However, some configurations may lead to issues with some mail providers. Specifically, I've had issues with Microsoft Hotmail and Google GMail, with blocklists and deep protocol tests respectively.
Microsoft Hotmail / Outlook / live
Initially postscreen was configured to use the following blocklists:
- zen.spamhaus.org
- bl.spameatingmonkey.net
- dnsbl.habl.org
- bl.spamcop.net
- dnsbl.sorbs.net
Google GMail
GMail uses a large number of IPv4 and IPv6 addresses. That, combined with the behavior of deep protocol tests, causes trouble:
"When any "deep protocol tests" are configured, postscreen(8) cannot hand off the "live" connection to a Postfix SMTP server process in the middle of the session. Instead, postscreen(8) defers mail delivery attempts with a 4XX status, logs the helo/sender/recipient information, and waits for the client to disconnect. The next time the client connects it will be allowed to talk to a Postfix SMTP server process to deliver its mail. postscreen(8) mitigates the impact of this limitation by giving deep protocol tests a long expiration time."
- The above quote from http://www.postfix.org/POSTSCREEN_README.html#victory
As GMail does not resend from the same IP address after the 4xx, this generates a lot of "reject noise" in the mail log (not least for IPv6). Instead of disabling deep protocol tests, configure postscreen_dnsbl_whitelist_threshold with a negative value.
Given the above the postscreen section of /etc/postfix/main.cf now looks like this:
## Postscreen settings
# run - postfix reload - to activate any changes.
#
postscreen_access_list =
    permit_mynetworks
    cidr:/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = enforce
# Use selected DNSBLs
postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    bl.spameatingmonkey.net*2
    dnsbl.habl.org
    bl.spamcop.net
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
# Whitelist clients whose combined DNSBL score is at or below this value
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_banner = Welcome, please wait...
postscreen_greet_action = enforce
# Deep protocol tests
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce
Before going full reject, read the Postfix howto at http://www.postfix.org/POSTSCREEN_README.html and start with ignore instead of enforce; that lets you test and collect statistics without blocking mail from the get-go.
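To see how postscreen_dnsbl_threshold and postscreen_dnsbl_whitelist_threshold interact with the weights in postscreen_dnsbl_sites, here is a small simulator of postscreen's DNSBL scoring written for this post. It is an added example, not Postfix code and not the configuration above: the DNS answers are constructed, the scoring is a simplified model of what the postscreen_dnsbl_sites documentation describes (each matching entry adds its weight, negative weights whitelist), and the list.dnswl.org entry with its 127.0.x.<trust> return-code layout is an assumption added purely to show the effect of a negatively weighted list. The point it makes is that a score of -1 or lower is only reachable when at least one entry carries a negative weight; with positive-only lists the threshold never fires and a large sender still gets the 4XX-then-retry treatment.

```python
"""Simplified model of postscreen DNSBL scoring (added example, not Postfix code).

postscreen queries every entry in postscreen_dnsbl_sites for the client
address, adds the weight of each entry whose reply matches, and then:
  score >= postscreen_dnsbl_threshold           -> postscreen_dnsbl_action
  score <= postscreen_dnsbl_whitelist_threshold -> skip the deep protocol tests
                                                   (only when that threshold < 0)
All DNS answers below are constructed; nothing is looked up.
"""
import re
from dataclasses import dataclass

# Entry syntax per the postscreen_dnsbl_sites docs: domain[=filter][*weight]
SITE_RE = re.compile(r"(?P<domain>[^=*\s]+)(?:=(?P<filter>[^*\s]+))?(?:\*(?P<weight>-?\d+))?")


@dataclass
class Site:
    domain: str
    weight: int = 1
    filter: str = ""  # e.g. "127.0.[0..255].[1..3]"; empty means any reply counts


def parse_sites(text):
    """Parse the whitespace-separated value of postscreen_dnsbl_sites."""
    sites = []
    for token in text.split():
        m = SITE_RE.fullmatch(token)
        if not m:
            raise ValueError("bad postscreen_dnsbl_sites entry: " + token)
        sites.append(Site(m["domain"], int(m["weight"] or 1), m["filter"] or ""))
    return sites


def octet_matches(pat, octet):
    """One filter element: a number, or [..] holding ';'-separated numbers and low..high ranges."""
    n = int(octet)
    if not (pat.startswith("[") and pat.endswith("]")):
        return n == int(pat)
    for part in pat[1:-1].split(";"):
        if ".." in part:
            lo, hi = part.split("..")
            if int(lo) <= n <= int(hi):
                return True
        elif n == int(part):
            return True
    return False


def filter_matches(pattern, answer):
    """Match a DNSBL A-record answer (d.d.d.d) against a d.d.d.d filter pattern."""
    pats = re.findall(r"\[[^\]]*\]|\d+", pattern)  # keeps [a..b] tokens whole
    octets = answer.split(".")
    return len(pats) == 4 and len(octets) == 4 and all(
        octet_matches(p, o) for p, o in zip(pats, octets))


def dnsbl_score(sites, answers):
    """answers maps DNSBL domain -> A records returned for the client.
    Simplification: each postscreen_dnsbl_sites entry is counted at most once."""
    total = 0
    for site in sites:
        replies = answers.get(site.domain, [])
        if any(not site.filter or filter_matches(site.filter, a) for a in replies):
            total += site.weight
    return total


def postscreen_decision(sites, answers, threshold=3, whitelist_threshold=0):
    """Return (score, outcome) the way postscreen would classify the client."""
    s = dnsbl_score(sites, answers)
    if s >= threshold:
        return s, "blocklisted"
    if whitelist_threshold < 0 and s <= whitelist_threshold:
        return s, "whitelisted"
    return s, "neutral"


# The four blocklists from the main.cf above.
PAGE_SITES = """
    zen.spamhaus.org*3
    bl.spameatingmonkey.net*2
    dnsbl.habl.org
    bl.spamcop.net
"""
# Hypothetical addition (assumption, not on the page): a DNS whitelist whose
# 127.0.<category>.<trust> answers carry a negative weight for trust 1..3.
WHITELIST_ENTRY = "list.dnswl.org=127.0.[0..255].[1..3]*-2"

# Constructed DNS answers for three sample clients.
SAMPLE_CLIENTS = {
    "big-provider": {"list.dnswl.org": ["127.0.5.3"]},
    "spam-source": {"zen.spamhaus.org": ["127.0.0.2"], "bl.spamcop.net": ["127.0.0.2"]},
    "unknown": {},
}


def main():
    for label, sites_text in (("page lists only", PAGE_SITES),
                              ("page lists + whitelist", PAGE_SITES + WHITELIST_ENTRY)):
        sites = parse_sites(sites_text)
        print(label)
        for name, answers in SAMPLE_CLIENTS.items():
            score, outcome = postscreen_decision(sites, answers, 3, -1)
            print("  %-13s score=%3d  %s" % (name, score, outcome))


if __name__ == "__main__":
    main()
```

Run it and compare the two tables: with only the page's four lists, the big provider scores 0 and stays "neutral", so postscreen_dnsbl_whitelist_threshold = -1 changes nothing for it; once an entry with a negative weight is present it scores -2 and skips the deep tests, while the listed spam source still scores 4 and is rejected.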