policyd-weight - Policy Daemon for the Postfix MTA
policyd-weight is a Perl policy daemon for the Postfix MTA (2.1 and later)
intended to eliminate forged envelope senders and HELOs (i.e. in bogus mails).
It allows you to score DNSBLs (RBL/RHSBL), HELO, MAIL FROM and client IP
addresses before any queuing is done. It allows you to REJECT messages which
have a score higher than allowed, providing improved blocking of spam and
virus mails. policyd-weight caches the most frequent client/sender
combinations (SPAM as well as HAM) to reduce the number of DNS queries.
After the first three SMTP commands (HELO, MAIL FROM: and RCPT TO:) the
client's IP address, corresponding DNS records (A, MX and PTR) and multiple
DNSBLs can be checked, verified and scored. If the client tries to forge
headers or supplies non-existent DNS or bogus data the spam score will
increase, even more so if the client is listed in one or more DNSBLs. Such
mails can be rejected while in transfer, before the mail body is received by
your MTA. This is different from SpamAssassin or amavisd-new: for scoring or
filtering with these programs, mail needs to be accepted and queued, bandwidth
is used, CPU-time is wasted and mail cannot be rejected without creating a
bounce. Please have a look at the graphical working scheme.
Postfix' built-in checks can be too tough for poorly configured clients: one
hit, and the mail gets rejected. policyd-weight is designed to be fair (DynDNS
MX users get through if their MTA is setup properly, even if their ISP net is
DUL-listed), because its decision whether to reject or accept a mail is based
on multiple factors.
Of course you should still have SpamAssassin and Clamav running (especially
if you are responsible for a company's security and data). But these programs
will have a lot less to do and thus decrease the need for bandwidth and CPU
cycles. Also you might not need greylisting (which would make sense for users
that receive a lot of new spam, though), SPF, extraordinary whitelists or SQL
and other DBs anymore.