I've always wanted to deploy DCC: http://www.rhyolite.com/dcc/
I haven't gotten around to it yet, but it's always struck me as a great idea.

On Tue, Feb 11, 2014 at 10:57 AM, David Sommerseth <[email protected]> wrote:

> On 11/02/14 02:13, Yasha Karant wrote:
> > Our site has been edicted to Microsoft Exchange server with a Barracuda
> > spam filter. There are numerous difficulties, one of which is spam not
> > being filtered and non-spam being so filtered (significant increase in
> > mission critical false positives). At present, the administrative
> > authorities (all of whom appear to be management professionals, not
> > internals nor systems folks) insist on Exchange, allowing open systems
> > standards compliant end-users to have IMAP service. Given this, what
> > are the best server-side spam filters, either hardware or software?
> > "Best" should be based upon current field-deployed experience and/or
> > unsolicited external reviews (not vendor-supported "independent" reviews).
>
> I've put up a fairly simple Postfix + Amavis-new + SpamAssassin server in
> front of some of my Zimbra servers to get rid of the "worst" trash (we
> also had some other requirements too, but that's not important in this
> thread). I configured Postfix with several RBLs, SPF and postgrey. In
> addition I added these smtpd_recipient_restrictions:
>
>     reject_unknown_reverse_client_hostname,
>     reject_invalid_hostname,
>     reject_non_fqdn_hostname,
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     reject_unknown_sender_domain,
>
> The RBLs I have had great success with are:
>
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client bl.blocklist.de,
>     reject_rbl_client b.barracudacentral.org,
>     reject_rbl_client bl.spamcannibal.org,
>     reject_rbl_client cidr.bl.mcafee.com,
>
> The two first ones and barracudacentral.org seem to be those being
> triggered most. Barracudacentral requires a registration (they want the
> IP of your DNS resolver doing the queries).
>
> With all this in place, I reduced the spam which SpamAssassin filtered
> out from 75-80% to ~20-25%.
>
> I had to remove SORBS, as they actually listed a lot of valid SMTP
> relays ... and for those companies being hit here, it was just a too
> costly operation to fix each time it happened. On the other hand, the
> other RBLs catch quite fine what SORBS blocked correctly.
>
> In regards to SPF, that works pretty well. I did it even stricter than
> the default configuration (I use python-policyd-spf), where I set
> PermError_reject = True. That enforces that SPF rules which are
> explicit much harder.
>
> And with postgrey, I learned that you need at least a 10 minutes
> threshold. For one of the servers I maintain, postgrey blocks ~25% of
> all mail attempts. On another one (low traffic), the hit rate was so
> low I actually removed it. So you need to test and see if it can match
> your needs.
>
>
> --
> kind regards,
>
> David Sommerseth
>
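Added example, not part of the original thread: a small log tally for measuring which RBL or restriction from the quoted setup is doing the rejecting, and which rejected clients had verified reverse DNS (the kind of legitimate relay a bad list hits). The log lines are constructed, and the postgrey and policyd-spf reject wording is assumed to be the default text.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the usual Postfix smtpd reject format
# (documentation-range IPs and example domains, not real traffic).
SAMPLE_LOG = """\
Feb 11 10:01:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; listed; from=<a@bulk.example> to=<u@example.org> proto=ESMTP helo=<x.example>
Feb 11 10:01:09 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from relay.partner.example[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using b.barracudacentral.org; listed; from=<billing@partner.example> to=<u@example.org> proto=ESMTP helo=<relay.partner.example>
Feb 11 10:02:30 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [203.0.113.5]; from=<b@bulk.example> to=<u@example.org> proto=ESMTP helo=<pc>
Feb 11 10:03:11 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from mail.news.example[198.51.100.9]: 450 4.2.0 <u@example.org>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/example.org.html; from=<n@news.example> to=<u@example.org> proto=ESMTP helo=<mail.news.example>
Feb 11 10:04:40 mx postfix/smtpd[2109]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 554 5.7.1 Service unavailable; Client host [192.0.2.44] blocked using zen.spamhaus.org; listed; from=<c@junk.example> to=<v@example.org> proto=ESMTP helo=<y.example>
Feb 11 10:05:00 mx postfix/smtpd[2109]: connect from mail.ok.example[198.51.100.20]
"""

# Label -> pattern in the reject text; the first match wins.
RULES = [
    ("rbl", re.compile(r"blocked using ([\w.-]+)")),
    ("postgrey", re.compile(r"Greylisted")),          # assumed default postgrey text
    ("spf", re.compile(r"\bSPF\b")),                  # assumed policyd-spf wording
    ("no_reverse_dns", re.compile(r"cannot find your reverse hostname")),
    ("sender_domain_not_found", re.compile(r"Sender address rejected: Domain not found")),
    ("non_fqdn", re.compile(r"need fully-qualified (?:hostname|address)")),
]
REJECT = re.compile(r"NOQUEUE: reject: \w+ from (\S+)\[([0-9a-fA-F.:]+)\]: (.*)")

def classify(detail):
    """Map the text after the client address to a restriction label."""
    for label, rx in RULES:
        m = rx.search(detail)
        if m:
            return f"rbl:{m.group(1)}" if label == "rbl" else label
    return "other"

def tally(log_text):
    """Return (rejects per label, rejected clients with verified rDNS per label)."""
    counts, named_clients = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue  # not a reject line
        host, _ip, detail = m.groups()
        label = classify(detail)
        counts[label] += 1
        if host != "unknown":  # Postfix logs "unknown" when rDNS is missing or unverified
            named_clients[label].add(host)  # candidates to review as false positives
    return counts, named_clients

if __name__ == "__main__":
    counts, named = tally(SAMPLE_LOG)
    for label, n in counts.most_common():
        print(f"{label:28} {n:3}  clients with rDNS: {sorted(named[label])}")
```

Run against real mail logs before and after adding or dropping a list to see how the reject share moves between the RBLs, postgrey and the hostname checks.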
