Billy Gorbachev’s options:
- OpenBSD. Eliminates need for fail2ban, since pf has this
functionality built in.
- qmail, not Postfix.
- OpenBSD spamd, not Postgrey. spamd hurts spammers more, and hurts
legit senders less. logs are hilarious, e.g. 126.96.36.199:
disconnected after 3995 seconds. lists: spamd-greytrap
- Replace spamassassin with Spamhaus hooks in qmail (tcpserver).
- qmail-pop3d, not Dovecot. Dovecot has a poor security track record.
Download mail over (pop3 over CurveCP), using fetchmail + CurveCP
command-line tools. Store locally in Maildir, backup
- drop ClamAV and Amavisd. Run FreeBSD or OpenBSD on your desktop.
- Add GnuPG to your local mail client.
- Add Spamhaus DROP and eDROP to network edge pf tables
- Add a TXT SPF record for your domain, including your servers,
followed by “-all”
Several of these changes can be made (SPF record, DROP, GnuPG) without
modifying your existing setup.