Bill Cole:
> On 31 Oct 2018, at 17:12, Noel Jones wrote:
>
> > Postscreen *should not* be used on ports used for client
> > authenticated SMTP.
>
> Generally, this has been true...
>
> However, I have recently seen spambots using compromised accounts on
> port 587 without properly waiting for the greeting banner. This was on a
> Sendmail installation, which already (inadvertently) had a GreetPause
> applied to port 587.
>
> I intend to experiment with postscreen on 587 on the next Postfix system
> I work with where compromised accounts are a problem. I hope that by
> then someone else will have pioneered that tactic and worked through all
> the pitfalls here.

You would not be able to use many DNSBLs such as zen.spamhaus.org,
nor any of the 'after 220' protocol tests.
It would take a ton of master.cf configuration.

master.cf:
    submission inet .... postscreen
        -o smtpd_service_name=submission-smtpd
        -o postscreen_cache_map=$submission_cache_map
        -o postscreen_dnsbl_sites=$submission_dnsbl_sites
        -o postscreen_xxx=$submission_xxx
        ...
    submission-smtpd pass ... smtpd
        -o smtpd_xxxx=$submission_xxxx
        ...

With suitable submission_mumble parameter settings in master.cf.
Wietse
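
The pre-greeting check that a GreetPause relies on, and that is the one kind of test left once DNSBLs and the 'after 220' tests are ruled out, sketched in Python as an added example. It is not part of the original thread and is not Postfix or Sendmail code; the function names, banner hostname, client hostname and timeout are assumptions, and the banner is simply delayed here.

```python
import select
import socket

# Constructed banner; the hostname is a placeholder.
BANNER = b"220 mail.example.test ESMTP\r\n"


def greet_pause_check(conn, greet_wait=0.5):
    """Hold back the 220 banner for greet_wait seconds and flag early talkers.

    Returns ("PREGREET", data) if the client sent bytes before the banner,
    ("HANGUP", b"") if it disconnected during the pause, or ("PASS", b"")
    after the banner has been sent to a client that waited.
    """
    readable, _, _ = select.select([conn], [], [], greet_wait)
    if readable:
        data = conn.recv(512)
        if data:
            # A compliant client sends nothing until it has read the greeting.
            return ("PREGREET", data)
        return ("HANGUP", b"")
    conn.sendall(BANNER)
    return ("PASS", b"")


def simulate(client_talks_first, greet_wait=0.2):
    """Run the check against a constructed client over a local socket pair."""
    server, client = socket.socketpair()
    try:
        if client_talks_first:
            # Constructed bot behaviour: EHLO sent without reading the banner.
            client.sendall(b"EHLO bot.example.test\r\n")
        verdict, data = greet_pause_check(server, greet_wait)
        banner = client.recv(512) if verdict == "PASS" else b""
        return verdict, data, banner
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    print("early talker:", simulate(True))
    print("patient client:", simulate(False))
```

An authenticated client that fails this check is still holding valid credentials, so the verdict is a signal that the account may be compromised as much as a reason to drop the connection.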