[CentOS] Postfix Questions

Wed Sep 19 01:10:39 UTC 2007
Feizhou <feizhou at graffiti.net>

John Hinton wrote:
> I've been running sendmail since the beginning of my online time.
> 1. Did I see that postfix can run sendmail milters?

Yes but different version with varying levels of milter support.

> 2. If so, did I read that postfix can run these separately for inbound 
> vs. outbound?

Yes you can apply separate rules for incoming and outgoing emails if 
they come from separate ips or ports.

> 3. Can it run like a rbl blacklist on inbound and not outbound?


> 4. If the above is true, does this require separate configurations of 
> postfix or is it already set to allow this out of the box?

You will need to configure postfix appropriately.

> My reasoning... I've added a few milters which has drastically cut spam 
> due to the extra time spent at the smtp level. For instance, running 
> spamassassin takes a couple or few seconds. This bit of delay does in 
> fact seem to stop many of the slamming spambots sort of like the design 
> of milter-greylist. Except, I don't have to send a temp fail. So, this 
> is a good thing. The negative is it also takes longer for my users to 
> send mail as it is processed the same way during outgoing.

I do not know what level of milter support is required by your milters 
so you may want to check them out. The latest versions of postfix will 
have more complete support.

> Also, we run the SpamHaus blacklist. This works pretty good for inbound, 
> but from time to time one of our hosting clients winds up on the 
> blocklist because they are on a dynamic IP and someone else has recently 
> used it for spamming. One could argue that my client should then go 
> remove their IP from the blacklist to better insure their email actually 
> makes it through any other level of spam filtering on other ISPs. But, 
> that's a rosey concept! So, I would prefer to do it at the smtp level 
> inbound so I can actually reject that mail while not having the 
> embarrassing blocking going on with our users. Yes, this might sound 
> like a double standard, but we do not provide connection service so only 
> very rarely (never so far) does any virus actually send spam through our 
> systems from client applications and I do actually monitor email all the 
> time and stop any spamming immediately.

Sure, just make sure they use port 587 and are only allowed to have 
their email relayed after authentication and disable filtering rules for 
port 587.