I've been running sendmail since the beginning of my online time.

1. Did I see that postfix can run sendmail milters?
2. If so, did I read that postfix can run these separately for inbound vs. outbound?
3. Can it run like a rbl blacklist on inbound and not outbound?
4. If the above is true, does this require separate configurations of postfix or is it already set to allow this out of the box?

My reasoning... I've added a few milters which have drastically cut spam due to the extra time spent at the smtp level. For instance, running spamassassin takes a couple or few seconds. This bit of delay does in fact seem to stop many of the slamming spambots sort of like the design of milter-greylist. Except, I don't have to send a temp fail. So, this is a good thing. The negative is it also takes longer for my users to send mail as it is processed the same way during outgoing.

Also, we run the SpamHaus blacklist. This works pretty good for inbound, but from time to time one of our hosting clients winds up on the blocklist because they are on a dynamic IP and someone else has recently used it for spamming. One could argue that my client should then go remove their IP from the blacklist to better ensure their email actually makes it through any other level of spam filtering on other ISPs. But, that's a rosy concept! So, I would prefer to do it at the smtp level inbound so I can actually reject that mail while not having the embarrassing blocking going on with our users. Yes, this might sound like a double standard, but we do not provide connection service so only very rarely (never so far) does any virus actually send spam through our systems from client applications and I do actually monitor email all the time and stop any spamming immediately.

Thanks for any input.

John Hinton
<who still keeps eyeballing postfix but is so comfortable with sendmail>

John Hinton spake the following on 9/18/2007 12:00 PM:
> I've been running sendmail since the beginning of my online time.
>
> 1. Did I see that postfix can run sendmail milters?
> 2. If so, did I read that postfix can run these separately for inbound
> vs. outbound?
> 3. Can it run like a rbl blacklist on inbound and not outbound?
> 4. If the above is true, does this require separate configurations of
> postfix or is it already set to allow this out of the box?
>
> My reasoning... I've added a few milters which have drastically cut spam
> due to the extra time spent at the smtp level. For instance, running
> spamassassin takes a couple or few seconds. This bit of delay does in
> fact seem to stop many of the slamming spambots sort of like the design
> of milter-greylist. Except, I don't have to send a temp fail. So, this
> is a good thing. The negative is it also takes longer for my users to
> send mail as it is processed the same way during outgoing.

You should be able to exempt your outgoing mail from the milters.

>
> Also, we run the SpamHaus blacklist. This works pretty good for inbound,
> but from time to time one of our hosting clients winds up on the
> blocklist because they are on a dynamic IP and someone else has recently
> used it for spamming.

If your client is on a dynamic IP, then since you are hosting them that would put you on dynamic IPs. So if you are hosting them, and they are on dynamic IP, you are responsible if they end up on a blacklist, since you have ultimate control of the IP space you host.

> One could argue that my client should then go
> remove their IP from the blacklist to better ensure their email actually
> makes it through any other level of spam filtering on other ISPs. But,
> that's a rosy concept! So, I would prefer to do it at the smtp level
> inbound so I can actually reject that mail while not having the
> embarrassing blocking going on with our users. Yes, this might sound
> like a double standard, but we do not provide connection service so only
> very rarely (never so far) does any virus actually send spam through our
> systems from client applications and I do actually monitor email all the
> time and stop any spamming immediately.
>
> Thanks for any input.
>
> John Hinton <who still keeps eyeballing postfix but is so comfortable
> with sendmail>

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

John Hinton wrote:
> I've been running sendmail since the beginning of my online time.
>
> 1. Did I see that postfix can run sendmail milters?

Yes, but different versions have varying levels of milter support.

> 2. If so, did I read that postfix can run these separately for inbound
> vs. outbound?

Yes, you can apply separate rules for incoming and outgoing emails if they come from separate IPs or ports.

> 3. Can it run like a rbl blacklist on inbound and not outbound?

Yes.

> 4. If the above is true, does this require separate configurations of
> postfix or is it already set to allow this out of the box?

You will need to configure postfix appropriately.

>
> My reasoning... I've added a few milters which have drastically cut spam
> due to the extra time spent at the smtp level. For instance, running
> spamassassin takes a couple or few seconds. This bit of delay does in
> fact seem to stop many of the slamming spambots sort of like the design
> of milter-greylist. Except, I don't have to send a temp fail. So, this
> is a good thing. The negative is it also takes longer for my users to
> send mail as it is processed the same way during outgoing.

I do not know what level of milter support is required by your milters, so you may want to check them out. The latest versions of postfix will have more complete support.

>
> Also, we run the SpamHaus blacklist. This works pretty good for inbound,
> but from time to time one of our hosting clients winds up on the
> blocklist because they are on a dynamic IP and someone else has recently
> used it for spamming. One could argue that my client should then go
> remove their IP from the blacklist to better ensure their email actually
> makes it through any other level of spam filtering on other ISPs. But,
> that's a rosy concept! So, I would prefer to do it at the smtp level
> inbound so I can actually reject that mail while not having the
> embarrassing blocking going on with our users. Yes, this might sound
> like a double standard, but we do not provide connection service so only
> very rarely (never so far) does any virus actually send spam through our
> systems from client applications and I do actually monitor email all the
> time and stop any spamming immediately.

Sure, just make sure they use port 587 and are only allowed to have their email relayed after authentication, and disable filtering rules for port 587.

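The split described in the replies above (milters and the Spamhaus lookup on port 25, authenticated submission on port 587 with filtering disabled), sketched as a Postfix configuration. This is an added example, not part of the original thread; the milter socket path is an assumed placeholder and zen.spamhaus.org is assumed as the Spamhaus zone in use.

```conf
# ---- /etc/postfix/main.cf (defaults, used by the port 25 listener) ----

# Milters applied to mail received over SMTP.
# ASSUMPTION: placeholder socket path; point it at your milter's real socket.
smtpd_milters = unix:/path/to/your-milter.sock
# Mail injected locally (sendmail command line) is not passed to milters.
non_smtpd_milters =
# If the milter is unreachable, defer mail instead of accepting it unfiltered.
milter_default_action = tempfail

# Trusted networks and authenticated users are permitted before the DNSBL
# lookup, so only unauthenticated inbound clients are checked against it.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org

# ---- /etc/postfix/master.cf ----

# Port 25: inbound mail from other servers; inherits main.cf as-is.
smtp       inet  n  -  n  -  -  smtpd

# Port 587: your own users. TLS and SASL authentication are mandatory,
# relaying is allowed only after authentication, and the milter list and
# DNSBL check from main.cf are overridden so neither runs here.
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_milters=
```

Any other restriction lists set in main.cf (client, helo, sender) also apply to port 587 unless they are overridden in the same way; `postconf -n` shows which ones are set.
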
On 18 September 2007, John Hinton <webmaster at ew3d.com> wrote:
> Message: 11

<snip>

> Also, we run the SpamHaus blacklist. This works pretty good for
> inbound, but from time to time one of our hosting clients winds up on
> the blocklist because they are on a dynamic IP and someone else has
> recently used it for spamming. One could argue that my client should
> then go remove their IP from the blacklist to better ensure their
> email actually makes it through any other level of spam filtering on
> other ISPs. But, that's a rosy concept!

John:

That happened to us, this week. I was unable to use the SMTP on my web site for somewhere between 48-67 hours, because of Spamhaus. Apparently, this morning, when my wife powered things up, we got a clean IP address. When I went to the Spamhaus web site, it showed the IP numbers clear, but, on other lists.

Supposedly, if one uses SMTP Authentication, this problem goes away. However, I have always used SMTP Authentication. I do not want to change to another web hosting ISP, because this problem might follow me. And, I've been with them for almost 6 years. Also, Spamhaus says the problem should go away, in 1 or 2 hours, and in the past that was true, but not this time.

Good for you, to want to handle this in a better way for your clients!

Lanny