>> On Jun 17, 2016, at 7:25 AM, Vincent Fox <vb...@ucdavis.edu> wrote:
>>
>> Greylisting imo helps a lot with RBL lag.

Greylisting is a must and it definitely helps with RBL lag.

> It can, but it's definitely a double-edged sword. Depending on the way the
> remote MTA works, I've experienced emails being delayed for quite some time. I
> had a lot of users requesting to be removed from the graylist, and eventually
> decided to drop it. When you're waiting for the confirmation of a PO from a
> new vendor on raw materials you need for a batch being made tomorrow it can be
> very frustrating :)

Use postscreen for RBL weighting to spread out the responsibility so unreliable
RBLs can still be used to add to the scoring. Then use
https://github.com/stevejenkins/postwhite to add in trustworthy sending domains
and large ISPs that are too big to block (yahoo, aol, comcast, etc.) without
too many consequences. Then use that same list from postwhite to bypass
greylisting (put it first in the list, before greylisting). Over time, you will
have a good list of trustworthy senders, so greylisting will only happen on a
subset of inbound email and most mail won't have a delay. Brand new compromised
senders will be delayed.

See the postscreen_spf_whitelist.cidr entries below:

    smtpd_recipient_restrictions =
        permit_mynetworks,
        check_helo_access pcre:/etc/postfix/helo_access_pcre,
        check_client_access hash:/etc/postfix/access,
        check_client_access cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_non_fqdn_hostname,
        reject_invalid_hostname,
        reject_unauth_destination,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unknown_reverse_client_hostname,
        reject_unlisted_sender,
        reject_unlisted_recipient,
        # SQLgrey on 127.0.0.1:2501
        check_policy_service inet:127.0.0.1:2501,
        # must have subscription to IVM to use this one below
        reject_rhsbl_sender uri.invaluement.com,
        reject_unverified_recipient,
        permit

    postscreen_access_list =
        permit_mynetworks,
        cidr:/etc/postfix/postscreen_access.cidr,
        cidr:/etc/postfix/postscreen_spf_whitelist.cidr

I have some scripts that analyze my SA scoring for the sending domains to give
me some safe/trustworthy domains to add to that postwhite list, since they
always score very low and have some other characteristics like being listed in
whitelists. These senders with good reputations and valid unsubscribe processes
get the green light through my mail server, even in SA, by using SHORTCIRCUIT
meta rules. This makes SA even faster by scanning less mail when it would have
scored it very low consistently anyway.

> The MTA will let the remote client know the email was rejected, or the local
> client can go into the SPAM folder and find the email; with graylists, neither
> the sender nor the receiver may realize the status of the email.
>>
>> Delay suspect IP long enough that by the time they retry, if they do, they
>> are on half a dozen RBL and score high and reject.
>>
>> Sent from my iPhone
>>
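An added example (not the poster's own scripts) of the kind of SA-score analysis described above: it reads a constructed per-message export of envelope sender, SpamAssassin score and hit rules, and picks sending domains that consistently score low and hit a reputation rule, as candidates for the postwhite/greylist-bypass list. The input format, the rule names treated as "listed in a whitelist", and the thresholds are assumptions for the example.

```python
"""Rank sending domains by SpamAssassin history to pick greylist-bypass
candidates. Input (constructed format): one line per message,
"sender<TAB>score<TAB>rules", as could be exported from X-Spam-Status headers."""
from collections import defaultdict
import re

# Constructed sample: score and hit rules per message, keyed by envelope sender.
SAMPLE = """\
news@bigbank.example\t-4.2\tRCVD_IN_DNSWL_HI,DKIM_VALID_AU,SPF_PASS
news@bigbank.example\t-3.9\tRCVD_IN_DNSWL_HI,DKIM_VALID_AU,SPF_PASS
news@bigbank.example\t-4.0\tRCVD_IN_DNSWL_HI,DKIM_VALID_AU,SPF_PASS
orders@vendor.example\t-1.1\tDKIM_VALID_AU,SPF_PASS
orders@vendor.example\t6.8\tURIBL_BLACK,MISSING_MID
deals@shady.example\t-0.5\tSPF_PASS
bounce@tiny.example\t-2.0\tRCVD_IN_DNSWL_MED,SPF_PASS
"""

# Assumed set of "reputation" rules: DNSWL listing or an aligned valid DKIM signature.
TRUST_RULES = re.compile(r"^(RCVD_IN_DNSWL_(MED|HI)|DKIM_VALID_AU)$")

def parse(text):
    """Yield (domain, score, set(rules)) per line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or "@" not in parts[0]:
            continue
        try:
            score = float(parts[1])
        except ValueError:
            continue
        domain = parts[0].rsplit("@", 1)[1].lower()
        yield domain, score, set(filter(None, parts[2].split(",")))

def trusted_domains(text, min_msgs=3, max_score=0.0):
    """Domains seen at least min_msgs times whose every message scored at or
    below max_score and hit at least one TRUST_RULES rule. A single
    high-scoring message disqualifies the whole domain (worst score wins).
    min_msgs=3 fits the sample; real use wants a much larger history."""
    stats = defaultdict(lambda: {"n": 0, "worst": float("-inf"), "ok": True})
    for domain, score, rules in parse(text):
        s = stats[domain]
        s["n"] += 1
        s["worst"] = max(s["worst"], score)
        s["ok"] = s["ok"] and any(TRUST_RULES.match(r) for r in rules)
    return sorted(d for d, s in stats.items()
                  if s["n"] >= min_msgs and s["worst"] <= max_score and s["ok"])

if __name__ == "__main__":
    for d in trusted_domains(SAMPLE):
        print(d)  # constructed sample -> bigbank.example
```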