On 2024-01-10 at 10:12:26 UTC-0500 (Wed, 10 Jan 2024 17:12:26 +0200)
Nikolaos Milas via Postfix-users <nmi...@noa.gr>
is rumored to have said:
[...]
and this causes legitimate mail to be discarded (actual mail addresses
modified above).
My question in this case: If I understand right, it seems that
postscreen allows the client connection even though it is listed
because it uses a cache which serves as a useful buffer; however the
client is subsequently blocked by reject_rbl_client restrictions.
So, it seems I should I entirely remove the reject_rbl_client filters
(from smtpd_recipient_restrictions) as they are already listed with
postscreen.
No, that's the wrong lesson.
You should be more selective about your long lists of DNSBLs. They are
not all the same thing, and so are not all suitable for use at
postscreen time. It seems like you are ignoring the fact that the
underlying cause of this rejection is your decision to trust the Spamcop
'bl' list as an absolute blocker, which for most people who value their
email is not a good idea. If you want to consistently receive mail from
the giant mailbox providers, you need to use more nuanced mechanisms.
It appears to me that using rbl services both with postscreen and
smtpd_recipient_restrictions is actually pointless and causes double
lookups which in the end make things worse. Postscreen is sufficient
and better in filtering with rbl services. Am I right?
Not sufficient and not better. Different.
Postscreen is intended and designed to catch "bots": automated senders
of nothing but garbage. It exists to spare systems from running full
smtpd processes for what are ultimately no-op sessions. Unless you
enable its extended checks, postscreen is very lightweight and fast.
That's partly because it has no time-consuming exemption mechanisms
(only fast ones.)
Using reject_rbl_client with DNSBLs which occasionally list IPs which
send a mix of spam and ham can be made feasible by putting the
reject_rbl_client restriction late in the restriction list and having
exemption mechanisms ahead of it. For example, I use reject_rbl_client
extensively, but with check_*_access maps ahead of those directives. If
you like everything about the Spamcop DNSBL except for it listing
Microsoft outbounds, you could have a check_client_access directive with
a map that permits *.outbound.protection.outlook.com clients before any
DNSBL checks (in the same restriction list.)
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
