> On 21 Aug 2019, at 13:58, Gilles Chehade <gil...@poolp.org> wrote:
>
> On Wed, Aug 21, 2019 at 12:50:10PM +0200, Michiel van Es wrote:
>> Hi!
>>
>
> Hi,
>
>
>> I am running a small VPS with 1 GB memory with Debian 10 amd64 with
>> OpenSMTPD (6.0.3) for private email and am looking at what my best options
>> are to limit spam.
>> I know there are some filters from Joerg
>> (https://www.mail-archive.com/misc@opensmtpd.org/msg04402.html) but am not
>> sure if these will work with my version of OpenSMTPD (I get a syntax error
>> when trying the old filter syntax).
>>
>> I can also relay everything to Amavisd/SpamAssassin but then email won't
>> get blocked at the SMTP level, also ASSP or Rspamd is an option but they are
>> pretty resource intensive and will eat all my VPS memory ;)
>>
>> What would be my best option?
>>
>
> 6.0.3 is a fairly old version and there aren't many options available.
>
> if you're forced to stick with that version, which suffers from at least
> one denial of service as far as I know, your best option is to relay via
> something like SpamPD so it can interface with SpamAssassin, but this is
> not going to operate at SMTP level, it will happen at delivery time.
That’s interesting since Debian has a good track record of back porting
security fixes in their stable packages.
I will ask the maintainer if he applied the patch or upgraded the package to
latest version.
For now I use spampd which works fine for bayesian spam detection.
>
> there will be no way of blocking at SMTP level before next release 6.6.0
> that is going to happen in a few weeks, during October, so any option is
> going to be post delivery: either as a custom MDA, or as a relay via for
> some smtp proxy that will reinject in smtpd like the dkimproxy stuff.
I will wait for 6.6.0 ;)
>
> your best option would really be to build from source 6.4.2: it will not
> block at SMTP level but will provide mechanisms to ease interfacing with
> spamassassin or rspamd for post-SMTP handling.
>
> if you're not too easily scared, running the development version is good
> too because it's very close to release now, very stable and will not get
> much changes until October as I'm busy busy these days ;-)
Might give that a try, thanks :)
>
>
>> I like to do some DNSBL and SpamAssassin checks if possible.
>>
>> My config if that is to any use to give some insights:
>>
>> pki server.pragmasec.nl certificate "/etc/letsencrypt/live/pragmasec.nl/fullchain.pem"
>> pki server.pragmasec.nl key "/etc/letsencrypt/live/pragmasec.nl/privkey.pem"
>> listen on localhost
>> listen on eth0 port 25 tls pki server.pragmasec.nl hostname server.pragmasec.nl auth-optional
>> listen on eth0 port 587 tls-require pki server.pragmasec.nl hostname server.pragmasec.nl auth
>> table vdomains file:/etc/mail/domains
>> table vusers file:/etc/mail/vusers
>> expire 7d
>> limit mta inet4
>> accept from any for domain <vdomains> virtual <vusers> deliver to mda "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>> accept from local for any relay
>>
>> Cheers,
>>
>> Michiel
>>
>>
>>
>
> --
> Gilles Chehade @poolpOrg
>
> https://www.poolp.org patreon: https://www.patreon.com/gilles