Work on mail.haskell.org beginning, please report any problems

Hello Haskellers,

Beginning today, I am upgrading our Postfix installation on mail.haskell.org, and introducing some new options to reduce the amount of spam that hits our mailman server.

If you experience delivery problems, or any bounced mail, please send a copy of the full bounce message to my address: jwiegley@gmail.com.

I'll be making more changes gradually over the next few days, and watching the mail logs, but it's possible that mail accepted before will suddenly start getting rejected, depending on how well-behaved your sending mail server is.

Activities planned for this Christmas break are:

- [x] Upgrade Postfix to 2.11
- [X] Enable postscreen for pre-queue RBL filtering
- [ ] DKIM sign messages sent from mailman
- [ ] Implement DMARC policy (i.e., reject incoming messages improperly DKIM signed, or failing SPF check)
- [ ] Prevent mail being spoofed from haskell.org addresses
- [ ] Tighten sender and recipient restrictions
- [ ] Re-assess inbound and outbound rate limits
- [ ] Use SpamAssassin for post-queue filtering
- [ ] If helpful, enable deep protocol pre-filtering
- [ ] Document all the above, so others can help with e-mail admin

Thank you,
John Wiegley
Haskell.org, infrastructure team

On Dec 22, 2016, at 11:55 AM, John Wiegley wrote:

> - [x] Upgrade Postfix to 2.11

If available as a package for your O/S, might as well use 3.1

> - [X] Enable postscreen for pre-queue RBL filtering

This makes it possible to combine multiple lower-weight RBLs, that individually are not sufficient to reject mail, but you should still use the SpamHaus zen RBL in smtpd(8).

> - [ ] DKIM sign messages sent from mailman

Fair enough.

> - [ ] Implement DMARC policy (i.e., reject incoming messages improperly DKIM signed, or failing SPF check)

DO NOT DO THIS! DMARC is an abomination, abused by Yahoo and others to shift costs onto others.

The right thing to do with DMARC is to avoid modifying the message headers (no subject tags) and body (no footers). This way relayed posts pass DKIM checks. [ See e.g. perma-thread playing out on ietf@ietf.org at the moment. ]

We can ask list subscribers to add the [Haskell-cafe] tag to the first message in each new thread, so that the list can avoid the need to modify the message in transit (beyond adding List- headers, a Sender- header and setting an appropriate envelope sender).

> - [ ] Use SpamAssassin for post-queue filtering
> - [ ] If helpful, enable deep protocol pre-filtering

Deep protocol tests in "postscreen" have proved difficult to use; too many large providers don't retry messages from a stable IP address, and whitelisting their ever-changing address blocks is challenging.

--
Viktor.
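The point in the message above about subject tags and footers breaking DKIM, as an added example that is not part of the original thread: it applies RFC 6376 "relaxed" canonicalization to a message as signed and as relayed. The sample message is constructed, and the helper names and the assumption that Subject is among the signed headers are this example's own.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of whitespace, then drop whitespace at end of line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a signer places in the bh= tag (sha256 over the relaxed body)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    unfolded = value.replace("\r\n", "").replace("\n", "")
    return name.lower() + ":" + re.sub(r"[ \t]+", " ", unfolded).strip() + "\r\n"

def dkim_survives(signed, relayed):
    """Compare (subject, body) as signed by the author's domain with the
    copy the list relayed. Assumes Subject is listed in the signature's h= tag."""
    return {
        "subject": relaxed_header("Subject", signed[0]) == relaxed_header("Subject", relayed[0]),
        "body": body_hash(signed[1]) == body_hash(relayed[1]),
    }

# Constructed sample message, not taken from the list archive.
SIGNED = ("Question about  lazy IO",
          b"Hello,\r\n\r\nDoes anyone know why this leaks?  \r\n\r\n")
# Relay that only touches whitespace: relaxed canonicalization absorbs it.
WHITESPACE_ONLY = ("Question about lazy IO ",
                   b"Hello,\r\n\r\nDoes anyone  know why this leaks?\r\n")
# Relay that adds a subject tag and a footer, as many list setups do.
TAGGED = ("[Haskell-cafe] " + SIGNED[0],
          SIGNED[1] + b"_______________\r\nHaskell-Cafe mailing list\r\n")

if __name__ == "__main__":
    print("whitespace-only relay:", dkim_survives(SIGNED, WHITESPACE_ONLY))
    print("tag + footer relay:   ", dkim_survives(SIGNED, TAGGED))
```

A mismatch in either field means the author's original DKIM signature no longer verifies on the relayed copy, which is what a DMARC check at the receiving end then sees.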

On 22.12.2016 at 17:55, John Wiegley wrote:

> - [ ] Implement DMARC policy (i.e., reject incoming messages improperly DKIM signed, or failing SPF check)

I would be unable to send mail, because my mail installation is a bit old and would not pass either check (probably). This would be the first mailing list to have this problem for me.

participants (3)
- Joachim Durchholz
- John Wiegley
- Viktor Dukhovni