On Mon, Feb 13, 2017 at 12:20:45PM +0530, Nitin N wrote:
> Dear Rob (I hope that is your name),

That works, but I also answer to "hey you" and various epithets (you 
can even google up a few from this very list. ;) )

> On Sat, Feb 11, 2017 at 8:53 PM, /dev/rob0 <r...@gmx.co.uk> wrote:
> > On Sat, Feb 11, 2017 at 01:55:26PM +0530, Nitin N wrote:

> > > Method 2]
> > >
> > > Use postmulti and create a separate instance for each domain. 
> > > In this case, I am not sure how complex it might get if I want 
> > > to create further instances for each domain to handle outgoing, 
> > > incoming and null-client scenarios.
> >
> > Why would you want to do this?  If you're seeking Perfect 
> > Headers, why?  Users mostly can't read nor understand headers.
> 
> [Nitin:]
> One reason why we would like to have Perfect Headers is that one
> of the domains is a B2C platform where many users can register. We 
> want to reduce all possibilities (as much as we can) of our first 
> email to these users from getting marked as Spam. So, we believe 
> having a CA Trusted certificate might just add some more 
> credibility in this scenario.

It probably won't help.

Deliverability is a frequent concern for small sites, and there is no 
single clear answer (nor group of answers) that will guarantee Inbox 
access.  Thank the spammers, sigh.

The main steps are:

  1. FCrDNS: your PTR value is $myhostname, which in turn resolves to
     your IP address.  If you don't control the PTR you're sunk.
  2. IP Reputation (more on that to follow)
  3. Clean non-spammy practices (likewise)

IP reputation depends mostly on clean, non-spammy practices, but it 
could also be linked to issues partly beyond your control, such as 
your hosting ISP's reputation for abuse.  I say "partly" because you 
always have the option to move to better-regarded hosting.

You can possibly improve your own reputation by signing up for 
DNSWL.org (and possibly other whitelisting services.)  I use DNSWL 
myself with the postscreen_dnsbl_whitelist_threshold feature, and it 
is very useful.

I doubt any major providers use DNSWL directly, but I bet they check 
their spam blocking against it.

"Clean" means, of course, that you must not be the source of UBE, nor 
should you forward any UBE from your system to others.  "Spammy 
practices" ... well, there are a lot of those, but they mostly boil 
down to attempts to evade blacklisting.  If you're consistently 
sending from a single IP address (or netblock if you're big enough, 
but I don't think you'd be asking here if you were that big), with 
static forward and reverse DNS entries, you're not looking like a 
blacklist evader.

Another spammy practice which might look tempting is to send 
"reminders" about registration emails.  You should only send ONE 
single verification email, because before address verification you 
have no way to know that it was a valid address.

> Honestly, I am not sure if we are being paranoid here since you 
> mention below that MTAs don't really verify if the certificate used 
> by another MTA is in fact Trusted or not.

Right.  And I said "probably won't help" above because it's possible 
that some providers might do occasional checks of certificates.  But 
it certainly won't matter that "example.net" hosts handle mail from 
send...@example.com.

> > > Method 3]
> > >
> > > Use FreeBSD jails for each domain and a common jail for all the 
> > > spam/virus protection services and use a proxy + NAT on the 
> > > main host. This could also help me use postmulti in each jail 
> > > in case I need to have multiple instances based on functions.
> > >
> > > So based on your experience/expertise, which method would you
> > > recommend?
> 
> Seems like not many have tried Method 3]. I think it might be a 
> good path to take from a scalability/security point of view, 
> although Jails do add some additional overhead from a maintenance 
> perspective.

It seems like a lot of fuss for no actual benefit.  You get the warm 
fuzzies when you examine your Received: headers, but that's not 
getting you out of spam folders.

> > > Further, do you think I can stop using Postgrey as I also have
> > > Postscreen enabled?
> >
> > With after-220 tests enabled, postscreen will easily block 
> > anything postgrey might have blocked.  Also, greylisting, ISTM, 
> > is mostly defeated by spammers' current methods.  It's typical 
> > for zombies to go through their lists more than once.
> 
> Thanks, so that means it's bye-bye Postgrey, thanks to Postscreen :)

Yes, and I can recommend my own postscreen config, which you can 
find at:

http://rob0.nodns4.us/postscreen.html

Good luck.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
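
Added example, not part of the original message or the poster's own configuration: a small Python check for step 1 above (FCrDNS), confirming that the PTR for the sending IP equals $myhostname and that the name resolves back to the same IP. The hostnames, addresses and the `sample_*` resolvers are constructed sample data so it runs offline; by default the function uses the system resolver.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for an IP via the system resolver (needs working DNS)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_addrs(name):
    """A/AAAA addresses for a hostname via the system resolver."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def _norm(name):
    return name.rstrip(".").lower()

def check_fcrdns(ip, myhostname, ptr=system_ptr, addrs=system_addrs):
    """Return a list of problems; an empty list means FCrDNS passes."""
    want, host = ipaddress.ip_address(ip), _norm(myhostname)
    names = {_norm(n) for n in ptr(ip)}
    if not names:
        return ["no PTR record for %s" % ip]
    problems = []
    if host not in names:
        problems.append("PTR %s does not match myhostname %s" % (sorted(names), host))
    # Forward-confirm: the name must resolve back to the same address.
    back = {ipaddress.ip_address(a.split("%")[0]) for a in addrs(host)}
    if want not in back:
        problems.append("%s does not resolve to %s" % (host, ip))
    return problems

# Constructed sample zone data (documentation ranges), so the check runs offline.
SAMPLE_PTR = {"192.0.2.25": ["mail.example.com."],
              "192.0.2.26": ["host-26.isp.example."]}
SAMPLE_A = {"mail.example.com": ["192.0.2.25"]}
sample_ptr = lambda ip: SAMPLE_PTR.get(ip, [])
sample_addrs = lambda name: SAMPLE_A.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26", "192.0.2.99"):
        result = check_fcrdns(ip, "mail.example.com", sample_ptr, sample_addrs)
        print(ip, result or "OK")
```

To test a live server, call `check_fcrdns("<your IP>", "<your myhostname>")` without the last two arguments.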
