Dovecot+Postfix, but which Spam / Virus Filter

[hoppel]

Hi,

my working setup
- FreeBSD 11 p6
- iocage / zfs / jails
- jail1 - mysql 8
- jail2 - nginx
- jail3 - mail with postfix and dovecot
- jail4 - dns cache unbound with separate forwards for spamhaus and uribl.com

so far so good.

I installed rspamd from the source. It takes around 90min to compile and it use around 170 packages. Seems to use the half world. I had problems to configure rspamd, one library 'libfreetype' in /usr/share/lib had the wrong rights. There 're a lot of messages in /var/log/rspamd for errors in my dns. So I installed a unbound in a jail.

so far so good.

---
1) rspamd

Is rspamd the best solution for spam, dkim and virus support?

Should I use GD and / or Hyperscan support?


2) unbound

I'm a bit lost with unbound. I found another public DNS server for uribl.com, so I configured a forward-ip rule for uribl.com and it works. But that should not the recommend solution.

What is the right solution for spamhaus and uribl.com?
http://uribl.com/refused.shtml

my unbound config


regards
Steffen

more conf.d/unbound.conf 

server:
  logfile: "/var/unbound/unbound.log"
  verbosity: 1

  port: 53    # port to answer queries from
  do-ip4: yes    # Enable IPv4, "yes" or "no".
  do-ip6: no    # Enable IPv6, "yes" or "no".
  do-udp: yes    # Enable UDP, "yes" or "no".
  do-tcp: yes

  hide-identity: yes
  hide-version: yes
  rrset-roundrobin: yes
  minimal-responses: no
  use-caps-for-id: yes
  cache-min-ttl: 60
  prefetch: yes
  prefetch-key: yes
  num-threads: 1  # 1 is enough for not heavy loaded server
  val-permissive-mode: yes

  # client ips that are allowed to query to this server.
  access-control: 10.1.1.0/24 allow
  access-control: 127.0.0.0/24 allow

  # Enforce privacy of these addresses.
  private-address: 10.1.1.0/24

  root-hints: "/var/unbound/root.hints"

  # You need these to turn on DNSSEC validation
  # auto-trust-anchor-file: "/var/unbound/root.key"
  # it's set in the main unbound.cnf

  module-config: "validator iterator"

  # You need this as no for dnscrypt-proxy to work
  do-not-query-localhost: no

# Yoyo.org anti-ad server listing with script in dns/root/ad_servers.sh
#  include: "/var/unbound/ad_servers"

  forward-zone:
  name: "spamhaus.org"
      forward-addr: some IP Address

  forward-zone:
  name: multi.uribl.com
      forward-addr: some IP Address

 

[obsigna]

I don't understand why you need special settings for the RBL´s for Unbound. These should be handled entirely by Postfix, for example putting the following in main.cf should suffice to activate all realtime blocklists of Spamhaus: reject_rbl_client zen.spamhaus.org -- see: http://www.postfix.org/postconf.5.html#reject_rbl_client. If this doesn´t work, then make sure that Postfix has access to the DNS.

That said, in the past I heavily used Spamhaus for all of the mail servers under my control. After the Snowden revelations, I stopped with Spamhaus and other RBL´s. Note, I do not say that the GHCQ is operating Spamhaus. I only know, if I were the GHCQ, I would want to operate a popular RBL like Spamhaus (located in the UK), in order to obtain informations apprx. 100 ms before the fact about the start- and endpoints of e-mail conversations for over 3 billion mailboxes.

With an 18 year history, vast data traffic visibility and now protecting over 3 Billion mailboxes, Spamhaus is the industry leader in realtime actionable highly accurate threat intelligence

Since then, I utilized mail/greyfix instead, and I am very satisfied.

 

[mss_cyclist]

I used to use dspam. It really worked good. Very short time of learning. Then very few FP's or FN's.
Then I switched to rspamd. The new kid. Until now it works ok. In my opinion it is less accurate then dspam. However I still need to get used to it. Cannot remember why I switched.

Dspam was a little bit harder to install and configure to get running. Rspamd has more configure options which are (at least for me) harder to get used to. So many buttons to tweak...