Friends, What would be valuable (or at least interesting) to me is to treat the RDNS lookup (peer address->name and subsequent name->address) as a part of smtpd_client_restrictions, or in some way delay it until that time. Currently, it seems that both of the above lookups take place before any smtpd_client_restrictions processing even begins, which means that two DNS queries are made [I won't say that postfix makes them since that seems to provoke some ire, but it does cause them to be made on its behalf via a call to gethostbyaddr()], which in some cases could be avoided, thus saving reducing traffic. For example, I eliminate >85% of my incoming email at "RCPT TO" time via a local access(5) map for valid/invalid recipients (smtpd_recipient_restrictions's check_recipient_access), which generates no external traffic; since I use "smtpd_delay_reject = yes", I defer RBL lookups (which also consume network resources since I don't locally mirror any RBLs) until after receipt of the "RCPT TO" and subsequent recipient-check; but I am not able to defer the peername lookup without turning off smtpd_peername_lookup entirely, which I assume disables the use of, e.g., reject_unknown_client_hostname (whether or not this is true is ambiguous at best in the postconf(5) documentation for my version, 2.5.5, which might be an example of what Steve refers to as incomplete documentation).
I suspect that eliminating 3 or 4 DNS query packets and the same number of DNS result packets outweighs the additional traffic of receiving HELO, MAIL FROM: and RCPT TO: (and resultant TCP ACKs), and it definitely would save on traffic for me since I will delay-reject in any case, to reduce the number of queries to the RBL. If the peername lookup could be specified (in order) as a part of smtpd_client_restrictions (smtpd_helo_restrictions, smtpd_recipient_restrictions, etc. when smtpd_delay_reject is turned on), it would allow me to check my local invalid-recipient map and reject the majority of incoming connections without two external PTR lookups while preserving the ability to check the peername validity for incoming connection with a valid recipient. Of course, the reverse-resolved peername is sometimes needed as part of client restrictions, so another strategy is "lazy resolution", delaying resolution until needed, i.e. during/after client restrictions processing. If I understand Steve's problem correctly, wouldn't this furthermore solve it, since he could specify permit_mynetworks prior to reject_unknown_client_hostname (or perhaps a new "pseudo-restriction" to specify lookup without rejection like "lookup_client_hostname") in smtpd_client_restrictions? Of course, I haven't gone through the code with a fine-toothed comb, so there may perhaps be something taking place between the peername lookup (looks to me to be very early on, in smtpd_peer_init(), called from smtpd_state_init()) and the later checks (e.g. client-check in smtpd_check_client(), called from smtpd_proto()) that might require the reverse-resolved peername, but (1) it currently may not be available if smtpd_peername_lookup is turned off, and (2) if needed, the "lazy-resolve" method would retrieve it "just in time." Cheers, David