Hello David
David Restall - System Administrator wrote:
> from sendmail to exim + clamav + spamassassin + DNSBL + sender/callout.
First, what is the sender/callout used for? If you use it for verification of sender addresses on servers other than the ones controlled by you, it's by many considered some form of abuse as well. Have a read at
http://www.backscatterer.org/.
The calmav, spamassassin and DNSBL are only for getting rid of some spam to your users but not primary what your server sends out.
First of all, my general rule I suggest you implement are:
1. Accept submissions with sender addresses out of your domains only after SMTP authentication (outbound)
2. All the rest must go to known addresses within your domains (inbound)
This should make sure that only *your* users are able to send mail to the internet at large (authentication) through the server (no abuse by others) and inbound mail from anywhere only to your users, that is the point where the sa, dnsbl, et all kicks in as well.
In short: A mail you accept for processing is either through an authenticated connection or has its final destination in one of the domains you host.
Then you should only have mail sent to BT originating by your users. If BT still complains, it could be that one of your users is sending SPAM, which you can stop by disabling their account so SMTP auth will fail.
DKIM and SPF all have their own limitations and are no cure to the general SPAM problem, you should know all the limitations of these techniques before implementing them. Generally speaking, they *might* work for your, if all your users send mail through your server to the internet, and only through your servers. But if forwarding of mail accounts is used, this might get you into trouble already.
Oliver