[kwlug-disc] So, I took the plunge... Mail In A Box

Andrew Kohlsmith (mailing lists account) aklists at mixdown.ca
Mon Feb 19 22:19:59 EST 2018


> On Feb 19, 2018, at 1:18 PM, doug moen <doug at moens.org> wrote:
> One of the things you need for an email server is a high quality IP address that won't be blacklisted by DNS black hole spam filtering. Most of my spam is rejected based on the IP address. So you need to own a static IP address, and establish a high reputation for it. That might be hard if the IP address lives in a bad neighbourhood, eg a residential IP block, or maybe even a cloud VPS block.

I’ve run my own email server since 2001 (used to be qmail, but for the last decade at least it’s been postfix). I do very light spam filtering, but am religious about keeping my IPs squeaky clean to avoid blacklists.

For almost that entire time I’ve been using colocated server space from Mark Steffen (local guy, hangs out on this list too), and in its most recent incarnation as colocated space with his Indieserve Networks company.

The only time I’ve had issues with blacklists has been when I’ve messed something up. As far as “IP neighbourhoods” go, Mark runs a pretty tight ship. I’m happy to recommend his network for your VPS or colocation needs.

Other things which go a long way to preventing your domain from getting blacklisted involve basic good netizen things:
* have a reverse IP mapping set up correctly and matching your SMTP server banner
* have correct (and tight) SPF DNS entries

As far as how I limit my own exposure to spam in postfix:
Obvious things for smtpd_sender_restrictions:
* tighten up relay_domains and relay_networks
* use basic helo_checks as low-cost rejection
* reject_unknown_sender_domain

Less obvious things for smtpd_sender_restrictions:
* reject_non_fqdn_sender
* reject_invalid_hostname

and for smtpd_recipient_restrictions:
* basic helo_checks
* basic client_checks
* reject_unauth_destination
* reject_invalid_hostname
* reject_non_fqdn_hostname
* reject_non_fqdn_sender
* reject_non_fqdn_recipient
* reject_unknown_sender_domain
* reject_unknown_recipient_domain
* reject_rbl_client zen.spamhaus.org
* reject_unauth_pipelining

As you can see, I’m only using one RBL. spamhaus is pretty reliable and they don’t have a hair-trigger anaphylactic reaction to an individual spam report from some random internet user like other lists.

The basic helo_checks and sender/client checks just reject mail outright if the server contacting me claims to be mixdown.ca or localhost, or if they claim to be coming from an RFC1918 IP space.

Also recommended, though it probably doesn’t do anything for spam, is to set up SSL/TLS and tighten up the acceptable ciphers/hashes. I did the same for my web server and that took a LOT of tweaking and testing to get the A+ ratings from the various online checkers. I’d also recommend obfuscating the SMTP software banner to help prevent people from targeting specific attacks against your software, should anything subtle show up before you read about it and fix it.

For email, mxtoolbox.com is pretty good. They’ll also do blacklist checks.

-A.
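
As an added illustration (not Andrew's configuration and not Postfix code), the Python below models the restriction chain his lists describe, evaluated over constructed SMTP sessions: the helo_checks table (own domain, localhost, RFC1918 literal), the non-FQDN and unknown-domain rejections for HELO, sender and recipient, reject_unauth_destination, and a reject_rbl_client lookup against zen.spamhaus.org. Everything site-specific is an assumption: the mydestination/mynetworks values, the in-memory DNS table that stands in for the resolver, the placement of permit_mynetworks ahead of reject_unauth_destination, and the reply codes, which only approximate what Postfix emits.

```python
"""Model of the Postfix smtpd restriction chain described in the post, run over
constructed SMTP sessions.  Added illustration, not Postfix code; DNS answers
come from an in-memory table so it runs offline."""
import ipaddress
import re

# Constructed site settings (assumptions standing in for main.cf values).
MYDESTINATION = {"mixdown.ca", "localhost"}         # domains we deliver locally
RELAY_DOMAINS = set()                                # relay_domains tightened to nothing
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]   # only loopback may relay through us
RBLS = ["zen.spamhaus.org"]                          # the single RBL the post uses

# Constructed DNS table: a name "resolves" if it is a key here (IPv4 only).
DNS = {
    "mixdown.ca": "A", "example.com": "A", "mail.good.example": "A",
    "4.3.2.1.zen.spamhaus.org": "127.0.0.2",        # i.e. client 1.2.3.4 is listed
}

# Hostname labels: letters/digits/hyphens, no leading or trailing hyphen, two or more labels.
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
FQDN_RE = re.compile(rf"^{LABEL}(\.{LABEL})+$")


def is_fqdn(name):
    return bool(FQDN_RE.match(name))


def as_ip(text):
    """ip_address for a bare or bracketed address literal, else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def rbl_listed(ip, dns):
    """reject_rbl_client: look up the reversed octets under each RBL zone."""
    rev = ".".join(reversed(ip.split(".")))
    return [zone for zone in RBLS if f"{rev}.{zone}" in dns]


def helo_checks(helo):
    """The post's helo_checks table: refuse clients claiming to be us, localhost,
    or an RFC1918 address."""
    if helo.lower() in MYDESTINATION:
        return "550 5.7.1 HELO name is my own domain, go away"
    ip = as_ip(helo)
    if ip is not None and ip.is_private:
        return "550 5.7.1 HELO with RFC1918 address literal"
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def evaluate(session, dns=DNS):
    """Return '250 OK' or the first rejection.  With smtpd_delay_reject=yes Postfix
    evaluates client, helo, sender and recipient restrictions, in that order, at RCPT TO."""
    ip, helo, sender, rcpt = (session[k] for k in ("ip", "helo", "sender", "rcpt"))
    # client_checks / reject_rbl_client zen.spamhaus.org
    hits = rbl_listed(ip, dns)
    if hits:
        return f"554 5.7.1 client {ip} blocked using {hits[0]}"
    # helo_checks, reject_invalid_hostname, reject_non_fqdn_hostname (address literals allowed)
    verdict = helo_checks(helo)
    if verdict:
        return verdict
    if as_ip(helo) is None and not is_fqdn(helo):
        return f"504 5.5.2 <{helo}>: Helo command rejected: need fully-qualified hostname"
    # reject_non_fqdn_sender, reject_unknown_sender_domain (null sender exempt: bounces)
    sdom = domain_of(sender)
    if sender not in ("", "<>"):
        if not is_fqdn(sdom):
            return f"504 5.5.2 <{sender}>: Sender address rejected: need fully-qualified address"
        if sdom not in dns:
            return f"450 4.1.8 <{sender}>: Sender address rejected: Domain not found"
    # reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination
    rdom = domain_of(rcpt)
    if not is_fqdn(rdom):
        return f"504 5.5.2 <{rcpt}>: Recipient address rejected: need fully-qualified address"
    if rdom not in dns:
        return f"450 4.1.2 <{rcpt}>: Recipient address rejected: Domain not found"
    if any(ipaddress.ip_address(ip) in net for net in MYNETWORKS):
        return "250 OK"   # assumption: permit_mynetworks precedes reject_unauth_destination
    if rdom not in MYDESTINATION | RELAY_DOMAINS:
        return f"554 5.7.1 <{rcpt}>: Relay access denied"
    return "250 OK"


# Constructed sessions, each the state Postfix has when RCPT TO arrives.
GOOD = dict(ip="198.51.100.7", helo="mail.good.example", sender="bob@example.com", rcpt="andrew@mixdown.ca")
SESSIONS = {
    "clean":       GOOD,
    "fake_helo":   {**GOOD, "helo": "mixdown.ca"},
    "rfc1918":     {**GOOD, "helo": "[192.168.1.5]"},
    "rbl_hit":     {**GOOD, "ip": "1.2.3.4"},
    "bare_sender": {**GOOD, "sender": "root@localhost"},
    "nx_sender":   {**GOOD, "sender": "x@nx.invalid"},
    "open_relay":  {**GOOD, "rcpt": "victim@example.com"},
    "bounce":      {**GOOD, "sender": "<>"},
}


def run_all():
    return {name: evaluate(s) for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:12} {verdict}")
```

Two details worth noticing when you move from the model to a real main.cf: the null sender must stay exempt from reject_non_fqdn_sender or you will refuse every bounce, and address literals in HELO must pass the FQDN check, since that is what the real reject_non_fqdn_helo_hostname does.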
