On Thu, Feb 24, 2011 at 12:52:54PM -0500, Wietse Venema wrote:

> Victor Duchovni:
> > If one wants to avoid whitelisting bots that only connect to backup MX
> > hosts, appropriate configuration in the backup MX postscreen. I am not
> > sure how this part of the design works, is that we expect that bot to
> > fail the test via the backup IP, or are we trying to not whitelist
> > clients that never try the primary IP?
>
> Enable whitelisting only on the primary MX address(es).
>
> In other words, always fail the tests for non-whitelisted clients
> on the non-primary IP address(es).

Is this existing postscreen functionality? Or does this part require
a bit of new code...

You mentioned zero lines of code, and I have not run into any feature
of postscreen that disables the whitelist cache. When a single postscreen
service does listen on multiple IPs, I assume new code is required to
treat connections to the two IPs differently...

--
Viktor.