Re: Outbound RBL
On 2/1/2012 3:43 AM, Gábor Lénárt wrote:
> Of course I only wrote about a "local RBL" which is maintained by ourselves
> for this purpose, not a general-purpose public BL.
A local RBL would make some sense; you didn't mention that earlier.
That's not a whole lot different than maintaining a local blacklist
or firewall rules. Once you identify IPs you don't want sending
mail, there are multiple choices to block them -- a local RBL makes
sharing a blacklist within a farm very easy.
This is relatively lightweight; client connects, postfix does a DNS
lookup, client is rejected. As long as the client isn't making
DoS-level connections this is reasonably efficient. Postscreen
could do this with "before 220 tests", but is likely overkill.
At some point you may want to do something more complex than the
standard "reject_rbl_client ...", such as "this username can't
connect from this range" or "don't ever block this user". You can
do the more complex queries by using a policy service that consults
the RBL and can also consider the IP and username used. This still
allows the client to AUTH and adds that overhead, but is far more
flexible. This could be combined with Fail2Ban or similar built
into your policy service to temporarily firewall IPs that exceed
some level of bad behavior.
-- Noel Jones
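The policy-service approach described above, as an added Python example that is not code from this thread: a small Postfix policy daemon that checks the client IP against a local RBL zone and also applies "this user only from this range" and "never block this user" rules on the SASL username. The zone name, user names and network ranges are assumptions; Postfix would reach it through check_policy_service in smtpd_sender_restrictions.

```python
import ipaddress
import socket

# Assumed values, not from the thread: a private RBL zone and two per-user rules.
LOCAL_RBL_ZONE = "rbl.local.example"            # local zone holding bad client IPs
NEVER_BLOCK_USERS = {"postmaster@example.com"}  # "don't ever block this user"
USER_NETWORKS = {"alice@example.com": ["203.0.113.0/24"]}  # allowed ranges per user

def parse_policy_request(raw: str) -> dict:
    """Parse the name=value lines of a Postfix policy request (ends with a blank line)."""
    attrs = {}
    for line in raw.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            attrs[name] = value
    return attrs

def rbl_listed(ip: str, zone: str, resolve) -> bool:
    """IPv4 only: look up <reversed octets>.<zone>; an answer means listed, NXDOMAIN not."""
    name = ".".join(reversed(ip.split("."))) + "." + zone
    try:
        resolve(name)
        return True
    except socket.gaierror:
        return False

def decide(attrs: dict, resolve=socket.gethostbyname) -> str:
    """Return a Postfix action; DUNNO lets the later restrictions decide."""
    ip = attrs.get("client_address", "")
    user = attrs.get("sasl_username", "")
    if user in NEVER_BLOCK_USERS:
        return "DUNNO"
    if user in USER_NETWORKS and ip:
        addr = ipaddress.ip_address(ip)
        if not any(addr in ipaddress.ip_network(n) for n in USER_NETWORKS[user]):
            return "REJECT Account not permitted from this client address"
    if ip and ":" not in ip and rbl_listed(ip, LOCAL_RBL_ZONE, resolve):
        return "REJECT Client address listed on local RBL"
    return "DUNNO"

def handle_request(raw: str, resolve=socket.gethostbyname) -> str:
    """Whole exchange: request text in, the 'action=...' reply Postfix expects out."""
    return "action=" + decide(parse_policy_request(raw), resolve) + "\n\n"

# Constructed offline stand-in for DNS so the example runs without a real zone.
CONSTRUCTED_LISTINGS = {"5.113.0.203." + LOCAL_RBL_ZONE}
def fake_resolve(name: str) -> str:
    if name in CONSTRUCTED_LISTINGS:
        return "127.0.0.2"
    raise socket.gaierror(name)
```

In production the daemon reads each request from the socket Postfix connects to, calls handle_request, and writes the reply back; the real resolver is used instead of fake_resolve.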
On 01.02.2012 03:03, list@... wrote:
> We run a small cluster of postfix servers that are dedicated outbound
> relayhosts for our customers. Beyond the outbound postfix cluster we have
> another cluster of mail filtering appliances that have served their purpose
> very well, but we are starting to get more compromised accounts due to
> phishing attempts and some of the spam is getting through the outbound
> filters due to the volume of new spam messages.
> I am looking for advice on how to limit our exposure to malicious senders
> that have access to a user's credentials. One method we have zero
> experience in is using RBLs, which I am hoping to learn more about.
I wouldn't do it with an RBL in this case, I see no sense in it.
You may use clamav-milter with SaneSecurity sigs and simply hold mails
for human inspection, or use amavis etc.
Once you find a hacked or compromised account, delete it, or inform the user
etc., or build some reject access list for them (perhaps you can call
this a local RBL).
Outbound spam is always a problem.
Regards, Robert Schetterer