SPF and DKIM checks

docs/tricks.md

@@ -0,0 +1,42 @@
+# tricks
+
+<!-- vim-markdown-toc GitLab -->
+
+* [Logs](#logs)
+  * [get most active hosts](#get-most-active-hosts)
+
+<!-- vim-markdown-toc -->
+
+## Logs
+
+### get most active hosts
+
+Even if you use postmoogle as an internal mail server and contact "outside internet" quite rarely,
+you will see lots of connections to your SMTP servers from random hosts over internet that do... nothing?
+They don't send any valid emails or do something meaningful, thus you can safely assume they are spammers.
+
+To get top X (in example: top 10) hosts with biggest count of attempts to connect to your postmoogle instance, follow the steps:
+
+1. enable debug log: `export POSTMOOGLE_LOGLEVEL=debug`
+2. restart postmoogle and wait some time to get stats
+3. run the following bash one-liner to show top 10 hosts by connections count:
+
+```bash
+journalctl -o cat -u postmoogle | grep "smtp.DEBUG accepted connection from " | grep -oE "[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}" | sort | uniq -ci | sort -rn | head -n 10
+    253 111.111.111.111
+    183 222.222.222.222
+     39 333.333.333.333
+     38 444.444.444.444
+     18 555.555.555.555
+     16 666.666.666.666
+      8 777.777.777.777
+      5 888.888.888.888
+      5 999.999.999.999
+      4 010.010.010.010
+```
+
+of course, IP addresses above are crafted just to visualize their place in that top, according to the number of connections done.
+In reality, you will see real IP addresses here. Usually, only hosts with hundreds or thousands of connections for the last 7 days worth checking.
+
+What's next?
+Do **not** ban them right away. Check WHOIS info for each host and only after that decide if you really want to ban that host or not.