Victor Duchovni:
> On Thu, Feb 24, 2011 at 12:52:54PM -0500, Wietse Venema wrote:
> 
> > Victor Duchovni:
> > > If one wants to avoid whitelisting bots that only connect to backup MX
> > > hosts, appropriate configuration in the backup MX postscreen is needed. I am
> > > not sure how this part of the design works: is it that we expect the bot
> > > to fail the test via the backup IP, or are we trying to not whitelist
> > > clients that never try the primary IP?
> > 
> > Enable whitelisting only on the primary MX address(es).
> > 
> > In other words, always fail the tests for non-whitelisted clients
> > on the non-primary IP address(es).
> 
> Is this existing postscreen functionality? Or does this part require
> a bit of new code... You mentioned zero lines of code, and I have not
> run into any feature of postscreen that disables the whitelist cache.
> 
> When a single postscreen service does listen on multiple IPs, I assume
> new code is required to treat connections to the two IPs differently...

The zero lines solution refers to the subject of this thread.

In addition, one can also introduce new mechanisms into postscreen.
For example, disabling dynamic whitelisting for connections to
backup MX addresses. That does require new code, but it requires
very little (call getsockname(), run the local endpoint address
against a matchlist, set a flag to force whitelist failure).

        Wietse

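The three steps Wietse sketches (getsockname() on the accepted connection, match the local endpoint against a list of backup MX addresses, set a flag that forces whitelist failure) as an added, self-contained C example. This is illustration code, not postscreen source: the matchlist `backup_mx_addrs` is a constructed sample standing in for whatever main.cf parameter would carry it, and the function names are invented here. It goes slightly beyond the sketch by comparing addresses in binary form (so "2001:0db8::20" matches "2001:db8::20") and by treating an IPv4-mapped IPv6 local address on a dual-stack listener as its IPv4 equivalent.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical matchlist of backup MX addresses (constructed sample; not a
 * real postscreen parameter). */
static const char *const backup_mx_addrs[] = { "192.0.2.20", "2001:db8::20" };
static const size_t backup_mx_count = 2;

/* Parse one matchlist entry into binary form; returns the family or AF_UNSPEC. */
static int parse_addr(const char *text, unsigned char out[16], size_t *out_len)
{
    if (inet_pton(AF_INET, text, out) == 1)  { *out_len = 4;  return AF_INET; }
    if (inet_pton(AF_INET6, text, out) == 1) { *out_len = 16; return AF_INET6; }
    return AF_UNSPEC;
}

/* Returns true when the local endpoint (as filled in by getsockname()) is one
 * of the listed backup MX addresses. */
bool local_endpoint_is_backup_mx(const struct sockaddr *sa, socklen_t len,
                                 const char *const *list, size_t n)
{
    const unsigned char *have;
    size_t have_len;
    int fam;

    if (sa->sa_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
        have = (const unsigned char *)&((const struct sockaddr_in *)sa)->sin_addr;
        have_len = 4; fam = AF_INET;
    } else if (sa->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6)) {
        have = (const unsigned char *)&((const struct sockaddr_in6 *)sa)->sin6_addr;
        have_len = 16; fam = AF_INET6;
        /* ::ffff:a.b.c.d on a dual-stack listener: compare as IPv4. */
        static const unsigned char v4mapped_prefix[12] =
            { 0,0,0,0,0,0,0,0,0,0,0xff,0xff };
        if (memcmp(have, v4mapped_prefix, 12) == 0) { have += 12; have_len = 4; fam = AF_INET; }
    } else {
        return false;                   /* unknown family: cannot match */
    }

    for (size_t i = 0; i < n; i++) {
        unsigned char want[16];
        size_t want_len;
        if (parse_addr(list[i], want, &want_len) == fam &&
            memcmp(have, want, have_len) == 0)
            return true;
    }
    return false;
}

/* Text-form wrapper around the check (handy for tests and command-line use). */
bool local_text_is_backup_mx(const char *local_addr, const char *const *list, size_t n)
{
    struct sockaddr_storage ss;
    struct sockaddr_in  *s4 = (struct sockaddr_in *)&ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
    memset(&ss, 0, sizeof ss);
    if (inet_pton(AF_INET, local_addr, &s4->sin_addr) == 1) {
        s4->sin_family = AF_INET;
        return local_endpoint_is_backup_mx((struct sockaddr *)&ss, sizeof *s4, list, n);
    }
    if (inet_pton(AF_INET6, local_addr, &s6->sin6_addr) == 1) {
        s6->sin6_family = AF_INET6;
        return local_endpoint_is_backup_mx((struct sockaddr *)&ss, sizeof *s6, list, n);
    }
    return false;
}

/* The flag from the mail: 1 = force whitelist failure (backup MX address),
 * 0 = normal whitelisting allowed, -1 = getsockname() failed. */
int force_whitelist_failure(int fd, const char *const *list, size_t n)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    if (getsockname(fd, (struct sockaddr *)&ss, &len) < 0)
        return -1;
    return local_endpoint_is_backup_mx((struct sockaddr *)&ss, len, list, n) ? 1 : 0;
}

/* Demo: bind a socket on 127.0.0.1 and run the check against its local end.
 * In a real server the fd would be the accepted client connection. */
int demo_loopback_check(const char *const *list, size_t n)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sin;
    int r = -1;
    if (fd < 0) return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = 0;                   /* any free port */
    inet_pton(AF_INET, "127.0.0.1", &sin.sin_addr);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) == 0)
        r = force_whitelist_failure(fd, list, n);
    close(fd);
    return r;
}

int main(void)
{
    static const char *const lo[] = { "127.0.0.1" };
    printf("local 192.0.2.20 is backup MX: %d\n",
           local_text_is_backup_mx("192.0.2.20", backup_mx_addrs, backup_mx_count));
    printf("loopback socket vs {127.0.0.1}: %d\n", demo_loopback_check(lo, 1));
    return 0;
}
```

The check should run once per accepted connection, before the dynamic whitelist is consulted, and the resulting flag should also suppress writing a new whitelist entry for that client; otherwise a bot that only ever talks to the backup MX could still be whitelisted by the cache for its next visit to the primary.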