On Mon, Mar 12, 2018 at 09:59:27AM +0000, Allen Coates wrote:
> Late last year I tried the Postscreen "deep protocol tests" as a
> primitive form of greylisting; it was a high-maintenance exercise
> for minimal benefit and I have since stopped using it.
>
> Google and the like use a different mail server for each connect
> attempt. You need an actively maintained whitelist to bypass the
> grey-list process.

Postfix 2.11+ (which is to say, all supported versions of Postfix at
this time) supports DNS whitelists via
postscreen_dnsbl_whitelist_threshold, and this is a very good and
low-maintenance solution to that problem. Large senders such as
Google are all listed at dnswl.org. What few smaller senders you
encounter typically retry from the same IP address. We get the
potential benefit of greylisting without much pain.

> Also, (in my case) I was plagued by Ukrainian spamming mail
> servers; they just retried and got through.

Of course. The only potential benefit of greylisting a real MTA is
that DNSBLs might have listed a spamming one by the time it retries
delivery.

> The experiment DID stop a few zombies, but not many.

Every little bit helps, in such a hostile protocol as SMTP.
-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
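
A main.cf fragment for the setup described in the reply above, added here as an example and not part of the original message. The weights and thresholds are assumed values, and dnsbl.example.org is a placeholder for whichever blocklist is actually queried.

```conf
# /etc/postfix/main.cf (fragment): constructed example, not from the thread.
# All weights and thresholds below are assumptions to tune locally.

# Score every connecting client. Blocklist hits add points; a dnswl.org
# listing subtracts them. dnswl.org answers 127.0.<category>.<trust>,
# and trust 1..3 means low/medium/high (0 means "listed, no trust").
postscreen_dnsbl_sites =
    dnsbl.example.org*2
    list.dnswl.org=127.0.[0..255].[1..3]*-2

# A combined score at or above this value fails the DNSBL test.
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action = enforce

# Postfix 2.11+. Must be negative to take effect. A client whose combined
# score passes this threshold, and which has failed no other test, has its
# pending tests marked as completed, so large senders listed at dnswl.org
# never reach the after-220 tests below.
# A client listed on both lists scores 2 - 2 = 0: neither blocked nor
# whitelisted.
postscreen_dnsbl_whitelist_threshold = -1

# The "deep protocol tests" (after the 220 greeting). postscreen cannot
# hand the session to smtpd after running these, so a client that passes
# gets a 4xx reply and has to reconnect, which is the greylisting-like
# delay discussed in the thread.
postscreen_pipelining_enable = yes
postscreen_non_smtp_command_enable = yes
postscreen_bare_newline_enable = yes
```

After reloading Postfix, `postconf -n | grep '^postscreen_'` shows the values in effect.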