On 11/23/2009 1:59 PM, Robert Moskowitz wrote:
Susan Day wrote:
Hi; I don't want sendmail. What's a good secure email server that I can yum? I really only need smtp right now, but who knows what the future will bring?
See my slightly prior post on: Re: [CentOS] smtp+pop3+imap+tls+webmail+anti spam+anti virus
We use postfix, dovecot, clamav milter (reject at SMTP time), spf policy check (with rejecting on SPF_FAIL at SMTP time), and AmavisD-New w/ SpamAssassin for scoring what's left.
...
For us, reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname in the smtpd_helo_restrictions ends up blocking probably 80% of all inbound spam/virus attempts. In a few years, I have yet to see someone complain about a false positive reject from those restrictions. Our users would see 4x-6x more mail that would have to be virus scanned or spam scored without those checks.
The reject_unknown_helo_hostname check, OTOH, is much more likely to reject mail from a valid mail server. It's a good check, but the false positive rate for us is in the 1:2000 to 1:3000 rejects will be a false positive. So we have a whitelist where we list the HELOs of misconfigured mail servers of companies that we do business with. We had to list a bunch of folks back when we started, but it's trickled down to about 1 per month now. And in 90% of the cases, you can tell from the HELO name that it's a Microsoft Exchange server.
http://tools.ietf.org/html/rfc5321#section-2.3.5
Used to use some DNSBL based rejects at SMTP time, but now we just let that stuff through and have SpamAssassin score it. Then we use server-side sieve scripts to quarantine stuff higher then 8.0-9.0 directly into the server-side Junk folder. (We score and tag at 4.5, but don't quarantine until 8.0 or 9.0.)