The unreasonable effectiveness of greylisting

April 21, 2025

Shh! Don't tell the spammers, but… Other than DMARC, the only anti-spam technique I employ is greylisting. The last time I received a spam message, it was due to my failure to verify DMARC on incoming mail. See, this is why the big providers are making a big deal about DMARC. I wrote briefly about both in BÚÉK! and Spam. Here, I expand upon greylisting.

Configuring Postgrey

Postgrey was written by David Schweikert. It is a policy server for Postfix, the same MTA that handles mail for the baz.bar domain. Postfix hands it the client IP address, envelope sender, and recipient of each delivery attempt, and postgrey checks whether it has seen that triplet before. If the triplet was first seen more than five minutes ago (postgrey's default delay of 300 seconds), the mail passes; otherwise it is rejected with a temporary (4xx) error. By default IPv4 clients are matched on their /24, so a retry from a neighbouring address in the same sending farm still counts. RFC 5321 requires a sending MTA to queue and retry mail that receives a temporary error, and legitimate MTAs do. Would you believe that spammers, firing from throwaway hosts, generally don't bother? Setting up postgrey was quite simple. It involved two steps on my host running Debian.

First, in /etc/postfix/main.cf, set smtpd_recipient_restrictions to check with the greylist policy daemon.

  smtpd_recipient_restrictions =
   ...
   check_policy_service unix:private/postgrey

Second, I changed the options in /etc/default/postgrey so that postgrey listens on a Unix socket inside Debian's default Postfix chroot (/var/spool/postfix). Postfix's smtpd resolves unix:private/postgrey relative to that chroot, so the path handed to postgrey must be the full path on the host.

  POSTGREY_OPTS="-u /var/spool/postfix/private/postgrey"
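
As an added example (not part of the original post and not postgrey's own code), here is the decision postgrey makes for each request, written in Python against the Postfix policy delegation protocol that check_policy_service speaks. It keys IPv4 clients on their /24 and uses the 300-second default delay; the request, addresses, domains and reply text are constructed for the example.

```python
import ipaddress

# Added example, not postgrey's code. It models the decision postgrey makes for
# each Postfix policy request and formats the reply in the Postfix policy
# delegation protocol (name=value lines, a blank line terminates a message).

DELAY = 300  # seconds a triplet must age before mail passes (postgrey's default)
# Reply text is a placeholder for this example; postgrey has its own --greylist-text.
GREYLIST_TEXT = "Greylisted, please try again later"


def parse_policy_request(raw):
    """Parse one policy request into a dict of attributes."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break  # blank line ends the request
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def triplet_key(attrs):
    """(client, sender, recipient) key. IPv4 clients are keyed on their /24, as
    postgrey does by default (lookup-by-subnet), so a retry from a neighbouring
    address in the same sending farm still matches. Other addresses are keyed
    as-is (assumption for this example)."""
    ip = ipaddress.ip_address(attrs["client_address"])
    if ip.version == 4:
        client = str(ipaddress.ip_network(f"{ip}/24", strict=False))
    else:
        client = str(ip)
    return (client, attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())


class Greylist:
    """In-memory greylist; postgrey keeps the same state in an on-disk database."""

    def __init__(self, delay=DELAY):
        self.delay = delay
        self.first_seen = {}  # triplet -> time of first attempt

    def decide(self, attrs, now):
        """Return (action, reason) for one delivery attempt at time `now`."""
        key = triplet_key(attrs)
        first = self.first_seen.get(key)
        if first is None:
            self.first_seen[key] = now
            return ("defer", "new")
        age = now - first
        if age < self.delay:
            return ("defer", f"early-retry ({int(self.delay - age)} seconds missing)")
        return ("pass", "triplet found")

    def respond(self, raw_request, now):
        """Policy-protocol reply: DEFER_IF_PERMIT is the temporary (4xx) error a
        compliant MTA will retry; DUNNO lets the remaining restrictions decide."""
        attrs = parse_policy_request(raw_request)
        if attrs.get("request") != "smtpd_access_policy":
            return "action=DUNNO\n\n"
        action, _reason = self.decide(attrs, now)
        if action == "defer":
            return f"action=DEFER_IF_PERMIT {GREYLIST_TEXT}\n\n"
        return "action=DUNNO\n\n"


# Constructed request, in the shape Postfix sends to check_policy_service.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "client_address=203.0.113.10\n"
    "sender=alice@example.com\n"
    "recipient=bob@example.org\n"
    "\n"
)


def walk_through():
    """A compliant MTA retrying a deferred message versus a fire-and-forget spammer."""
    gl = Greylist()
    timeline = []
    # Legitimate sender: first attempt, an early retry, then a retry past the delay.
    for t in (0, 120, 420):
        timeline.append(("legit", t, gl.decide(parse_policy_request(SAMPLE_REQUEST), t)))
    # Spammer: one attempt from a throwaway host, never retried.
    spam_req = SAMPLE_REQUEST.replace("203.0.113.10", "198.51.100.7")
    timeline.append(("spammer", 0, gl.decide(parse_policy_request(spam_req), 0)))
    return timeline


if __name__ == "__main__":
    for who, t, outcome in walk_through():
        print(f"t={t:4d}s {who:8s} -> {outcome}")
```

walk_through() shows the legitimate sender rejected at first sight and again at two minutes, then accepted once the triplet is older than the delay, while the spammer's single attempt stays rejected. A second request from another address in the same /24 is treated as the same triplet.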

I have not seen recent discussion about greylisting, but several years ago the common complaint was that greylisting destroys the "immediacy" of email. In case you missed it, email was never immediate. Email was created more than 50 years ago, just two years after the first computer network came up in 1969, and connections on early networks were neither persistent nor reliable.

Now, to be fair, I don't get a ton of email to my domain anyway; I am the only user. And I have no expectation of immediacy when it comes to email; in fact, I often disabuse others of this notion when they interact with me, to set proper expectations. This works for me. Since I started running mail for the baz.bar domain, only a couple of spam messages have passed the greylist policy, and they all came from the same spoofed source.

Configuring DMARC

Other than greylisting, the only anti-spam mechanism I run is DMARC verification. Setting up OpenDMARC on inbound mail was enough to knock out that pesky spammer earlier in the year. It was another two-step process. One caveat: OpenDMARC evaluates DMARC from SPF and DKIM results, so it belongs after whatever produces them. It reads the Authentication-Results header written by an earlier milter such as OpenDKIM (list that one before opendmarc in smtpd_milters), and it can perform its own SPF check when SPFSelfValidate is enabled in opendmarc.conf. Also, by default it only records the verdict in an Authentication-Results header; it rejects mail that fails under a p=reject policy only when RejectFailures is set to true.

First, edit smtpd_milters in /etc/postfix/main.cf.

  smtpd_milters =
    ...
    unix:/run/opendmarc/opendmarc.sock

Second, since I am running Debian, change the socket path in /etc/opendmarc.conf, because Postfix is chroot'd. The path Postfix sees as /run/opendmarc/opendmarc.sock is /var/spool/postfix/run/opendmarc/opendmarc.sock on the host.

  Socket local:/var/spool/postfix/run/opendmarc/opendmarc.sock
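
To show why the spoofed messages that slipped past greylisting fell to DMARC, here is the evaluation OpenDMARC performs once SPF and DKIM results are in hand, as an added example in Python (not OpenDMARC's code and not from the original post). The record, domains and authentication results are constructed; DNS lookup of the record, pct= sampling and the Public Suffix List are omitted, with the organizational domain approximated by the last two labels.

```python
# Added example, not OpenDMARC's code. It performs the DMARC evaluation step
# a verifier runs once SPF and DKIM results are available: identifier
# alignment against the RFC5322.From domain, then the published policy.
# Omitted: DNS lookup of the record, pct= sampling, and report generation.


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            tags[k.strip().lower()] = v.strip()
    return tags


def org_domain(domain):
    """Organizational domain. Real verifiers consult the Public Suffix List;
    this example approximates it with the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    needs the same organizational domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    record       TXT record found for the From domain or its org domain, or None
    spf_domain   the MAIL FROM domain the SPF check was performed on
    dkim_domain  the d= tag of a DKIM signature that verified ('' if none)
    """
    if record is None:
        return ("none", "none")  # no policy published; nothing to enforce
    tags = parse_dmarc_record(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ("none", "none")
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # A subdomain From falls under sp= when the org domain's record carries it.
    policy = tags.get("p", "none")
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return ("fail", policy)


# Constructed record and cases; example.com stands in for the spoofed domain.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"

CASES = {
    # Genuine mail: SPF passes for a relay under the same org domain (relaxed).
    "genuine": ("example.com", "pass", "mail.example.com", "fail", ""),
    # Spoofed From: the spammer's own SPF and DKIM pass, but for their domain.
    "spoofed": ("example.com", "pass", "bulk.spammer.example.net", "pass", "spammer.example.net"),
    # Strict DKIM alignment rejects a signature from a subdomain, so SPF must carry it.
    "strict-dkim": ("example.com", "fail", "example.com", "pass", "mail.example.com"),
}


def run_cases():
    """Evaluate every constructed case against RECORD."""
    return {name: evaluate(RECORD, *args) for name, args in CASES.items()}


if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:12s} -> result={verdict[0]}, disposition={verdict[1]}")
```

The spoofed case is the one that matters here: the spammer's envelope and signature both authenticate, just not for the domain in the From header, so DMARC fails and the reject policy applies. With RejectFailures enabled, OpenDMARC turns that into an SMTP rejection; without it, the failure is only noted in the Authentication-Results header.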

Note that, at first blush, it seems you can instead update /etc/default/opendmarc, but its settings are not read, because the package's systemd unit doesn't source it.

Tracking Effectiveness

Unfortunately, only a couple of spam messages inform me of how well greylisting actually works. As it turns out, there's Mailgraph, a tool that graphs Postfix message-processing statistics, also written by Schweikert. I'll be paying some attention to that periodically. But honestly, I'm more worried about getting my outbound mail delivered than about spam sneaking past the greylist. That is a write-up for another day.