When postgrey (https://postgrey.schweikert.ch/) started out in 2004, it probably happened with all good intentions: legit mail comes from legit Postfix (or Sendmail, Exim, Exchange, ...) instances that retry delivery upon encountering a 450 tempfail error, while most bad mail originated from scriptkiddies' tools written with mediocre knowledge of the inner workings of SMTP and the Internet itself.
Postgrey has its ups and downs, and back in the day, with only a fraction of today's mail volume, it really helped to stop many spam messages right in their tracks.
Fast forward to the 2020s. Spambot authors have become more sophisticated. They use hacked accounts at GMail and Microsoft's derivatives of Hotmail, whitelisted by many at domain level. They create spam using the real signatures of real other people. They go as far as using your own company's signatures, sucked off a hacked correspondent's mailbox, to pretend they are a workmate of yours. They still use zombie boxes to send mail, and not just the ones in badly administered offices or backlots. While that's for n00bs, pros prefer neglected VPSs or dedicated servers with direct public IPs and valid reverse DNS entries, running a real MTA. So what does a real Mail Transfer Agent like Postfix or Exchange do when it sees a 450? It will retry.
Postgrey won't stop that kind of spam anymore.
So here we are, and Postgrey causes more trouble than it cures:
- Postgrey delays legit mail. Delays are frustrating in a realtime world that expects you to confirm one-time confirmation codes immediately; there goes your Skype registration. Increasing use of cloud-based load balancers (fortune500company.protection.outlook.com anyone?) defeats Postgrey's IP tuple mechanism ("Lookup by subnet"? Well, not quite anymore).
- Postgrey destroys legit mail. Vacation responses and authcode/verification messages, such as those used by banks like Deutsche Bank and other organizations with elevated security needs, are single-shot e-mails. They won't be re-sent upon encountering a 450. Sieve autoresponder messages behave the same way to counter bounce loops; there goes your vacation notice. Banks do so to counter potential fraud.
- Postgrey has become just another pain on the sending and receiving end, due to the above.
Use rspamd (https://rspamd.com/) instead: a lightning-fast spam classifier, started many years ago at rambler.ru, evolved, open-sourced, matured, and still actively maintained (unlike the rather abandoned Perl hellhole d/b/a spamassassin).
Let everything through and filter out the most obvious junk (above a certain threshold) on a global level via sieve, redirecting it to a dedicated spamhole mailbox. Or just delete it.
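As an added example (not the original post's configuration), here is what such a global Sieve script can look like. It assumes rspamd's milter has been configured to add the `X-Spam: Yes` flag and the `X-Spamd-Bar` header (one `+` per point of score), that the script is installed as a global before-user script in Dovecot Pigeonhole, and that the spamhole mailbox is called `Junk`; the thresholds are placeholders to tune against your own traffic.

```sieve
# Added example: global Sieve script acting on the headers rspamd adds.
# Header names, the "Junk" folder and both thresholds are assumptions,
# not taken from the original post.
require ["fileinto"];

# rspamd writes one '+' per point of positive score into X-Spamd-Bar.
# Ten or more points is so obviously junk that it is dropped outright
# (the "or just delete it" option).
if header :contains "X-Spamd-Bar" "++++++++++" {
    discard;
    stop;
}

# Anything rspamd flagged as spam at all is redirected to the dedicated
# spamhole folder for periodic review instead of landing in the inbox.
if header :contains "X-Spam" "Yes" {
    fileinto "Junk";
    stop;
}

# Everything else is delivered normally (implicit keep).
```

Two practical notes: the script trusts the headers, so make sure the MTA strips any `X-Spam*` headers arriving from outside before rspamd adds its own, otherwise a sender could file their own mail wherever they like; and start with `fileinto` alone and only enable the `discard` branch once a few weeks of review have shown the high-score band is free of false positives.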
While the dedicated junk mailbox approach does mean a little more tender loving care in itself (on a daily or weekly review schedule, your mileage may vary), I believe it is the way to go.