Interesting. I’m containerizing my setup, so I suppose I could have a firewall container running something like pfsense ahead of my container that has the Virtualmin server. I wonder how difficult that’d be to arrange in Proxmox?
I set that up in hopes of keeping CPU usage down, since SA is much more demanding, but maybe that’s the wrong tack. It sounds like there’s a strong movement towards using postscreen, but it also sounds to me like this would make port 25 useless for users trying to authenticate through SASL to send messages? I know most probably use a different port now, but trying to think of the implications of that.
Yes, they seem to be still supported and working well. DCC seems to be flagging at least some messages SA otherwise is thinking are in the clear, so it is helping! I’ve used them to great effect in the past on my cPanel/exim/ASSP/ASSP Deluxe spam setup, which while not perfect, is probably the best spam filtering setup I’ve ever had. (I wrote the author of ASSP Deluxe and asked if he’d considered porting it to Virtualmin. Alas… )
I really appreciate your well thought out list there. It is hard to figure out what works and it’s nice to see a complete set like that!
Not at all if you use SASL submission through 587. If you set up postscreen as per the Postfix instructions, your authenticated SASL users will bypass postscreen.

# master.cf: postscreen takes over port 25 and hands accepted clients to smtpd,
# which becomes a "pass" service; dnsblog and tlsproxy are postscreen's helpers
smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
dnsblog   unix  -       -       y       -       0       dnsblog
tlsproxy  unix  -       -       y       -       0       tlsproxy
You can also find related tutorials on how to do this step by step.
We use postscreen to block DNSBL-listed hosts and bots. SpamAssassin does the rest. But, in order to make all this happen you need to set up a recursive DNS. If you’re not using the DNS feature on your server, you can use BIND for recursion. You can even create another VPS for recursion only.
Postscreen policies can be set up gradually from light to strict.
I’m not fully understanding your post? As in whose MTA?
You can easily set up a whitelist as well in Postscreen that will bypass it and go straight to Postfix.
There’s a lot more you can do, I only came here since the OP is looking for some Tips…
Anyone have problems with what I post? I’ll be more than fine to excuse myself from this conversation…
Thank you so much @cyberndt. If you do greylisting, do you use postgrey alongside postscreen or do you configure postscreen to handle that too? It sounds like one could go either way.
Might I see your custom fail2ban rule? That sounds like a great idea…
No problem, as referenced from my above post about postscreen settings.
We create a filter called postscreen-filter.conf
We only ban on 2, 3, and 4. Postscreen will send an email to those who rank 1 with “Service unavailable” and let them know what list they are on.
Postscreen will automatically do postgrey, I believe you can turn that off. Since we use whitelist and allow those with postscreen_dnsbl_allowlist_threshold = 0 bypass screening and let spamassassin do the rest.
But, just this simple setup alone blocks over 90% maybe even more on our email servers.
Thank you. That looks great. Curiously, though, I do not have /var/log/mail.log. Do you know of anywhere else Virtualmin might have configured Postfix to put its log? I’m accustomed to Exim, so I’ve been looking for the equivalent log for days and have seen references to mail.log, but haven’t located it on the system.
Oh, Debian 12 just routes all of the logs for Postfix and Postscreen to journalctl/systemd logging. I haven’t figured out where that leaves standard mail logs, since I mostly see things like daemon restarts, but if anyone else wants to add a fail2ban entry for Postscreen, its identifier in journalctl is “postfix/postscreen.”
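As an added illustration of the rank-based fail2ban rule described above (not code from any poster, and not Virtualmin’s or Postfix’s own), here is a small Python script that applies a postscreen failregex to constructed log lines in both the classic mail.log format and the journalctl format mentioned for Debian 12. The log lines, host addresses, and the threshold of 2 are assumptions modelled on the posts; the rank-1 client is deliberately left unbanned, matching the “ban on 2, 3, and 4” policy.

```python
import re

# Assumed policy, taken from the post above: ban only when postscreen's
# DNSBL rank reaches 2 (rank 1 only gets the 4xx "Service unavailable").
BAN_THRESHOLD = 2

# failregex as it would go into a fail2ban filter file (e.g. an assumed
# /etc/fail2ban/filter.d/postscreen-filter.conf). "<HOST>" is fail2ban's
# placeholder for the offending address; "[2-9]\d*" restricts matches to
# rank >= 2 so the ban threshold lives in the regex itself.
FAILREGEX = r"postfix/postscreen\[\d+\]: DNSBL rank [2-9]\d* for \[<HOST>\]:\d+$"

# For testing in plain Python we substitute a simple IPv4/IPv6 literal
# pattern where fail2ban would insert its own host expression.
HOST_PATTERN = r"(?P<host>[0-9a-fA-F:.]+)"
BAN_PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# General form: capture every DNSBL rank line regardless of rank, so the
# threshold can also be applied in code (useful when tuning the policy).
RANK_PATTERN = re.compile(
    r"postfix/postscreen\[\d+\]: DNSBL rank (?P<rank>\d+) for \[(?P<host>[0-9a-fA-F:.]+)\]:\d+$"
)

# Constructed sample log: first line in syslog/mail.log style, the rest in
# the "journalctl -t postfix/postscreen"-style layout. Addresses are from
# documentation ranges and are not real clients.
SAMPLE_LOG = """\
Mar  4 10:15:02 mx1 postfix/postscreen[2314]: DNSBL rank 3 for [203.0.113.7]:51234
Mar 04 10:15:03 mx1 postfix/postscreen[2314]: DNSBL rank 1 for [198.51.100.9]:41022
Mar 04 10:15:04 mx1 postfix/postscreen[2314]: PASS NEW [192.0.2.44]:33120
Mar 04 10:15:05 mx1 postfix/postscreen[2314]: DNSBL rank 2 for [203.0.113.7]:51300
Mar 04 10:15:06 mx1 postfix/postscreen[2314]: DNSBL rank 4 for [2001:db8::1]:25011
""".splitlines()


def dnsbl_hits(lines):
    """Return (host, rank) for every DNSBL rank line, whatever the rank."""
    hits = []
    for line in lines:
        m = RANK_PATTERN.search(line)
        if m:
            hits.append((m.group("host"), int(m.group("rank"))))
    return hits


def hosts_to_ban(lines, threshold=BAN_THRESHOLD):
    """Map host -> highest rank seen, keeping only hosts at or above threshold."""
    worst = {}
    for host, rank in dnsbl_hits(lines):
        if rank >= threshold:
            worst[host] = max(rank, worst.get(host, 0))
    return worst


def failregex_matches(lines):
    """Hosts the fail2ban-style FAILREGEX would report, one entry per line."""
    return [m.group("host") for m in (BAN_PATTERN.search(l) for l in lines) if m]


if __name__ == "__main__":
    for host, rank in sorted(hosts_to_ban(SAMPLE_LOG).items()):
        print(f"ban {host} (DNSBL rank {rank})")
```

The two views should agree: whatever `failregex_matches` reports is exactly the set of hosts `hosts_to_ban` returns, which is a quick way to check that the regex used in the filter file really encodes the threshold from the policy before enabling the jail. Because the `<HOST>` substitution is the only difference, the same expression can be pasted into the filter’s `failregex` line as written.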
Virtualmin has nothing to do with it. You picked an OS and we respect that choice as far as possible. We don’t change where services log to (well, except for each VirtualHost getting its own access and error log, for obvious reasons).