On 8/27/2010 1:43 PM, Stan Hoeppner wrote:
> pf at alt-ctrl-del.org put forth on 8/27/2010 1:23 PM:
>> Is there any known policy server or add-on, that will change the
>> tempfail action after a couple of hours, for things like
>> reject_unknown_client_hostname and reject_unknown_client_hostname?
>>
>> Sending a reject has problems. I don't want to flat out reject, based on
>> a temp error.
>>
>> Sending a 450 has problems. Some sender clients may try to resend the
>> email, once per minute for two or three days before giving up.
>> So while that message is in limbo on the sending server: The end user
>> who sent it assumes that there is something wrong on our end. The
>> recipient who expects it assumes that there is something wrong on our
>> end. And the admin on the sender side does not find out that the problem
>> is on their end, until several days later.
>>
>> I guess it would be an adaptation of greylisting, where:
>>
>> default unknown client/hostname = DEFER_IF_PERMIT
>> greyhostclient policy
>>   firstseen timestamp for unknown client/hostname
>>   greyhostclient_delay = 4h
>>   return DEFER_IF_PERMIT during the 4h window.
>> Then after 4 hours, REJECT is returned instead.
>>
>> Anything like that out there?
>
> You're barking up the wrong tree. Assuming you have Postfix 2.3 or
> later, use
>
> reject_unknown_reverse_client_hostname
>
> _instead of_
>
> reject_unknown_client_hostname
>
> Read the definition of each at:
> http://www.postfix.org/postconf.5.html#smtpd_client_restrictions

This will only help for clients with no rDNS; no effect on
clients where the forward hostname lookup fails, nor where the
rDNS lookup fails.

Mr. pf will need to write his own policy server. A greylist
policy is a good place to start.

> reject_unknown_client_hostname is far too restrictive in most cases,

Generally true, but outsiders don't dictate local policy.

> and will cause all kinds of temp fails.

It would be irresponsible of postfix to lose mail just because
someone's DNS hiccuped. Persistent clients will need to be
added to a local blacklist - that's what the OP wants to automate.

> It will, for instance, temp fail
> every connection from Hotmail (unless MS fixed their DNS recently).

You'll need to show evidence of that claim. Hotmail passes
reject_unknown_client_hostname here consistently. In fact I
have a check_sender_access map that specifically does
reject_unknown_client_hostname on any @hotmail sender address.
-- Noel Jones
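The policy server the OP sketches and the reply says he will have to write himself, as an added example that is not code from this thread, from Postfix, or from any of its posters: a spawn(8)-style SMTPD policy daemon that answers DEFER_IF_PERMIT while a client whose name Postfix could not resolve and verify is inside a grace window, and REJECT once that client has been failing for longer than the window. The request framing and the attribute names used (request, client_address, client_name, with "unknown" as the value Postfix substitutes for an unverifiable name) follow SMTPD_POLICY_README; the 4h delay, the 7-day forget timer, the reply texts and the in-memory store are this example's own assumptions. The constructed sample request is included so the module runs offline.

```python
"""Greylist-style Postfix policy daemon for clients with an unknown hostname.

Added example, not from the mailing-list thread or from Postfix: tempfail
(DEFER_IF_PERMIT) an unknown-name client for a grace window, then REJECT.
Attribute names follow SMTPD_POLICY_README; delay, TTL, reply texts and the
in-memory store are assumptions of this example.
"""
import sys
import time

GREYHOST_DELAY = 4 * 3600    # grace window before tempfail turns into reject
ENTRY_TTL = 7 * 24 * 3600    # forget a client not seen for this long

# Constructed sample request in the format Postfix sends: attribute=value
# lines terminated by an empty line.  Postfix reports client_name=unknown
# when the client's address<->name mapping could not be verified.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.10\n"
    "client_name=unknown\n"
    "reverse_client_name=unknown\n"
    "sender=someone@example.com\n"
    "recipient=user@example.net\n"
    "\n"
)


def parse_policy_request(raw):
    """Return the attributes of one policy request as a dict."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break                      # the empty line ends the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class GreyHostPolicy:
    """DEFER_IF_PERMIT unknown-name clients for `delay` seconds, then REJECT."""

    def __init__(self, delay=GREYHOST_DELAY, ttl=ENTRY_TTL, clock=time.time):
        self.delay = delay
        self.ttl = ttl
        self.clock = clock
        # client_address -> [first_seen, last_seen].  In memory only, so the
        # window restarts whenever spawn(8) restarts this process.
        self.entries = {}

    def decide(self, attrs):
        now = self.clock()
        self._expire(now)
        addr = attrs.get("client_address", "")
        if attrs.get("request") != "smtpd_access_policy" or not addr:
            return "DUNNO"
        if attrs.get("client_name", "unknown") != "unknown":
            # The name resolves and verifies now (DNS fixed, or a different
            # host on that address): drop any grey entry, let others decide.
            self.entries.pop(addr, None)
            return "DUNNO"
        first, _ = self.entries.setdefault(addr, [now, now])
        self.entries[addr][1] = now
        remaining = self.delay - (now - first)
        if remaining > 0:
            # X.7.25 is the enhanced status code for a reverse DNS
            # validation failure (RFC 7372).
            return ("DEFER_IF_PERMIT 450 4.7.25 Client host %s has no valid "
                    "hostname; fix its DNS and retry in %d minutes"
                    % (addr, remaining // 60 + 1))
        return ("REJECT 550 5.7.25 Client host %s has had no valid hostname "
                "for more than %d hours" % (addr, self.delay // 3600))

    def respond(self, raw):
        """Full request text in, full policy reply out."""
        return "action=%s\n\n" % self.decide(parse_policy_request(raw))

    def _expire(self, now):
        stale = [a for a, (_, last) in self.entries.items()
                 if now - last > self.ttl]
        for a in stale:
            del self.entries[a]


def serve(stream_in=sys.stdin, stream_out=sys.stdout, policy=None):
    """Request loop for a spawn(8)-started policy daemon on stdin/stdout."""
    policy = policy or GreyHostPolicy()
    buf = []
    for line in stream_in:
        buf.append(line)
        if line.strip() == "":
            stream_out.write(policy.respond("".join(buf)))
            stream_out.flush()
            buf = []


if __name__ == "__main__":
    serve()
```

The wiring assumed here (again not from the thread) is a master.cf spawn entry such as `greyhost unix - n n - 0 spawn user=nobody argv=/usr/bin/python3 /usr/local/sbin/greyhost.py`, and `check_policy_service unix:private/greyhost` placed in smtpd_client_restrictions after permit_mynetworks, in the slot where reject_unknown_client_hostname would otherwise go, so that the daemon rather than Postfix chooses between 450 and 550. Two caveats a practitioner should weigh: the state lives in memory, so the clock restarts whenever spawn(8) restarts the process (the greylist example shipped with Postfix keeps its timestamps in a DB file for exactly this reason), and the policy request carries only the resolved-or-unknown name, not whether the lookup failed temporarily or permanently, so elapsed time is the only signal this daemon has to work with.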