LinuxQuestions.org


gnirtS 12-28-2007 03:58 PM

SMTP Spam reduction restrictions
 
I'm in the process of setting up an SMTP server for a few of my domains and obviously trying to reduce the current huge amount of spam I'm getting through.

As well as running SpamAssassin I've put a lot of restrictions on the actual Postfix SMTP end along with greylisting.
It's had a big effect in reducing the spam getting into the network (and after SA just about 0% gets through untagged) but I'm a little nervous I may have gone too far and possibly harm normal mail.

As far as I can tell all the restrictions I've added comply with RFC guidelines for what an MX should have, but I'm wondering if someone can just confirm that or suggest extras to add?

I'm using Postfix & Postgrey and my config currently reads like:

Quote:

smtpd_sender_restrictions = reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    # reject_unknown_client_hostname,  <-- I have seen one incidence of a genuine mail being rejected by this
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client combined.njabl.org,
    # This is postgrey:
    check_policy_service inet:127.0.0.1:60000,
    reject_non_fqdn_recipient,
    reject_non_fqdn_hostname,
    reject_unauth_destination,
    reject_invalid_hostname

Are any of the lines in there likely to accidentally exclude a perfectly compliant mail server or alternatively, is there anything else I can add to help reduce spam whilst preserving genuine mails?

Would it help at all altering the order of those tests around?

JimBass 12-28-2007 04:41 PM

The rbl lists are a great way to reject a ton of spam. You may also want to look into rejecting all SMTP traffic from dynamic addresses.

In terms of rejecting good email, that is entirely possible. One of the problems with a configuration such as yours is that there is no middle ground for messages that might be ok, you are outright rejecting them. The way I have my spamassassin set is not to reject but to simply label possible spam. All of my potential spam mail gets :SPAM: added to the beginning of the subject, and I have all the clients using my server dumping anything with that subject to a special folder. That way, nothing is turned away. If somebody expects a message, and it doesn't turn up in their inbox, odds are very good it is in the spam folder. The only way I can see around the problem you might encounter is to whitelist every domain that you expect mail from. That will become a huge job. Also, many businesses have several domains, like company.com, company.net, and almostthesamecompany.com.

Peace,
JimBass

gnirtS 12-28-2007 08:03 PM

Forgot to add SA here just tags and filters into a user's "Spam" folder - it doesn't outright delete. My main worry was the SMTP server itself rejecting mail from genuine MXs. With just the SBLs and greylisting I get near 15x the amount of spam through than with the above setup and it's still not great for the end user to get 100+ spam tagged mails per day to verify.

JimBass 12-28-2007 11:18 PM

Yeah, just tagging :SPAM: is much safer than auto-rejecting. The idea with the spam folder is that the users don't have to sort through it. The only reason they have to go into it is if they don't receive a message they are expecting. When that happens, there should be some mechanism for the user to whitelist the domain it is sent from. If nothing is auto-rejected, nothing is lost. Realistically, you aren't going to get an unexpected email of any importance.

I've been using spamassassin for 2+ years, and it is good with greater than 99% of its tags. Receiving about 50,000 messages in any given day, I've seen less than 10 mislabeled messages. That is 10 out of probably 40,000,000 messages.

Peace,
JimBass

gnirtS 12-28-2007 11:23 PM

I've had a similar rate in 5 years+ or so of SpamAssassin, admittedly in a home/small domains environment; I can think of exactly 2 messages that got misflagged so it does work very well. The problem for me is twofold - tagging spam (which is excellent) or trying to reduce the overall amount of traffic by preventing dodgy clients connecting and getting a message past SMTP in the first place.
Still undecided as to the balance to strike between the 2 though. RBL and greylisting seem to work fairly well, unsure just how effective my other settings are as yet though.
Finding out about 50% of all spam was directly attacking my backup MX helped (hence changed from ISP managed to my own with greylist/RBL).
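
An added example, not part of the thread or of any poster's setup: one way to measure what each restriction in the configuration above actually rejects, by tallying Postfix smtpd reject log lines per restriction and listing permanent (5xx) rejects from the hostname and address-syntax checks for manual review. The log lines are constructed, and the mapping from reply text to restriction name is an assumption, since the wording varies between Postfix versions.

```python
import re
from collections import Counter

# Constructed sample lines shaped like Postfix smtpd reject logging (not from the thread).
P = "Dec 28 20:01:12 mx1 postfix/smtpd[2101]: "
SAMPLE_LOG = [
    P + "NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using sbl-xbl.spamhaus.org; from=<a@spam.example> to=<me@example.org> proto=SMTP helo=<192.0.2.10>",
    P + "NOQUEUE: reject: RCPT from mail.list.example[198.51.100.7]: 450 4.2.0 <me@example.org>: Recipient address rejected: Greylisted; from=<news@list.example> to=<me@example.org> proto=ESMTP helo=<mail.list.example>",
    P + "NOQUEUE: reject: RCPT from gw.partner.example[203.0.113.5]: 504 5.5.2 <WORKSTATION7>: Helo command rejected: need fully-qualified hostname; from=<bob@partner.example> to=<me@example.org> proto=ESMTP helo=<WORKSTATION7>",
    P + "NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 450 4.1.8 <x@nodns.invalid>: Sender address rejected: Domain not found; from=<x@nodns.invalid> to=<me@example.org> proto=SMTP helo=<nodns.invalid>",
    P + "connect from mail.list.example[198.51.100.7]",
]
# Reply text -> restriction assumed to have produced it (wording varies by Postfix version).
RULES = [
    (r"blocked using (\S+)", "reject_rbl_client {0}"),
    (r"Greylisted", "check_policy_service (postgrey)"),
    (r"Sender address rejected: Domain not found", "reject_unknown_sender_domain"),
    (r"Sender address rejected: need fully-qualified", "reject_non_fqdn_sender"),
    (r"Helo command rejected: need fully-qualified", "reject_non_fqdn_hostname"),
    (r"Helo command rejected: Invalid name", "reject_invalid_hostname"),
    (r"Relay access denied", "reject_unauth_destination"),
]
# Checks a genuine but sloppily configured server can fail; permanent hits deserve a look.
REVIEW = {"reject_non_fqdn_sender", "reject_non_fqdn_hostname", "reject_invalid_hostname"}
REJECT = re.compile(r"NOQUEUE: reject: \w+ from (?P<client>\S+): (?P<cls>[45])\d\d (?P<text>.*?); from=<(?P<sender>[^>]*)>")

def classify(line):
    """Return (restriction, permanent, client, sender) for a reject line, else None."""
    m = REJECT.search(line)
    if not m:
        return None
    name = "unclassified"
    for pattern, label in RULES:
        hit = re.search(pattern, m["text"])
        if hit:
            name = label.format(*hit.groups())
            break
    return name, m["cls"] == "5", m["client"], m["sender"]

def summarize(lines):
    """Count rejects per restriction; list permanent REVIEW hits as (restriction, client, sender)."""
    counts, review = Counter(), []
    for name, permanent, client, sender in filter(None, map(classify, lines)):
        counts[name] += 1
        if permanent and name in REVIEW:
            review.append((name, client, sender))
    return counts, review

if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG), sep="\n")
```

Temporary (4xx) rejects are counted but left out of the review list, because a compliant sender retries them; the permanent rejects are the ones where a genuine message is bounced back.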

