[CentOS] Recommend Mail Server

Thomas Harold thomas-lists at nybeta.com
Wed Nov 25 19:03:30 UTC 2009


On 11/23/2009 1:59 PM, Robert Moskowitz wrote:
> Susan Day wrote:
>> Hi;
>> I don't want sendmail. What's a good secure email server that I can
>> yum? I really only need smtp right now, but who knows what the future
>> will bring?
>
> See my slightly prior post on:  Re: [CentOS]
> smtp+pop3+imap+tls+webmail+anti spam+anti virus
>

We use postfix, dovecot, clamav milter (reject at SMTP time), spf policy 
check (with rejecting on SPF_FAIL at SMTP time), and AmavisD-New w/ 
SpamAssassin for scoring what's left.

...

For us, reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname 
in the smtpd_helo_restrictions ends up blocking probably 80% of all 
inbound spam/virus attempts.  In a few years, I have yet to see someone 
complain about a false positive reject from those restrictions.  Our 
users would see 4x-6x more mail that would have to be virus scanned or 
spam scored without those checks.

The reject_unknown_helo_hostname check, OTOH, is much more likely to 
reject mail from a valid mail server.  It's a good check, but the false 
positive rate for us is in the 1:2000 to 1:3000 rejects will be a false 
positive.  So we have a whitelist where we list the HELOs of 
misconfigured mail servers of companies that we do business with.  We 
had to list a bunch of folks back when we started, but it's trickled 
down to about 1 per month now.  And in 90% of the cases, you can tell 
from the HELO name that it's a Microsoft Exchange server.

http://tools.ietf.org/html/rfc5321#section-2.3.5

Used to use some DNSBL based rejects at SMTP time, but now we just let 
that stuff through and have SpamAssassin score it.  Then we use 
server-side sieve scripts to quarantine stuff higher then 8.0-9.0 
directly into the server-side Junk folder.  (We score and tag at 4.5, 
but don't quarantine until 8.0 or 9.0.)


More information about the CentOS mailing list