4

I use the following milters with Postfix:

ClamAV, OpenDKIM, OpenDMARC, Rspamd

This is also the order they are being called via smtpd_milters.

What would be the best order for them regarding performance, resources and spam protection?

basbebe
  • I would set them up as follows: 1. OpenDKIM 2. OpenDMARC 3. Rspamd 4. ClamAV. The logic being that the most resource intensive operations should only be performed for messages that have been validated by less resource intensive methods. – red_shift Jan 06 '16 at 15:47
  • Why do you need anything but 'rmilter'? Rspamd can do DKIM and DMARC checks, rmilter, in turn, can do DKIM sign and clamav checks so you won't need anything else. – vstakhov Jan 06 '16 at 16:07
  • rmilter isn't being developed anymore and I want to avoid being stuck with the same decisions at some point in the future. Also rmilter doesn't work with ClamAV without running ClamAV as the _rmilter user. And I never got it to properly make DKIM signatures or add headers about these checks to received emails. – basbebe Jan 06 '16 at 16:14
  • @vstakhov don't get me wrong: I would love to use only rmilter. But the prospect of having to make the same decision in the foreseeable future is not good. Also I don't want to use memcached since I already use Redis. And as I said: the lack of an up to date guide and more verbose logging for debugging makes it hard to configure. – basbebe Jan 07 '16 at 13:40

1 Answer

4

OpenDKIM, OpenDMARC, Rspamd, ClamAV

I assume you have OpenDMARC configured to do SPF itself? You'll want to disable SPF/DKIM/DMARC checking in Rspamd then as well.

  • You need OpenDKIM before OpenDMARC so that the DMARC check can be done based on the Auth-Results: header set by OpenDKIM.
  • You want OpenDMARC before Rspamd so it can send DMARC reports on all messages, not just on those that made it past Rspamd.
  • You want Clam last to avoid AV scanning messages that another method of content filtering might block first.
cmeid
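
The ordering from the answer above, written out as configuration. This is an added example, not posted by anyone in the thread. The socket addresses, file paths and the hostname mail.example.org are assumptions, and the Rspamd lines assume a version that reads per-module overrides from local.d.

```conf
# --- /etc/postfix/main.cf ---------------------------------------------
# Postfix calls milters in the order listed here.
# Socket addresses are assumed; substitute the ones your daemons use.
# 1. OpenDKIM   2. OpenDMARC   3. Rspamd   4. ClamAV
smtpd_milters =
    inet:127.0.0.1:8891
    inet:127.0.0.1:8893
    inet:127.0.0.1:11332
    unix:/run/clamav/clamav-milter.ctl

# --- /etc/opendkim.conf -----------------------------------------------
# Runs first: verifies signatures and adds an Authentication-Results
# header stamped with this AuthservID.
Socket      inet:8891@127.0.0.1
Mode        sv
AuthservID  mail.example.org

# --- /etc/opendmarc.conf ----------------------------------------------
# Runs second: evaluates DMARC from the DKIM result added above.
# TrustedAuthservIDs must match OpenDKIM's AuthservID, otherwise the
# header is ignored and the DKIM result never reaches the DMARC check.
Socket              inet:8893@127.0.0.1
AuthservID          mail.example.org
TrustedAuthservIDs  mail.example.org
# OpenDMARC performs the SPF check itself (needs a build with SPF support).
SPFSelfValidate     true

# --- /etc/rspamd/local.d/spf.conf -------------------------------------
# --- /etc/rspamd/local.d/dkim.conf ------------------------------------
# --- /etc/rspamd/local.d/dmarc.conf -----------------------------------
# Put this single line in each of the three files so Rspamd does not
# repeat the checks already done by OpenDKIM and OpenDMARC.
enabled = false;
```

After reloading Postfix, `postconf -h smtpd_milters` shows the effective order, and a received test message should carry the OpenDKIM and OpenDMARC Authentication-Results headers with the same authserv-id.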