[CentOS] Recommend Mail Server
Thomas Harold
thomas-lists at nybeta.com
Wed Nov 25 19:03:30 UTC 2009
On 11/23/2009 1:59 PM, Robert Moskowitz wrote:
> Susan Day wrote:
>> Hi;
>> I don't want sendmail. What's a good secure email server that I can
>> yum? I really only need smtp right now, but who knows what the future
>> will bring?
>
> See my slightly prior post on: Re: [CentOS]
> smtp+pop3+imap+tls+webmail+anti spam+anti virus
>
We use postfix, dovecot, clamav milter (reject at SMTP time), spf policy
check (with rejecting on SPF_FAIL at SMTP time), and AmavisD-New w/
SpamAssassin for scoring what's left.
...
For us, reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname
in the smtpd_helo_restrictions ends up blocking probably 80% of all
inbound spam/virus attempts. In a few years, I have yet to see someone
complain about a false positive reject from those restrictions. Our
users would see 4x-6x more mail that would have to be virus scanned or
spam scored without those checks.
The reject_unknown_helo_hostname check, OTOH, is much more likely to
reject mail from a valid mail server. It's a good check, but the false
positive rate for us is in the 1:2000 to 1:3000 rejects will be a false
positive. So we have a whitelist where we list the HELOs of
misconfigured mail servers of companies that we do business with. We
had to list a bunch of folks back when we started, but it's trickled
down to about 1 per month now. And in 90% of the cases, you can tell
from the HELO name that it's a Microsoft Exchange server.
http://tools.ietf.org/html/rfc5321#section-2.3.5
Used to use some DNSBL based rejects at SMTP time, but now we just let
that stuff through and have SpamAssassin score it. Then we use
server-side sieve scripts to quarantine stuff higher then 8.0-9.0
directly into the server-side Junk folder. (We score and tag at 4.5,
but don't quarantine until 8.0 or 9.0.)
More information about the CentOS
mailing list