mwatkins said:
I used to use grey-listing but found it was causing me more admin headaches. Some surprisingly large organizations run mail servers that don't behave as they should.
I agree, some organizations (most of them small, in my experience) don't use proper SMTP servers.
In the past 7 years, I took care of the corporate email server. I started using greylisting 4 years ago. During this 4 years, I had less than four events related to greylisting per year.
So, I don't need a so-called lightweight solution (DSPAM) and I don't need to tune SpamAssassin every day, or week. Keep in mind that a SPAM sender need _speed_, and greylisting hits the spammers just at this point.
IMO, it's fine to add 4 exceptions per year to a table, instead of upgrading hardware/spam signatures/etc and keeping the server more busy than it is required, because few "systems admins" don't know protocol requirements or forgot about SMTP queues.
I forgot in my previous post to mention fail2ban. It is possible to instruct fail2ban to block IP addresses which insist on sending mail
- 1 - from RBL blocked addresses
- 2 - for non-existing mail accounts
Also, it is possible to add exceptions to 'unconfigurable remote SMTP servers', using postfix's 'smtpd_client_restrictions' combined with a hash table with 'excepted' IP addresses.