Making Rspamd's Blocklists Actually Work: A Private Unbound Resolver + Spamhaus DQS

Here’s a failure mode that hides in plain sight: if your spam filter resolves DNS through a public resolver like Google or Cloudflare, most DNS blocklists silently refuse to answer it. Spamhaus, URIBL, SURBL and friends all do this. Your filter keeps running, adds a few headers, and quietly lets listed senders through — because the lookups that should have flagged them never returned a useful answer.

The fix has three parts: run your own recursive resolver, subscribe to Spamhaus’s free Data Query Service (DQS), and set a reject policy that’s aggressive on definitive signals without inviting false positives. This post is the complete, reproducible setup. My stack is Postfix + Dovecot + Rspamd + ClamAV on MicroShift, managed with Flux; domains, keys and IPs are anonymized, but everything else is exact.

[Read More]

Hardening a Self-Hosted Mail Server: fail2ban, Postfix, and Dovecot

My home server runs a full mail stack — Postfix, Dovecot, Rspamd, ClamAV — on MicroShift. It’s exposed directly to the internet on ports 25 and 587. That means it gets attacked. Here’s how I protect it, what the attacks look like in the logs, and how I recently tightened the configuration after spotting a gap.

The Threat Landscape

Two distinct attack types show up regularly in the logs:

1. SASL Brute-Force — Attackers try username/password combinations via SMTP AUTH or IMAP. The pattern: multiple IPs, each trying a different username, typically in parallel waves.

[Read More]