On 24 May 2020, at 19:04, Ian Evans <dheianev...@gmail.com> wrote:
> Based on another thread here, I want to move to using postscreen/postwhite
> and ditch postgrey.
>
> Just want to make sure I don't bungle stopping postgrey.
>
> So...
>
> - edit main.cf and remove "check_policy_service inet:127.0.0.1:10023" from
> smtpd_recipient_restrictions.

Comment it out. And don't forget to comment out the corresponding section in master.cf.

> - restart Postfix

That will do it.

> - purge the postgrey package.

Eventually. Don't need to rush.

> Then go about getting postscreen working.

As others have said, I'd do that first. But it's really just a few lines. These are my settings, -ish.

postscreen_access_list = cidr:$config_directory/postscreen_access.cidr
# Maybe start with warn if you're worried
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = <list of RBLs and maybe DNSWL.org whitelists>
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 1d
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_greet_banner = mail.covisp.net ESTMP -- Please wait
postscreen_greet_wait = 11s

I've settled on 11s, but you should probably not set postscreen_greet_wait unless you need to, as the default is there for a reason. I found for my server 11s cut off a lot more mail, and I haven’t noticed missing anything I want.

Default: postscreen_greet_wait = ${stress?{2}:{6}}s

The most complicated part is setting up and scoring the rbls, though searching the list archives for 'postscreen_dnsbl_sites' will find you some settings other people use and you can start from there. Be sure and check the specific RBLs to be sure that they allow open access and that they still exist. Zen is very popular and in my opinion the best one out there, but you need to pay for commercial access.

-- 
You'd be a very high-level X-Men like Emma Frost's Diamond Form.
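Added example, not part of the original message: a small Python model of how a postscreen_dnsbl_sites value (entries of the form domain=filter*weight) adds up against the postscreen_dnsbl_threshold = 3 and postscreen_dnsbl_whitelist_threshold = -1 settings quoted above, useful for checking a weighting before it goes live. The *.example zones, their weights and the DNS replies are constructed placeholders, and the scoring (each entry counts once when any returned A record matches its filter) is a simplified reading of postconf(5), not Postfix code.

```python
import re

# Constructed sample value; the *.example zones are placeholders, not real lists.
SITES = ("bl-a.example*2, bl-b.example=127.0.0.[2..11]*1, "
         "bl-c.example=127.0.0.3*2, wl.example=127.0.[0..255].[1..3]*-2")
THRESHOLD = 3             # postscreen_dnsbl_threshold from the message
WHITELIST_THRESHOLD = -1  # postscreen_dnsbl_whitelist_threshold from the message

ENTRY = re.compile(r"^(?P<domain>[^=*]+)(?:=(?P<filter>[^*]+))?(?:\*(?P<weight>-?\d+))?$")

def parse_sites(value):
    """Split a postscreen_dnsbl_sites value into (domain, filter, weight) tuples."""
    entries = []
    for item in filter(None, re.split(r"[,\s]+", value.strip())):
        m = ENTRY.match(item)
        if not m:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {item!r}")
        entries.append((m["domain"], m["filter"], int(m["weight"] or 1)))
    return entries

def octet_matches(pattern, octet):
    """pattern is a plain number or a bracketed list such as [2;4..6]."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= octet <= int(hi or lo):
            return True
    return False

def reply_matches(filt, addr):
    """No filter means any reply counts; otherwise compare octet by octet."""
    if filt is None:
        return True
    pats = re.findall(r"\[[^\]]*\]|\d+", filt)
    octets = [int(o) for o in addr.split(".")]
    return len(pats) == 4 and all(octet_matches(p, o) for p, o in zip(pats, octets))

def score(entries, replies):
    """replies maps zone -> list of A records; a missing zone means 'not listed'."""
    return sum(w for d, f, w in entries
               if any(reply_matches(f, a) for a in replies.get(d, [])))

def verdict(total):
    if total >= THRESHOLD:
        return "dnsbl_action"           # postscreen_dnsbl_action applies
    if total <= WHITELIST_THRESHOLD:
        return "whitelist_threshold_met"
    return "continue"
```

Feeding it the reply codes each list documents shows quickly whether a single weak listing can reach the threshold on its own, or whether a whitelist entry can cancel a strong blocklist hit.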