Roderick A. Anderson:
> I'm implementing greylisting on CentOS 5 systems.
>
> These are spools for the actual mailserver/mailbox systems.
>
> Currently we have:
>
> smtpd_recipient_restrictions =
> reject_unauth_pipelining, cheap
> reject_non_fqdn_sender, cheap
> reject_non_fqdn_recipient, cheap
> reject_unknown_recipient_domain, expensive
> reject_unknown_sender_domain, expensive
> reject_unlisted_recipient, medium
> permit_mynetworks, cheap
> reject_unauth_destination, cheap
> reject_invalid_hostname, cheap
> reject_non_fqdn_hostname, cheap
> reject_rbl_client zombie.dnsbl.sorbs.net, expensive
> reject_rbl_client cbl.abuseat.org, expensive
> permit

Generally, put expensive checks after cheap ones (policy server
lookup is cheap to medium, depending on what it does).

If a policy server can return "ok", then never put it before
reject_unauth_destination, otherwise you could become an open relay.

Wietse
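
The ordering rule from the reply above, as an added example that is not part of the original thread: a small check that reads `smtpd_recipient_restrictions` from main.cf text and reports any lookup that can return "ok" and is evaluated before `reject_unauth_destination`. It goes beyond the policy server case by also flagging `check_*_access` tables, which can return OK in the same way. The function names, both sample configs and the policy endpoint `inet:127.0.0.1:10023` are assumptions made for illustration.

```python
import re
# Lookups whose result can be "OK" (permit); each takes one argument.
CAN_PERMIT = re.compile(r"^(check_policy_service|check_\w+_access)$")

def restriction_value(main_cf, name="smtpd_recipient_restrictions"):
    """Return a main.cf parameter value with continuation lines joined."""
    value, collecting = [], False
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a multi-line value
        if line[0].isspace():  # continuation of the previous parameter
            if collecting:
                value.append(line.strip())
            continue
        key, _, rest = line.partition("=")
        collecting = key.strip() == name
        if collecting:
            value = [rest.strip()]  # a later definition overrides an earlier one
    return " ".join(value)

def open_relay_risks(main_cf):
    """List permit-capable lookups evaluated before reject_unauth_destination."""
    tokens = [t for t in re.split(r"[,\s]+", restriction_value(main_cf)) if t]
    risks = []
    for i, tok in enumerate(tokens):
        if tok == "reject_unauth_destination":
            break  # later lookups only see mail for authorized destinations
        if CAN_PERMIT.match(tok):
            risks.append(" ".join(tokens[i:i + 2]))  # restriction + its argument
    return risks

# Constructed sample configs; the policy endpoint is an assumed value.
BAD = """
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:10023,
    permit_mynetworks,
    reject_unauth_destination,
    permit
"""
GOOD = """
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10023,
    permit
"""

if __name__ == "__main__":
    print(open_relay_risks(BAD), open_relay_risks(GOOD))
```

If `reject_unauth_destination` does not appear in the list at all, every permit-capable lookup is reported.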