From: Bill Cole (postfixlists-070913 billmail.scconsult.com)
Date: Wed Apr 02 2008 - 09:01:36 CDT
At 9:11 PM -0400 4/1/08, Jorey Bump wrote:
[a bunch of good advice snipped]
>You can take a big bite out of spam instantly by adding an RBL. Add
>the following to your main.cf (you can separate restrictions with
>either commas or whitespace):
>
>   smtpd_recipient_restrictions =
>       permit_mynetworks
>       reject_unauth_destination
>       reject_rbl_client zen.spamhaus.org
While this is usually a good idea and I am a huge fan of the Spamhaus
DNSBLs, there is something that anyone running a serious mail server
using them should be aware of: they expect large users to chip in,
and will stop answering your queries if you do too many. To
understand what their limits on free use are, see
http://www.spamhaus.org/organization/dnsblusage.html
This is not an issue to take lightly. There have been days when my
personal domain (never more than a dozen actual users) has had more
than the 80k SMTP connections per day limit they set, although that's
very rare and it didn't generate the 320k queries/day limit they set
which is what would be noticeable by Spamhaus. If you have a mail
system handling mail for more than a hundred people, you stand a very
strong chance of exceeding their limits on a regular basis and a risk
of having your DNS queries ignored by Spamhaus without warning. One
should *never* rely on an upstream ISP's recursing resolvers for an
inbound mail server's DNS resolution, but a lot of small businesses
do so routinely and I have seen multiple reports of Spamhaus cutting
off resolution for ISP resolvers, presumably because they aggregate
the usage of thousands of tiny operators into a tremendous flood of
queries. Anyone turning on DNSBL queries either by way of
reject_rbl_client or by the use of something like SpamAssassin that
is not as obvious about its use of those resources needs to look
carefully at their DNS infrastructure to avoid both rudeness and
performance problems.
--
Bill Cole
bill
scconsult.com
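
Added example, not part of the original message: a Python sketch that counts daily SMTP connections and zen.spamhaus.org rejections in Postfix smtpd syslog lines and flags days above the 80k connections/day figure quoted above. The sample log lines, host names and addresses are constructed; connection counts are only a proxy for query volume, since caching and other DNSBL consumers such as SpamAssassin also affect what the DNSBL operator sees.

```python
import re
from collections import Counter

# Figure quoted in the message above for Spamhaus free use (check the current policy).
MAX_CONNECTIONS_PER_DAY = 80_000

# Postfix syslog line: "Apr  2 09:01:36 host postfix/smtpd[pid]: message"
LINE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) \S+ \S+ postfix/(?:\w+/)?smtpd\[\d+\]: (.*)$")

def daily_usage(lines, zone="zen.spamhaus.org"):
    """Return {day: {"connections": n, "dnsbl_rejects": n}} for smtpd log lines."""
    connects, rejects = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an smtpd line
        day = f"{m.group(1)} {int(m.group(2)):2d}"
        msg = m.group(3)
        if msg.startswith("connect from "):
            connects[day] += 1
        elif "blocked using " + zone in msg:
            rejects[day] += 1
    return {d: {"connections": connects[d], "dnsbl_rejects": rejects[d]}
            for d in set(connects) | set(rejects)}

def days_over_limit(usage, limit=MAX_CONNECTIONS_PER_DAY):
    """Day labels whose connection count exceeds the limit."""
    return sorted(d for d, u in usage.items() if u["connections"] > limit)

# Constructed sample input (documentation addresses, hypothetical host "mx").
SAMPLE_LOG = """\
Apr  1 21:11:02 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Apr  1 21:11:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<b@example.com> proto=ESMTP helo=<x>
Apr  1 21:12:40 mx postfix/smtpd[2102]: connect from mail.example.org[198.51.100.7]
Apr  2 09:01:36 mx postfix/smtpd[2110]: connect from unknown[203.0.113.5]
""".splitlines()

if __name__ == "__main__":
    usage = daily_usage(SAMPLE_LOG)
    for day, counts in sorted(usage.items()):
        print(day, counts)
    print("days over limit:", days_over_limit(usage))
```

To run it on real data, pass the lines of the mail log file to `daily_usage` in place of `SAMPLE_LOG`.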