Miguel Di Ciurcio Filho:
> Wietse Venema wrote:
> > Postfix snapshot 20091008 includes an updated version of the
> > postscreen daemon. This means it is no longer limited to the
> > non-production releases.
> >
>
> Nice!
>
> There is a cool feature on OpenBSD's spamd that makes zombies suffer a lot:

Note, I am primarily interested in keeping the bots away from the real SMTP server. Unlike spamd and other solutions, I am not so much interested in keeping botnets busy. People who want to do that can install spamd. It works with pretty much every MTA.

> Discarding the greylist feature, sending data very slowly makes zombies
> suffer and does not eat our bandwidth.
>
> 1) Wait X seconds to send the pre-greeting to detect out of order commands

If the client is a pre-greeter, the sooner I find out the better. I want to have the option to quickly drop a connection, or to quickly capture sender/recipient information so that people can monitor what mail is being blocked (capturing this information is next on the todo list; this requires a dummy SMTP engine that could also be used for greylisting, and if people must, for tarpitting).

> Another suggestion: raise the default postscreen_greet_wait from 4 to 10
> seconds, or even 15 or 20. I've been using smtpd_error_sleep_time=30s
> and so far I had no problems for years and it is very effective keeping
> dictionary floods away.
>
> With a setup like this I believe greylisting is not that relevant any more.

You can adjust the pre-greet wait time to 30s if you like, but I would not consider that a safe default setting for everyone.

You can find early postscreen results at http://www.postfix.org/wip.html

Wietse
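
The pre-greeting wait discussed in this thread, as an added example that is not part of the original messages and is not Postfix code: a listener holds back its 220 banner for a configurable wait and classifies any client that sends data first. The banner text, host names, verdict labels and the `screen_client`/`simulate` helpers are assumptions made for the illustration, and the clients are constructed in-process over a socket pair.

```python
import select
import socket
import threading

GREETING = b"220 mx.example.test ESMTP\r\n"  # constructed banner


def screen_client(conn, greet_wait):
    """Hold the banner for greet_wait seconds and classify the client."""
    # A client that follows SMTP stays silent until it has read the 220
    # line, so any readable data during the wait is a pre-greeting.
    readable, _, _ = select.select([conn], [], [], greet_wait)
    if readable:
        early = conn.recv(512)
        conn.close()  # drop quickly; the real SMTP server is never involved
        return "PREGREET" if early else "HANGUP"  # b"" means the peer left
    conn.sendall(GREETING)
    return "PASS"


def simulate(behaviour, greet_wait=0.3):
    """Run one constructed client ('early', 'polite' or 'hangup')."""
    server, client = socket.socketpair()

    def smtp_client():
        if behaviour == "hangup":
            client.close()
            return
        if behaviour == "polite":
            client.recv(512)  # wait for the banner before speaking
        client.sendall(b"HELO client.example.test\r\n")

    worker = threading.Thread(target=smtp_client)
    worker.start()
    verdict = screen_client(server, greet_wait)
    worker.join()
    client.close()
    server.close()
    return verdict


if __name__ == "__main__":
    for behaviour in ("early", "polite", "hangup"):
        print(behaviour, "->", simulate(behaviour))
```

A longer `greet_wait` delays every legitimate client by the same amount, which is the trade-off behind the default-value discussion above.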