatingmonkey.net">bl.spameatingmonkey.net</a>=127.0.0.[2;3]*4</div><div>  <a href="http://dnsrbl.swinog.ch">dnsrbl.swinog.ch</a>=127.0.0.3*4</div><div>  <a href="http://ix.dnsbl.manitu.net">ix.dnsbl.manitu.net</a>=127.0.0.2*4</div><div>  <a href="http://psbl.surriel.com">psbl.surriel.com</a>=127.0.0.2*4</div><div>  <a href="http://bl.mailspike.net">bl.mailspike.net</a>=127.0.0.[10;11;12]*4</div><div>  <a href="http://bl.mailspike.net">bl.mailspike.net</a>=127.0.0.2*4</div><div>  <a href="http://zen.spamhaus.org">zen.spamhaus.org</a>=127.0.0.2*3</div><div>  <a href="http://bl.spamcannibal.org">bl.spamcannibal.org</a>=127.0.0.2*3</div><div>  <a href="http://dnsbl-1.uceprotect.net">dnsbl-1.uceprotect.net</a>=127.0.0.2*2</div><div>  <a href="http://dnsbl.sorbs.net">dnsbl.sorbs.net</a>=127.0.0.6*3</div><div>  <a href="http://dnsbl.sorbs.net">dnsbl.sorbs.net</a>=127.0.0.9*2</div><div>  <a href="http://dnsbl.sorbs.net">dnsbl.sorbs.net</a>=127.0.0.8*2</div><div>  <a href="http://score.senderscore.com">score.senderscore.com</a>=127.0.4.[0..29]*2</div><div>  <a href="http://hostkarma.junkemailfilter.com">hostkarma.junkemailfilter.com</a>=127.0.0.4*2</div><div>  <a href="http://all.spamrats.com">all.spamrats.com</a>=127.0.0.38*2</div><div>  <a href="http://bl.nszones.com">bl.nszones.com</a>=127.0.0.[2;3]*1</div><div>  <a href="http://dnsbl-2.uceprotect.net">dnsbl-2.uceprotect.net</a>=127.0.0.2*1</div><div>  <a href="http://dnsbl.sorbs.net">dnsbl.sorbs.net</a>=127.0.0.2*1</div><div>  <a href="http://dnsbl.sorbs.net">dnsbl.sorbs.net</a>=127.0.0.4*1</div><div>  <a href="http://score.senderscore.com">score.senderscore.com</a>=127.0.4.[30..69]*1</div><div>  <a href="http://dnsbl.sorbs.net">dnsbl.sorbs.net</a>=127.0.0.3*1</div><div>  <a 
href="http://hostkarma.junkemailfilter.com">hostkarma.junkemailfilter.com</a>=127.0.1.2*1</div><div>  <a href="http://dnsbl.sorbs.net">dnsbl.sorbs.net</a>=127.0.0.15*1</div><div>  <a href="http://ips.backscatterer.org">ips.backscatterer.org</a>=127.0.0.2*1</div><div>  <a href="http://bl.nszones.com">bl.nszones.com</a>=127.0.0.5*-1</div><div>  <a href="http://wl.mailspike.net">wl.mailspike.net</a>=127.0.0.[18;19;20]*-2</div></div><div><div>  <a href="http://hostkarma.junkemailfilter.com">hostkarma.junkemailfilter.com</a>=127.0.0.1*-2</div><div>  <a href="http://ips.whitelisted.org">ips.whitelisted.org</a>=127.0.0.2*-2</div><div>  <a href="http://safe.dnsbl.sorbs.net">safe.dnsbl.sorbs.net</a>=127.0.[0..255].0*-2</div><div>  <a href="http://list.dnswl.org">list.dnswl.org</a>=127.0.[0..255].0*-2</div><div>  <a href="http://dnswl.inps.de">dnswl.inps.de</a>=127.0.[0;1].[2..10]*-2</div><div>  <a href="http://list.dnswl.org">list.dnswl.org</a>=127.0.[0..255].1*-3</div><div>  <a href="http://list.dnswl.org">list.dnswl.org</a>=127.0.[0..255].2*-4</div><div>  <a href="http://list.dnswl.org">list.dnswl.org</a>=127.0.[0..255].3*-5</div></div><div><br></div><div>The above list is from years of adjustment and tuning to be just right for my environment.  Each SA environment is a little different based on your location and recipients.</div><div><br></div><div>Blocking outright on a single RBL hit is pretty risky so the weighting above makes it an aggregate score of many RBLs for better accuracy.</div><div><br></div><div>If you turn up the sensitivity on your RBLs to block using the list above, then you have to whitelist major mail providers.  
Use postwhite on github to generate the postscreen_spf_whitelist.cidr daily.</div><div><br></div><div><div>postscreen_access_list =</div><div>  permit_mynetworks,</div><div>  cidr:/etc/postfix/postscreen_spf_whitelist.cidr,</div><div>  cidr:/etc/postfix/postscreen_yahoo_whitelist.cidr,</div><div>  cidr:/etc/postfix/postscreen_access.cidr</div><div><br></div><div>Yahoo doesn't publish a standard SPF record that can be parsed down to IP blocks so the postscreen_yahoo_whitelist.cidr is built from this command:<br></div></div><div><br></div><div>elinks -dump <a href="https://help.yahoo.com/kb/SLN23997.html">https://help.yahoo.com/kb/SLN23997.html</a> | grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?' | awk '{print $1, "\t permit"}' > /etc/postfix/postscreen_yahoo_whitelist.cidr 2>&1<br></div><div><br></div><div>I add a few more custom hosts (SPF domains) to my /etc/postwhite.conf:</div><div><br></div><div><div># CUSTOM HOSTS</div><div># Enter custom hosts separated by a space, ex: "<a href="http://example.com">example.com</a> <a href="http://example2.com">example2.com</a> <a href="http://example3.com">example3.com</a>"</div><div>custom_hosts="<a href="http://comcast.net">comcast.net</a> <a href="http://rr.com">rr.com</a> <a href="http://bluehost.com">bluehost.com</a> <a href="http://mxlogic.net">mxlogic.net</a> <a href="http://messagelabs.com">messagelabs.com</a> <a href="http://messagegears.net">messagegears.net</a> <a href="http://swiftwavenetwork.com">swiftwavenetwork.com</a> <a href="http://authsmtp.com">authsmtp.com</a> <a href="http://eventbrite.com">eventbrite.com</a> <a href="http://trendmicro.com">trendmicro.com</a> <a href="http://spf.mandrillapp.com">spf.mandrillapp.com</a> <a href="http://amazonses.com">amazonses.com</a> <a href="http://radware.com">radware.com</a> <a href="http://zarca-inc.com">zarca-inc.com</a> <a href="http://embarqmail.com">embarqmail.com</a> <a href="http://mailer.surveygizmo.com">mailer.surveygizmo.com</a> <a 
href="http://spf.ess.barracudanetworks.com">spf.ess.barracudanetworks.com</a>"</div></div><div><br></div><div>I filter for about 40K mailboxes with the configuration above along with greylisting and a high MX that tempfails everything.  Postscreen blocks > 95% of the junk so SpamAssassin only has to handle a small percentage of spam based on content.</div><div><br></div><div>Hope this helps,</div><div>Dave</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 26, 2017 at 12:48 AM, Martin Hepworth <span dir="ltr"><<a href="mailto:maxsec@gmail.com" target="_blank">maxsec@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Also graylisting on the inbound connection</div><div><br></div><div>Along with postfix doing unknown recipient rejection</div><div><br></div><div>Martin</div><div><br><div class="gmail_quote"><div><div class="h5"><div>On Tue, 25 Apr 2017 at 18:47, Michael Huntley <<a href="mailto:michael@huntley.net" target="_blank">michael@huntley.net</a>> wrote:<br></div></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div style="font-size:10pt;font-family:Verdana,Geneva,sans-serif">
<p>True.  I only trust the three rbls I use - I do realize spamcop may hit on a false positive from time-to-time.</p>
<p>I wonder -</p>
<p>Danita what are your various smtp/helo/client restrictions within postfix?</p>
<div>Cheers,</div>
<div> </div>
<div>mph</div></div><div style="font-size:10pt;font-family:Verdana,Geneva,sans-serif">
<p>On 2017-04-25 10:38, Peter H. Lemieux wrote:</p>
<blockquote type="cite" style="padding:0 0.4em;border-left:#1010ff 2px solid;margin:0">
<div class="m_880351364133142690m_-2812803874046312027pre" style="margin:0;padding:0;font-family:monospace">I don't enforce RBLs at the SMTP level for fear of false positives.  I let SpamAssassin consult the RBLs instead and score them accordingly. That does mean such messages will need to be handled by MailScanner and not blocked at the doorstep though.<br> <br> Peter<br> <br> <br> <span style="white-space:nowrap">On 04/25/2017 01:33 PM, <wbr>Michael Huntley wrote:</span>
<blockquote type="cite" style="padding:0 0.4em;border-left:#1010ff 2px solid;margin:0"><span style="white-space:nowrap">Danita -</span><br> <br> <span style="white-space:nowrap">In postscreen do you have any <wbr>rbls?</span></blockquote>
</div>
</blockquote>
</div>
<br>
<br></div></div><span class="">
--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.<wbr>info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" rel="noreferrer" target="_blank">http://lists.mailscanner.info/<wbr>mailman/listinfo/mailscanner</a><br>
<br>
</span></blockquote></div></div><span class="HOEnZb"><font color="#888888"><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature">-- <br>Martin Hepworth, CISSP<br>Oxford, UK</div>
</font></span><br><br>
<br>
<br>
<br></blockquote></div><br></div>
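An added example, not part of the original thread or of Postfix itself: a small offline model of the weighted scoring in the message at the top of the thread, using a subset of its `postscreen_dnsbl_sites` entries and its two thresholds. The DNSBL replies are constructed sample data, and the model assumes each entry contributes its weight at most once when any returned address matches its filter.

```python
import re

# Subset of the postscreen_dnsbl_sites entries from the message above.
SITES = """
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*7
b.barracudacentral.org=127.0.0.2*7
bl.spamcop.net=127.0.0.2*4
score.senderscore.com=127.0.4.[30..69]*1
list.dnswl.org=127.0.[0..255].1*-3
"""
THRESHOLD = 8             # postscreen_dnsbl_threshold
WHITELIST_THRESHOLD = -1  # postscreen_dnsbl_whitelist_threshold

def parse_sites(text):
    """Return (domain, filter, weight) tuples from domain=filter*weight entries."""
    entries = []
    for item in text.split():
        m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", item)
        if not m:
            raise ValueError(f"bad entry: {item}")
        entries.append((m.group(1), m.group(2), int(m.group(3) or 1)))
    return entries

def octet_matches(pattern, value):
    """Match one octet against N, [a;b;c] or [lo..hi]; alternatives may be mixed."""
    for alt in pattern.strip("[]").split(";"):
        lo, _, hi = alt.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def filter_matches(flt, addr):
    if flt is None:  # no filter given: any reply counts
        return True
    pats = re.findall(r"\[[^\]]*\]|\d+", flt)
    octets = [int(o) for o in addr.split(".")]
    return len(pats) == 4 and all(octet_matches(p, o) for p, o in zip(pats, octets))

def score_client(entries, replies):
    """Assumption: an entry adds its weight once if any reply for its domain matches."""
    return sum(w for dom, flt, w in entries
               if any(filter_matches(flt, a) for a in replies.get(dom, [])))

def verdict(score):
    if score >= THRESHOLD:
        return "block"       # postscreen_dnsbl_action applies
    if score <= WHITELIST_THRESHOLD:
        return "skip-tests"  # client skips the remaining postscreen tests
    return "pass"
```

Running `score_client(parse_sites(SITES), replies)` over a dict of domain to returned A records shows a single SpamCop listing scoring 4 and passing, while the same listing combined with a Barracuda hit scores 11 and is blocked.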