>> One of the design issues is what to do if the whitelist query tempfails?
>> if postfix tempfails, then you defer all mail (or a large part). if you
>> pass, then you get "non deterministic" behaviour.
>
> When a DNS blacklist lookup fails, the worst that can happen is unwanted
> mail is accepted. Since you accept unwanted mail anyway, this isn't a
> real big problem. So with blacklist failures it's acceptable to "log
> warning and continue".
>
> When a DNS whitelist fails, the worst that can happen is that mail that
> should be specifically whitelisted is rejected. This is bad.
>
> I suppose the "failed DNS whitelist lookup" problem could be mostly
> avoided if the DEFER_IF_REJECT flag was raised on lookup failure. That
> would allow known good mail to pass, and rejected mail would get a
> safety net. IIRC last time we discussed this, DEFER_IF_REJECT wasn't
> invented yet (at least not in its current form).
I understand what you say: you don't want to be dropping mail that's actually supposed to be whitelisted. However, the DEFER_IF_REJECT flag makes _all_ mail that would normally be rejected (quite a lot) be deferred, which imho is quite a sacrifice to make (if I understand correctly).

I don't feel that my specific use case warrants such an approach; the whitelist that I would like to use contains IP addresses of MTAs from the biggest ISPs in The Netherlands. They normally don't get blacklisted at all; the whitelist is there only to protect regular email traffic from some accidental blacklisting. In the rare case that it happens, these guys are very quick in having themselves unlisted again, so in that respect the whitelist is only useful now and then, and even then just for a relatively short period of time.

In this case I would say that if the whitelist were to be unavailable at some time, logging a warning and continuing is the best thing to do. This way the usual rejecting of mail isn't disrupted, and most of the time the blacklists don't contain those IP addresses anyway, so if the whitelist is unavailable for just a short period of time, normally no mail would get unjustly blocked.

Please note that at this time most postfix users don't use the whitelist at all, and that would be quite a lot of Dutch ISPs, so the described implementation would be a big step forward anyway -- it doesn't even need to be foolproof in order to be useful. Other users' use cases may vary of course; making this configurable would enable everyone to choose the right behaviour for their specific environment.
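The three options argued over above (tempfail everything, "log a warning and continue", or raise DEFER_IF_REJECT when the whitelist lookup fails) can be modelled as a small decision function. This is an added example written for this page, not Postfix code and not a claim about how Postfix itself handles the case; the policy names, the `Lookup`/`Action` enums and the restriction order (whitelist check first, then blacklist check) are assumptions chosen to mirror the discussion.

```python
"""Model of how an SMTP restriction list behaves when a DNS whitelist
lookup tempfails, under three failure policies.  Added example; the
policy names and the restriction order are assumptions, not Postfix's."""
from enum import Enum


class Lookup(Enum):
    LISTED = "listed"          # DNS answer: address is on the list
    NOT_LISTED = "not_listed"  # DNS answer: NXDOMAIN / not on the list
    TEMPFAIL = "tempfail"      # DNS error: SERVFAIL, timeout, ...


class Action(Enum):
    ACCEPT = "accept"  # 2xx (permit, or no restriction matched)
    REJECT = "reject"  # 5xx permanent rejection
    DEFER = "defer"    # 4xx temporary rejection, sender will retry


class Policy(Enum):
    # Whitelist tempfail -> 4xx for every client, listed or not.
    DEFER_ALL = "defer_all"
    # Whitelist tempfail -> log, treat client as not whitelisted.
    WARN_AND_CONTINUE = "warn_and_continue"
    # Whitelist tempfail -> log, treat as not whitelisted, but turn any
    # later 5xx in this session into a 4xx (the DEFER_IF_REJECT idea).
    DEFER_IF_REJECT = "defer_if_reject"


def decide(policy, whitelist, blacklist, log=None):
    """Evaluate an assumed restriction list:
         permit_dnswl_client <whitelist>, reject_rbl_client <blacklist>
    and return the Action taken for one client connection."""
    if log is None:
        log = []
    defer_if_reject = False

    # 1. DNS whitelist.  A positive answer ends evaluation with a permit.
    if whitelist is Lookup.LISTED:
        return Action.ACCEPT
    if whitelist is Lookup.TEMPFAIL:
        if policy is Policy.DEFER_ALL:
            return Action.DEFER
        log.append("warning: DNS whitelist lookup tempfailed; continuing")
        if policy is Policy.DEFER_IF_REJECT:
            defer_if_reject = True

    # 2. DNS blacklist.  A failed lookup is treated as "not listed": the
    #    worst case is accepting unwanted mail, which was acceptable above.
    if blacklist is Lookup.LISTED:
        return Action.DEFER if defer_if_reject else Action.REJECT
    if blacklist is Lookup.TEMPFAIL:
        log.append("warning: DNS blacklist lookup tempfailed; continuing")
    return Action.ACCEPT


def outage_table():
    """What each policy does while the whitelist is unreachable, for the
    two cases that matter: a client that is also on the blacklist (the
    'accidentally blacklisted ISP MTA' case) and one that is not."""
    return {
        policy: {
            bl: decide(policy, Lookup.TEMPFAIL, bl)
            for bl in (Lookup.LISTED, Lookup.NOT_LISTED)
        }
        for policy in Policy
    }


if __name__ == "__main__":
    for policy, row in outage_table().items():
        print(f"{policy.value:18}",
              " ".join(f"bl={bl.value}->{act.value}" for bl, act in row.items()))
```

Reading the table: with WARN_AND_CONTINUE a whitelisted sender that is on a blacklist during a whitelist outage gets a 5xx, which is the loss the quoted poster wants to avoid; with DEFER_IF_REJECT that sender gets a 4xx instead, but so does every other blacklisted client for the duration of the outage, which is the cost the reply objects to; DEFER_ALL defers even clients on neither list.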