On Mon, Mar 15, 2010 at 03:29:46PM -0500, Noel Jones wrote:

> I suppose the "failed DNS whitelist lookup" problem could be mostly avoided
> if the DEFER_IF_REJECT flag was raised on lookup failure. That would allow
> known good mail to pass, and rejected mail would get a safety net. IIRC
> last time we discussed this, DEFER_IF_REJECT wasn't invented yet (at least
> not in its current form).
With name-based white-lists (check_client_access with names rather than addresses as keys) "defer_if_reject" is not a good option for all anonymous clients. With explicit DNSWL lookups, indeed "defer_if_reject" is acceptable, since the DWL is operated locally or by a competent provider and persistent temp failure of lookups is less likely.

So it seems to me that this has cleaner semantics than "check_client_access" with name-based "OK" results, provided the DWL lookup-key is an address, not a domain name!

-- 
	Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
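The two configurations being contrasted in this exchange, written out as an added main.cf example (not Noel's or Viktor's own configuration, and not from the Postfix distribution). Assumptions: the hash map path, the DWL zone `dwl.example` and the blocklist zone `bl.example` are placeholders; `permit_dnswl_client` is the restriction Postfix later shipped (2.8 and newer) for address-keyed DNS whitelist lookups, and whether a temporary DWL lookup error is handled with defer_if_reject semantics in your release is something to confirm in postconf(5) rather than take from this example.

```conf
# Weaker form: a name-keyed whitelist. check_client_access matches the
# client's hostname (and parent domains) as well as its address, so an "OK"
# keyed on a name depends on the client's reverse DNS resolving at SMTP time.
# Giving such entries "defer_if_reject" would defer mail from every anonymous
# client whose name lookup temp-fails, not only from the hosts you meant.
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/client_whitelist,
    reject_rbl_client bl.example

# /etc/postfix/client_whitelist (build with postmap), keyed on names:
#   mail.partner.example      OK
#   relay.partner.example     defer_if_reject

# Cleaner form: an explicit DNS whitelist lookup keyed on the client IP
# address (reversed octets queried under dwl.example). The key cannot fail
# to "resolve" the way a client name can, so a lookup failure is a real
# DWL outage, and deferring only mail that a later restriction would reject
# keeps known-good senders flowing while the safety net is in place.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_dnswl_client dwl.example,
    reject_rbl_client bl.example
```

The ordering matters for the safety-net argument: the DWL restriction must come before the rejecting restrictions so that a whitelist hit permits the client outright, while a temporary lookup error can only turn a subsequent reject into a 4xx, never a permanent 5xx, and never affects mail that would have been accepted anyway.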