RE: postscreen dnsbl AND smtpd_recipient_restrictions rbl?

2017-07-15 Thread Scott Techlist
>This looks similar to my own config, from which I think Steve adapted his.
>I presume therefore that you're using a threshold of 3?

Yes.

>SWL is no longer active; the zone has been emptied.

Check.  Thanks.

>>   reject_rbl_client bl.spamcop.net
>>   reject_rbl_client psbl.surriel.com
>
>I would not use those two to reject outright.  If you wanted to do that,
>why not just increase their postscreen scoring to 3?

Thanks.  Yes, that was kind of an indirect to my original question.  If
wanting to reject outright, increase score.

>>   reject_rbl_client cbl.abuseat.org,
>
>While there can be occasional slight lag between XBL (part of Zen) and CBL,
>that's not significant.  You already have this query, in effect, through
>the Zen lookup.

Check.  Will remove.  

>- Second chance in case of slow DNS response to dnsblog(8)
>- Second chance in case a Zen-listed host was on one of your
>  DNS whitelist queries (these should be rare, and I think the
>  popular DNSWL services check Zen against their own lists.)
>
>Disadvantage:
>- The tiny time and CPU expenditure of the second, cached lookup
>
>> Any advice appreciated.
>
>It really can't hurt to leave it enabled, if it's a DNSBL you considered
>worthy to use to block outright.  I would, however, advise you to remove
>the PSBL and spamcop smtpd restrictions.

Wilco.

Thanks Rob, much appreciated.

Re: postscreen dnsbl AND smtpd_recipient_restrictions rbl?

2017-07-15 Thread /dev/rob0
On Sat, Jul 15, 2017 at 10:30:25AM -0700, techlist06 wrote:
> I'm converting to use postscreen.  I have a question about dnsbl's 
> in postscreen vs smtpd_recipient_restrictions
> 
> Following threads here and a git by Steve Jenkins I was going to 
> start with this for postscreen:
> 
> postscreen_dnsbl_sites =
> zen.spamhaus.org*3

This looks similar to my own config, from which I think Steve adapted 
his.  I presume therefore that you're using a threshold of 3?

> bl.mailspike.net*2
> b.barracudacentral.org*2
> bl.spameatingmonkey.net
> bl.spamcop.net
> dnsbl.sorbs.net
> psbl.surriel.com
> swl.spamhaus.org*-4

SWL is no longer active; the zone has been emptied.

> list.dnswl.org=127.0.[2..15].0*-2
> list.dnswl.org=127.0.[2..15].1*-3
> list.dnswl.org=127.0.[2..15].[2..3]*-4
> wl.mailspike.net=127.0.0.[17;18]*-1
> wl.mailspike.net=127.0.0.[19;20]*-2
> 
> I had my smtpd_recipient_restrictions RBLs as:
>   ...
>   reject_rbl_client zen.spamhaus.org=127.0.0.[2..255],
>   reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99],
>   reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
>   reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],

>   reject_rbl_client bl.spamcop.net
>   reject_rbl_client psbl.surriel.com

I would not use those two to reject outright.  If you wanted to do 
that, why not just increase their postscreen scoring to 3?

>   reject_rbl_client cbl.abuseat.org,

While there can be occasional slight lag between XBL (part of Zen) 
and CBL, that's not significant.  You already have this query, in 
effect, through the Zen lookup.

> I've seen in other threads configs that left some but not all rbl's 
> in their smtpd_recipient_restrictions.  If I'm going to reject no 
> matter what at smtpd_recipient_restrictions, it seems I should give 
> that rbl a high score in postscreen checks and not do the second 
> check in smtpd_recipient_restrictions?  I understood that the 
> second lookup is "free" since it's cached, but is there any 
> advantage/disadvantage to having both?

Advantages:
- Second chance in case of slow DNS response to dnsblog(8)
- Second chance in case a Zen-listed host was on one of your
  DNS whitelist queries (these should be rare, and I think the
  popular DNSWL services check Zen against their own lists.)

Disadvantage:
- The tiny time and CPU expenditure of the second, cached lookup

> Any advice appreciated.

It really can't hurt to leave it enabled, if it's a DNSBL you 
considered worthy to use to block outright.  I would, however, advise 
you to remove the PSBL and spamcop smtpd restrictions.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: