On 4/8/20 11:56 AM, Ralph Seichter wrote:
> * Auke Kok:
>
> > I was hoping to build some sort of "best-practices" postfix setup that
> > is properly guarding with SPF/DKIM enforcing and possibly even
> > postgrey or something like it.
>
> My advice: Don't try to be smarter than Wietse Venema, and in particular
> don't involve third party software. SPF and DKIM require access to a
> working nameserver plus solid knowledge of the mechanics involved. To do
> it right, one also needs to implement DNSSEC, which opens yet another
> can of worms.
>
> Just stick to what is installed by Postfix's "make install", and maybe
> modify inet_interfaces and mynetworks. If a user wants to set up a real
> Internet-facing mailserver, other than use an existing relayhost, he'll
> have to do serious homework before Google, Microsoft et al will accept
> mail from that machine. The Postfix mailing list is routinely filled
> with support requests by people who underestimate what it means to run a
> full-fledged mail exchanger in this day and age.
>
> Oh, before I forget, Postgrey has become pretty much obsolete when
> Wietse added Postscreen to the core software. Postscreen is easier to
> configure and requires fewer resources. Don't use Postgrey. Really,

I've been running one since, well, too long (15+ years?), and indeed
postgrey has been a pain - except it was extremely successful in
dropping inbound spam by a significant margin.

I had definitely not heard of postscreen, so, thanks for that pointer -
I will definitely look into that :)