With policyd-weight you can reject mail before the body is received by your MTA, here Postfix. No bounce mails, and less wasted bandwidth and CPU time. policyd-weight scores characteristics of the mail positively or negatively; once a defined value is reached, the mail is rejected. The characteristics currently scored are:
- DNSBLs/RHSBLs
- HELO argument
- MAIL FROM: argument
- Client IP address
- DNS client/HELO/FROM entries (A/16 A/24 A/32), PTR/FQDN and parent domains (MX/16 MX/24 MX/32), checked for correctness or whether they match.
It's available in etch and bpo; installation is really easy:
# aptitude install [-t sarge-backports] policyd-weight
Remove unnecessary reject_rbl_client and reject_rhsbl_client checks from main.cf and insert the check_policy_service:
smtpd_recipient_restrictions = permit_mynetworks, ... reject_unauth_destination, check_policy_service inet:127.0.0.1:12525 ...
You can create a /etc/policyd-weight.conf if you would like to adjust scores or other policyd-weight parameters. You can get the defaults with policyd-weight defaults. For more information, have a look at /usr/share/doc/policyd-weight/documentation.txt.gz or http://policyd-weight.org.
A normal day on a backup MX with ~500 domains:
backup:~# zgrep -e "postfix.*: connect from" \
/var/log/mail.info.0 | wc -l
29936
backup:~# zgrep -e "policyd-weight.*decided action=5" \
/var/log/mail.info.0 | wc -l
22738
backup:~# zgrep -e "postfix.*status=sent" \
/var/log/mail.info.0 | wc -l
5570
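
The three counts above can also be taken in a single pass over the log, together with the share of connections that policyd-weight rejected. This is an added example, not part of the original post; the function names pw_summary and sample_log and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: one-pass summary using the same three patterns as the
# zgrep commands above. All log lines in sample_log are constructed.

sample_log() {
cat <<'EOF'
Mar  1 10:00:01 backup postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Mar  1 10:00:02 backup postfix/policyd-weight[1999]: decided action=550 rejected (constructed); <client=192.0.2.10> <helo=a.example>
Mar  1 10:00:02 backup postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]
Mar  1 10:00:05 backup postfix/smtpd[2102]: connect from unknown[192.0.2.11]
Mar  1 10:00:06 backup postfix/policyd-weight[1999]: decided action=550 rejected (constructed); <client=192.0.2.11> <helo=b.example>
Mar  1 10:00:09 backup postfix/smtpd[2103]: connect from unknown[192.0.2.12]
Mar  1 10:00:10 backup postfix/policyd-weight[1999]: decided action=550 rejected (constructed); <client=192.0.2.12> <helo=c.example>
Mar  1 10:00:12 backup postfix/smtpd[2104]: connect from mail.example.net[198.51.100.7]
Mar  1 10:00:13 backup postfix/policyd-weight[1999]: decided action=PREPEND X-policyd-weight: (constructed)
Mar  1 10:00:14 backup postfix/smtp[2110]: 4F1A2B3C: to=<u@example.org>, relay=mx.example.org[203.0.113.5]:25, status=sent (250 ok)
EOF
}

# pw_summary [FILE]
#   FILE may be plain or gzip-compressed; without FILE (or with "-") the
#   log is read from stdin. Prints a single summary line.
pw_summary() {
    case "${1:--}" in
        -) cat ;;
        *) gzip -dcf -- "$1" ;;   # -f passes uncompressed input through unchanged
    esac | awk '
        # ": connect from" does not match "]: disconnect from"
        /postfix.*: connect from/          { connects++ }
        # only 5xx decisions count as rejects; PREPEND/DUNNO lines are skipped
        /policyd-weight.*decided action=5/ { rejects++ }
        /postfix.*status=sent/             { sent++ }
        END {
            # guard against an empty log (no connects)
            pct = connects ? 100 * rejects / connects : 0
            printf "connects=%d rejected=%d sent=%d rejected_pct=%.1f\n",
                   connects, rejects, sent, pct
        }'
}

sample_log | pw_summary
```

On a real server, call it with the rotated log, for example pw_summary /var/log/mail.info.0.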