SMTP Sanity Check

I've spent the weekend configuring Postfix and Dovecot for a small server on Linode for a personal site/email. I feel like I've set up Postfix correctly and I'm ready to open up port 25 in iptables and start getting email. I have to admit I still feel a bit fuzzy about some of the setup.

I've configured fail2ban for Postfix, which seems to work. I've also run several online open relay testers to verify my server isn't operating as one. I've also got mail filtering through SpamAssassin.

Is there anything further that I should verify/test before opening up the server to the wild?

3 Replies

I usually point people to the Postfix restrictions and greylisting pages on the CentOS wiki.

The restrictions are a bunch of sanity checks that Postfix has built-in. Those that are generally useful and shouldn't block valid e-mail are reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, and reject_unauth_destination. If you are confident your recipient mapping is set up correctly, you can also put reject_unlisted_recipient into your smtpd_recipient_restrictions.

The check_sender_access is only useful if you want to set up a custom whitelist/blacklist, and reject_rbl_client is only if you want to use one or more DNS block lists. If you do want to use a DNSBL, choose carefully as some of them can be overzealous in what they block.

Greylisting has its proponents and detractors. I am one of the former, as it is the one single measure that most cuts down on spam for me. The downside is that mail from new originators will be delayed, usually 5-15 minutes, but potentially for hours before the message is retried. (The introduction section on the wiki page linked above gives a good quick overview.) Once a CLIENT_IP / SENDER / RECIPIENT triplet is cleared, future messages will not be delayed. If you routinely get time-sensitive e-mail from new senders, then greylisting is not for you. If you get upset when mail doesn't arrive immediately from some new web site you created an account on, again it's not for you.

Note that content filtering (Spamassassin) can consume a lot of CPU and memory, depending on how much mail it has to process. If you run other services on this machine, you may want to keep an eye on it or even disable it. But if your machine is lightly loaded, it's probably worth keeping.

One mailserver I administer has only the Postfix restrictions and greylisting configured. There are no DNSBLs and no content filtering. The amount of spam that gets through is pretty small. Just by doing this and making sure you're not an open relay, you're in a pretty good position.
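As an added example (not configuration posted in this thread), here is a main.cf fragment that puts the restriction list above into practice together with greylisting; the postgrey address 127.0.0.1:10023 and smtpd_helo_required are assumptions, so adjust them for your distribution.

```conf
# main.cf excerpt (added example; assumes postgrey listens on 127.0.0.1:10023)

# Require HELO/EHLO so the helo restrictions below have something to check
smtpd_helo_required = yes

# Each list is evaluated in order; the first matching permit/reject wins.
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

# Pipelining abuse is best rejected at the DATA stage
smtpd_data_restrictions =
    reject_unauth_pipelining

# reject_unauth_destination is the rule that keeps you from being an open
# relay. It must come AFTER the permits for your own networks/authenticated
# users and BEFORE the greylisting policy service, so relay attempts are
# refused outright instead of being greylisted and retried.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:10023
```

After `postfix reload`, confirm the active values with `postconf -n | grep restrictions` and re-run an open relay test, since a misordered list (a permit placed after reject_unauth_destination, or the policy service placed before it) changes the outcome.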

@Vance:

Greylisting has its proponents and detractors. I am one of the former, as it is the one single measure that most cuts down on spam for me. The downside is that mail from new originators will be delayed, usually 5-15 minutes, but potentially for hours before the message is retried.

I had issues with mail server farms and greylisting. Multiple consecutive failures, each originating from a different server in the farm. Sometimes it would be many hours before delivery success. I eventually dropped greylisting because of it. Have you encountered this? Found a way of avoiding it?

@sleddog:

I had issues with mail server farms and greylisting. Multiple consecutive failures, each originating from a different server in the farm. Sometimes it would be many hours before delivery success. I eventually dropped greylisting because of it. Have you encountered this? Found a way of avoiding it?

This hasn't been a real problem for me personally, but I can see how this would arise depending on what service the senders of mail are using. AFAIK, the only workaround is to whitelist the sending servers; postgrey comes with a whitelist that includes many entries, but you may need to put some of your own into postgrey_whitelist_clients.local.
