I've always wanted to deploy DCC:
http://www.rhyolite.com/dcc/

I haven't gotten around to it yet, but it's always struck me as a great
idea.




On Tue, Feb 11, 2014 at 10:57 AM, David Sommerseth <
sl+us...@lists.topphemmelig.net> wrote:

> On 11/02/14 02:13, Yasha Karant wrote:
> > Our site has been edicted to Microsoft Exchange server with a Barracuda
> > spam filter.  There are numerous difficulties, one of which is spam not
> > being filtered and non-spam being so filtered (significant increase in
> > mission critical false positives).  At present, the administrative
> > authorities (all of whom appear to be management professionals, not
> > internals nor systems folks) insist on Exchange, allowing open systems
> > standards compliant end-users to have IMAP service.  Given this, what
> > are the best server-side spam filters, either hardware or software?
> > "Best" should be based upon current field-deployed experience and/or
> > unsolicited external reviews (not vendor-supported "independent"
> > reviews).
>
> I've put up a fairly simple Postfix + Amavis-new + SpamAssassin server in
> front of some of my Zimbra servers to get rid of the "worst" trash (we
> also had some other requirements too, but that's not important in this
> thread).  I configured Postfix with several RBLs, SPF and postgrey.  In
> addition I added these smtpd_recipient_restrictions:
>
>         reject_unknown_reverse_client_hostname,
>         reject_invalid_hostname,
>         reject_non_fqdn_hostname,
>         reject_non_fqdn_sender,
>         reject_non_fqdn_recipient,
>         reject_unknown_sender_domain,
>
> The RBLs I have had great success with are:
>
>         reject_rbl_client bl.spamcop.net,
>         reject_rbl_client zen.spamhaus.org,
>         reject_rbl_client bl.blocklist.de,
>         reject_rbl_client b.barracudacentral.org,
>         reject_rbl_client bl.spamcannibal.org,
>         reject_rbl_client cidr.bl.mcafee.com,
>
> The two first ones and barracudacentral.org seem to be those being
> triggered most.  Barracudacentral requires a registration (they want the
> IP of your DNS resolver doing the queries).
>
> With all this in place, I reduced the spam which SpamAssassin filtered
> out from 75-80% to ~20-25%.
>
> I had to remove SORBS, as they actually listed a lot of valid SMTP
> relays ... and for those companies being hit here, it was just a too
> costly operation to fix each time it happened.  On the other hand, the
> other RBLs catch quite fine what SORBS blocked correctly.
>
> In regards to SPF, that works pretty well.  I did it even stricter than
> the default configuration (I use python-policyd-spf), where I set
> PermError_reject = True.  That enforces that SPF rules which are
> explicit much harder.
>
> And with postgrey, I learned that you need at least a 10-minute
> threshold.  For one of the servers I maintain, postgrey blocks ~25% of
> all mail attempts.  On another one (low traffic), the hit rate was so
> low I actually removed it.  So you need to test and see if it can match
> your needs.
>
>
> --
> kind regards,
>
> David Sommerseth
>
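
Added example, not part of the original thread: one way to measure which of the checks described above (RBLs, postgrey, SPF, reverse-DNS) actually fire on a given server, by classifying Postfix smtpd reject lines. The log lines are constructed samples, and the function names and category labels are assumptions of this sketch.

```python
import re
from collections import Counter

# Constructed sample in Postfix smtpd log format; IPs and domains are documentation values.
SAMPLE_LOG = """\
Feb 11 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<a@example.com> to=<u@example.org> proto=ESMTP helo=<x>
Feb 11 10:00:07 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using zen.spamhaus.org; from=<b@example.com> to=<u@example.org> proto=ESMTP helo=<y>
Feb 11 10:01:12 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using bl.spamcop.net; from=<c@example.net> to=<u@example.org> proto=ESMTP helo=<mail.example.net>
Feb 11 10:02:30 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from mail.example.com[192.0.2.25]: 450 4.2.0 <u@example.org>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/example.org.html; from=<d@example.com> to=<u@example.org> proto=ESMTP helo=<mail.example.com>
Feb 11 10:03:44 mx postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [203.0.113.77]; from=<e@example.com> to=<u@example.org> proto=SMTP helo=<z>
Feb 11 10:04:02 mx postfix/smtpd[2110]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.8]: 550 5.7.1 <u@example.org>: Recipient address rejected: Message rejected due to: SPF fail - not authorized; from=<f@example.org> to=<u@example.org> proto=ESMTP helo=<mail.example.net>
Feb 11 10:05:15 mx postfix/smtpd[2111]: connect from mail.example.com[192.0.2.25]
"""

# Client, SMTP reply code and free-text reason of a pre-queue reject.
REJECT = re.compile(r"NOQUEUE: reject: \w+ from \S+\[[^\]]+\]: (\d{3}) \S+ (.*)")

# Reason patterns, checked in order; labels are this sketch's own.
RULES = [
    ("rbl", re.compile(r"blocked using ([\w.-]+)")),
    ("greylist", re.compile(r"Greylisted")),
    ("spf", re.compile(r"\bSPF\b")),
    ("no_reverse_dns", re.compile(r"cannot find your reverse hostname")),
    ("sender_domain", re.compile(r"Sender address rejected: Domain not found")),
    ("non_fqdn", re.compile(r"need fully-qualified")),
]

def classify(line):
    """Return (label, permanent) for a reject line, or None for any other line."""
    m = REJECT.search(line)
    if not m:
        return None
    permanent = m.group(1).startswith("5")  # 5xx = hard reject, 4xx = retry later
    for label, pattern in RULES:
        hit = pattern.search(m.group(2))
        if hit:
            if label == "rbl":
                label = "rbl:" + hit.group(1).lower()  # keep the zone that listed the client
            return label, permanent
    return "other", permanent

def tally(log_text):
    """Count rejects per category over a whole log."""
    results = (classify(line) for line in log_text.splitlines())
    return Counter(label for label, _ in filter(None, results))

def rbl_ranking(counts):
    """RBL zones ordered by hit count, to see which lists earn their DNS lookups."""
    return Counter({k[4:]: v for k, v in counts.items() if k.startswith("rbl:")}).most_common()
```

Running `tally()` over a real mail log before and after adding or removing a list shows whether that list is catching anything the others miss.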
