> how will SPF records reduce reject of legit?
http://spf.pobox.com/postfix-policyd-1.0.txt .... if ($result eq "pass") { return "DUNNO"; } elsif ($result eq "fail") { return "REJECT " . ($smtp_comment || $header_comment); } elsif ($result eq "error") { return "DUNNO"; } else { return "DUNNO"; } ... I plan to change the "pass" line to "OK" to skip further smtpd restrictions. In my case subscriber_networks is my very last smtpd restriction, I'll be putting the SPF line just above my subscriber_networks .... check_policy_service unix:private/policy, check_client_access pcre:/mxsync/etc/postfix/pcre/subscriber_networks.pcre, ... (4tuple) This will enable me to tell other admins to setup DNS SPF records to bypass my subscriber/joker filters Or at least that's the plan, will tell you how it goes when I test it tomorrow :) > So #comment the entire subscriber networks for the nets that you are most commonly excepting with DUNNO. Not the best egrep's but they should be fairly accurate # zegrep -ci 'reject:.*\.net\[.*subscriber' maillog.0.gz 19162 # zegrep -ci 'reject:.*\.com\[.*subscriber' maillog.0.gz 8178 # zegrep -ci 'reject:.*\.org\[.*subscriber' maillog.0.gz 2 # zegrep -i 'reject:.*subscriber' maillog.0.gz | egrep -v '\.(net)|(com)\[' | wc -l 0 Would rather not loose the 25,000+ rejects, Maybe a hundred-two are legit, the rest are spam for sure. > and/or try the helo_hostnames.regexp which will block a.b.c.d or a-b-c-d in the HELO hostname. Already have that higher in my restrictions, not effective enough alone. ... check_helo_access pcre:/mxsync/etc/postfix/pcre/helo_hostnames_ipaddr.pcre, ... check_helo_access hash:/mxsync/etc/postfix/maps/helo_hostnames.map, hash:/mxsync/etc/postfix/maps/to_recipients_white.map, check_client_access pcre:/mxsync/etc/postfix/pcre/subscriber_networks.pcre, ... Thanks for all the comments Len, I appreciate it. -Tom
