>>>>> On April 13, 2025 Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:

> On Sun, Apr 13, 2025 at 10:19:29PM -0400, Greg Klanderman via Postfix-users
> wrote:
>> > This has little to do with hash tables, but as documented in
>> > https://www.postfix.org/postconf.5.html#postscreen_access_list the only
>> > supported lookup key is the full IP address, table lookups happen prior
>> > to any DNS resolution.
>>
>> And anyway seems like a premature optimization.

> No, all of postscreen is an optimisation, and specifically designed to
> drop known bad connections *quickly* in a single process, while handling
> hundreds to thousands of connections. In order to make sure that new
> good connections are still able to get through, it is important that
> postscreen(8) not get saturated with too many concurrent bad
> connections, therefore, latency is minimised, with any inconclusive
> clients that leak through handed off to smtpd(8).

If you're willing to wait 6s for the greet wait, and (in parallel) for
DNS blocklist results, it seems you could easily also do a reverse DNS
lookup in parallel. Which would make the logs much more useful when
you need to find where some mail got lost, and allow for more flexible
access checking.

Regarding the greet wait - is that a very safe check upon which to
reject clients? I.e. can I set it and forget it? Or do you see some
false positives, and need to add exceptions to the access list? That
seems like a case where being able to match the hostname could be very
useful.

Hmm, re-reading POSTSCREEN_README, I guess postscreen is only
temporarily caching *passing* results. I'm surprised it wouldn't make
sense to cache failures, presumably for a much shorter time than the
7d retention for passing.

In POSTSCREEN_README, under 'When tests fail before the 220 SMTP
server greeting', under the action 'enforce', it says 'log the
helo/sender/recipient information'. Presumably this only applies if
using any post- server greeting tests?

Any guidance on 'enforce' vs 'drop' for the pre- server greeting tests?
(I don't expect to use the post- greeting tests..)

many thanks,
Greg