Thank you for your reply and tips :-)

> Your content_filter only applies to MX mail on port 25.

Yes I want to use bogofilter only for incoming mails from other mail servers. 
It's configured with a global sieve rule to move spam e-mails to Spam folder 
for each mailbox. Dovecot is configured so when user moves e-mail from Inbox to 
Spam or the opposite to train bogofilter with new ham or spam keywords. Also 
ham/spam messages are forwarded from all the servers to 
(using a script that forwards the original messages as attachments) and using 
another script I train a global bogofilter database which every fews days I 
copy to all the servers. This way I get good results and only few false 

> Perhaps what you want is for the other host to be the MSA (mail 
> submission agent), and do not accept submission here?

I want to accept submission on as it's easier for end users 
to use the same hostname for SMTP, POP3 and IMAP.

> This is your content_filter.  You're using a script, but better 
> practice would probably be to use smtp.  And of course SMTP doesn't 
> have to be local; your filter could be elsewhere.

Do you have a link with instructions for doing it with SMTP instead of script? 
Maybe I can setup another server for incoming filtering (bogofilter) which is 
used by all the servers so I avoid to copy the bogofilter database every few 
days to all the servers.

> Check out amavisd-new as a better means of content filtering.  This 
> also gives you a means of applying different filtering depending on 
> origin: the spam filtering needed for submission differs from that 
> which makes sense on your MX stream.

Maybe I can use MailScanner (hosted in other server) for incoming messages to. 
It filters spam, virus, bad attachment extensions and some more things.

> You can do this by changing the server name your users use for their 
> submission server to point to this relayhost instead.  It could 
> possibly be a painless change for the users.

The same hostname is used for other things too, for example FTP. So changing 
the hostname and point it to IP is not 
possible without causing frustration to users.

> Note: I am supposing you have a large number of users, because this 
> level of complexity does not make sense for a small number.

Yes there are more than 60.000 mail accounts split in 55 servers. These servers 
do shared hosting (www, ftp, dns, mail, mysql, php).

> I don't consider spamcop safe for outright rejection, at least not 
> without DNSWL whitelisting.  Also, CBL is part of Zen, so this is a 
> wasted lookup.  And postscreen has been around for many years now, 
> you should look at it:

I removed CBL from checks.

To add DNSWL whitelisting I have to add under smtpd_recipient_restrictions and 
before the RBL checks:


Is this rignt?


I will check this too. I didn't mention it but I also use postgrey 
(greylisting). If I can get good results with postscreen maybe I can remove 

> You should force all submission through submission/submissions 
> services, or as mentioned above, through a separate MSA.  You don't 
> want to accept submission on port 25.

I know this but some old clients are configured to submission on port 25. Also 
some sites use port 25 for contact forms and transactional e-mails. Maybe it's 
time to send them a mass e-mail and notify them to change their submission port 
to 587 and after some time to remove submission on port 25.

>> smtpd_sasl_type = dovecot
>> smtpd_sender_restrictions = reject_unlisted_sender, 
>> permit_sasl_authenticated,
>>    reject_non_fqdn_sender, check_sender_access
>>    hash:/usr/local/etc/postfix/sender_access, reject_unknown_sender_domain,
>>    permit
>> smtpd_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
>> smtpd_tls_ask_ccert = yes
> why?

Few years ago I was using postfix for sasl authentication. After upgrading 
postfix to new version the quota patch was not working (the developer abandon 
it) so I changed it to dovecot authentication because dovecot has plugin for 
mailbox quota. So these settings are not required any more, right?

Reply via email to