Some recent suggestions I've encountered:
Rspamd is not a dead project and it can do all the stuff
OpenDKIM+OpenDMARC+OpenARC can do (yes, even ARC signing and DMARC
reporting). I have even added support of OpenDKIM style signing tables [1].
So far, Rspamd supports ed25519 and dual-signing out of the box. It also
supports HashiCorp Vault to store (and rotate!) DKIM secrets [2]. In
terms of DKIM signing there is also support of fast signing (with all
content scan features disabled), so it is highly unlikely that its
performance can be beaten by any other signing tool in this mode [3].
Rspamd (embedded in a Mailu installation) for low-maintenance operation. That package includes several mechanisms
to score messages and handle them according to score intervals. This does a relatively good job but isn't really
able to detect persistent spammers using their own IP ranges.
Are you aware of its reputation module? In conjunction with the selector
system you can build reputation on a wide range of parameters without touching
Lua. Besides its IP reputation I use sender's eSLD, IPnet & ASN
reputation with the score limited so it is not enough for rejection on its own.
If a spammer uses unrelated IPs, ASNs and/or senders (snowshoe), you still
can use its Bayes and/or fuzzy checks. But basically the reputation
module with RBL scoring does a good job, and in the last year I do not remember
any false negative mail and only a small amount of false positives, especially
from Gmail; these false positives are mostly not due to reputation, but due to
SPF/DKIM/DMARC ignorance of our eshop systems.
I have a small Python script which gets reputation data from Rspamd's
Redis DB and fills a dynamic blocklist for Exim, to block persistent
spammers at the MTA level (RCPT stage).
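The script described above is not on the page, so here is an added example of that idea, written for this note and not the poster's code. It assumes (hypothetically) that the reputation backend keeps one Redis hash per sender IP under a key "RR<ip>" with "spam" and "ham" counters; the real key layout of Rspamd's Redis backend may differ, so adjust load_reputation() to your installation. An in-memory FakeRedis with constructed data stands in for a real redis.Redis(decode_responses=True) client, which exposes the same scan_iter() and hgetall() calls. The example goes slightly beyond the post: it requires a minimum history before blocking, collapses a /24 when several of its hosts are bad (the IPnet idea), and replaces the list file atomically so Exim never reads a half-written file.

```python
"""Build an Exim host blocklist from Rspamd reputation data kept in Redis.

Added example, not the poster's script.  ASSUMED key layout: one hash per
sender IP named "RR<ip>" with "spam"/"ham" counters (may differ in Rspamd).
"""
import ipaddress
import os
import tempfile
from typing import Dict, Iterable, Iterator, List, Tuple

KEY_PREFIX = "RR"        # assumed prefix of the reputation backend keys
MIN_MESSAGES = 20        # ignore senders with too little history
SPAM_RATIO = 0.95        # fraction of spam needed to block a host
NET_BLOCK_MIN_HOSTS = 3  # collapse a /24 when this many of its hosts are bad


class FakeRedis:
    """In-memory stand-in for redis.Redis(decode_responses=True); only the
    two calls used below are implemented.  Data is constructed for the demo."""

    def __init__(self, data: Dict[str, Dict[str, str]]):
        self._data = data

    def scan_iter(self, match: str = "*") -> Iterator[str]:
        prefix = match.rstrip("*")
        return (k for k in self._data if k.startswith(prefix))

    def hgetall(self, key: str) -> Dict[str, str]:
        return dict(self._data.get(key, {}))


def load_reputation(client, prefix: str = KEY_PREFIX) -> Iterator[Tuple[str, int, int]]:
    """Yield (ip, spam, ham) for every IP-keyed reputation hash under prefix."""
    for key in client.scan_iter(match=prefix + "*"):
        entry = key[len(prefix):]
        try:
            ip = str(ipaddress.ip_address(entry))
        except ValueError:
            continue  # eSLD / ASN entries are not IPs; skip them here
        fields = client.hgetall(key)
        yield ip, int(fields.get("spam", 0)), int(fields.get("ham", 0))


def select_bad_hosts(entries: Iterable[Tuple[str, int, int]],
                     min_messages: int = MIN_MESSAGES,
                     spam_ratio: float = SPAM_RATIO) -> List[str]:
    """Return IPs with enough history whose traffic is almost entirely spam."""
    bad = [ip for ip, spam, ham in entries
           if spam + ham >= min_messages and spam / (spam + ham) >= spam_ratio]
    # sort by (version, numeric value): v4 and v6 addresses are not comparable
    return sorted(bad, key=lambda h: (ipaddress.ip_address(h).version,
                                      int(ipaddress.ip_address(h))))


def collapse_networks(hosts: Iterable[str],
                      min_hosts: int = NET_BLOCK_MIN_HOSTS) -> List[str]:
    """Replace IPv4 hosts sharing a /24 by that /24 when enough of them are
    bad (snowshoe senders often rotate inside one allocation)."""
    by_net: Dict[ipaddress.IPv4Network, List[str]] = {}
    result: List[str] = []
    for h in hosts:
        addr = ipaddress.ip_address(h)
        if addr.version == 4:
            net = ipaddress.ip_network(f"{addr}/24", strict=False)
            by_net.setdefault(net, []).append(h)
        else:
            result.append(h)  # IPv6 kept as single hosts in this example
    for net, members in by_net.items():
        result.extend([str(net)] if len(members) >= min_hosts else members)
    return sorted(result)


def write_blocklist(lines: Iterable[str], path: str) -> None:
    """Write to a temp file in the same directory, then rename over the
    target, so Exim always sees either the old or the complete new list."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".blocklist.")
    with os.fdopen(fd, "w") as f:
        f.write("# generated from Rspamd reputation data\n")
        f.writelines(line + "\n" for line in lines)
    os.replace(tmp, path)


def build_blocklist(client) -> List[str]:
    return collapse_networks(select_bad_hosts(load_reputation(client)))


# Constructed sample data standing in for the Redis contents.
SAMPLE = {
    "RR192.0.2.10": {"spam": "40", "ham": "0"},
    "RR192.0.2.11": {"spam": "30", "ham": "1"},
    "RR192.0.2.12": {"spam": "25", "ham": "0"},
    "RR198.51.100.7": {"spam": "50", "ham": "1"},
    "RR198.51.100.8": {"spam": "3", "ham": "0"},    # too little history
    "RR203.0.113.5": {"spam": "10", "ham": "40"},   # mostly ham
    "RR2001:db8::1": {"spam": "100", "ham": "2"},
    "RRexample.test": {"spam": "99", "ham": "0"},   # eSLD entry, skipped
}

if __name__ == "__main__":
    entries = build_blocklist(FakeRedis(SAMPLE))
    write_blocklist(entries, os.path.join(tempfile.gettempdir(), "rspamd_blocklist"))
    print("\n".join(entries))
```

Exim reads such a file directly as a host list: in acl_check_rcpt, `deny hosts = /etc/exim4/rspamd_blocklist` together with a `message =` modifier rejects the connection at the RCPT stage, and the file may contain single addresses (IPv4 or IPv6) and CIDR blocks, one per line, with `#` comments. Running the script from cron every few minutes keeps the list current, and the minimum-history and ratio thresholds keep a single misclassified message from blocking a legitimate sender.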
Anyway, I document what I do in a blog post:
Zimbra AntiSpam Best Practices
The post describes how we rely on several layers of protection (including those provided by Postfix, which I know you are not using), as well as our adjustments to Amavis and SpamAssassin. I hope there are some techniques in the blog post that will be helpful to you.
For Let's Encrypt certificates, I use these awesome scripts; they are written as bash shell scripts and they are infinitely better than the official certbot tool, since they can be used without a web server, by using DNS API integration. They are highly recommended:
For the first one, it no longer defaults to LE; it uses ZeroSSL, because its rights are now owned by them. You can re-enable LE as the default though by:
acme.sh --set-default-ca --server letsencrypt
I use Bruce Guenter's mailfront for my incoming mail so I had to add SNI support. It wasn't very hard. [when using SNI to differentiate between certificates]
If one abuses any of 25|465|587, they are blocked on all of 25/465/587 with a lengthy filter time.
If one abuses any of 110|143|993|995, they are blocked on all of 110/143/993/995 with a slightly shorter filter time.