[kwlug-disc] So, I took the plunge... Mail In A Box

Chamunks chamunks at gmail.com
Tue Feb 20 13:10:55 EST 2018


@bob, I've managed to telnet into Google's servers with my home connection
using a TekSavvy PPPoE connection and static IP. I just wish that the miab
script would run on a Raspberry Pi; I'd run it from home instead.

On Mon, Feb 19, 2018, 10:21 PM Andrew Kohlsmith (mailing lists account) <aklists at mixdown.ca> wrote:

> On Feb 19, 2018, at 1:18 PM, doug moen <doug at moens.org> wrote:
> > One of the things you need for an email server is a high quality IP
> > address that won't be blacklisted by DNS black hole spam filtering. Most of
> > my spam is rejected based on the IP address. So you need to own a static IP
> > address, and establish a high reputation for it. That might be hard if the
> > IP address lives in a bad neighbourhood, eg a residential IP block, or
> > maybe even a cloud VPS block.
>
>
> I’ve run my own email server since 2001 (used to be qmail, but for the
> last decade at least it’s been postfix). I do a very light spam filtering,
> but am religious about keeping my IPs squeaky clean to avoid blacklists.
>
> For almost that entire time I’ve been using colocated server space from
> Mark Steffen (local guy, hangs out on this list too) and in the most recent
> incarnation as colocated space with his Indieserve networks company.
>
> The only time I’ve had issues with blacklists has been when I’ve messed
> something up. As far as “IP neighbourhoods” goes, Mark runs a pretty tight
> ship. I’m happy to recommend his network for your VPS or colocation needs.
>
> Other things which go a long way to preventing your domain from getting
> blacklisted involve basic good netizen things:
> * have a reverse IP mapping set up correctly and matching your SMTP server
> banner
> * have correct (and tight) SPF DNS entries
>
> As far as how I limit my own exposure to spam in postfix:
> Obvious things for smtpd_sender_restrictions:
> * tighten up relay_domains and relay_networks
> * use basic helo_checks as low-cost rejection
> * refuse_unknown_sender_domain
>
> Less obvious things for smtpd_sender_restrictions:
> * reject_non_fqdn_sender
> * reject_invalid_hostname
>
> and for smtpd_recipient_restrictions:
> * basic helo_checks
> * basic client_checks
> * reject_unauth_destination
> * reject_invalid_hostname
> * reject_non_fqdn_hostname
> * reject_non_fqdn_sender
> * reject_non_fqdn_recipient
> * reject_unknown_sender_domain
> * reject_unknown_recipient_domain
> * reject_rbl_client zen.spamhaus.org
> * reject_unauth_pipelining
>
> As you can see, I’m only using one RBL. spamhaus is pretty reliable and
> they don’t have a hair-trigger anaphylactic reaction to an individual
> spam report from some random internet user like other lists.
>
> The basic helo_checks and sender/client checks just reject mail outright
> if the server contacting me claims to be mixdown.ca or localhost, or if
> they claim to be coming from an RFC1918 IP space.
>
> Also recommended, but probably doesn’t do anything for spam, is to set up
> SSL/TLS and tighten up the acceptable ciphers/hashes. I did the same for my
> web server and that took a LOT of tweaking and testing to get the A+
> ratings from the various online checkers. I’d also recommend obfuscating
> the SMTP software banner to help prevent people from targeting specific
> attacks against your software, should anything subtle show up before you
> read about it and fix it.
>
> For email, mxtoolbox.com is pretty good. They’ll also do blacklist checks.
>
> -A.
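The restriction lists quoted above, written out as a Postfix `main.cf` fragment. This is an added example, not the poster's actual configuration. Assumptions: the map file names and their contents, `example.org` as a placeholder for your own domain, `mynetworks` as the setting meant by "relay_networks", `reject_unknown_sender_domain` for "refuse_unknown_sender_domain", and the Postfix 2.3+ names `reject_invalid_helo_hostname` / `reject_non_fqdn_helo_hostname` for the two hostname checks.

```conf
# main.cf fragment (added example; paths, tables and example.org are assumptions)

# The banner must start with $myhostname; leave out software name and version.
smtpd_banner = $myhostname ESMTP

# Require HELO/EHLO so the helo checks always have a value to test.
smtpd_helo_required = yes

# Relay only for this host; add networks or domains deliberately.
mynetworks = 127.0.0.0/8 [::1]/128
relay_domains =

smtpd_sender_restrictions =
    check_helo_access regexp:/etc/postfix/helo_checks,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender

# The two access tables below only ever return REJECT. An OK result placed
# before reject_unauth_destination would permit relaying.
smtpd_recipient_restrictions =
    check_helo_access regexp:/etc/postfix/helo_checks,
    check_client_access cidr:/etc/postfix/client_checks,
    reject_unauth_destination,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    reject_unauth_pipelining

# /etc/postfix/helo_checks (regexp table, matched against the HELO argument)
#   /(^|\.)example\.org$/    REJECT You are not example.org
#   /^localhost$/            REJECT You are not localhost
#   /^\[?(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/  REJECT RFC 1918 HELO
#
# /etc/postfix/client_checks (cidr table, matched against the client IP)
#   10.0.0.0/8       REJECT RFC 1918 client address
#   172.16.0.0/12    REJECT RFC 1918 client address
#   192.168.0.0/16   REJECT RFC 1918 client address
```

Run `postfix check` after editing; `postconf -n` shows the non-default settings that are actually in effect.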