On Wed, Mar 16, 2011 at 11:46:47PM -0500, Noel Jones wrote:

>> if I configure postscreen to use DNSBL, may I remove the lines
>> for DNSBL checking on main.cf for postfix? I understand
>> enabling that on both postscreen and postfix is doing the same thing
>> twice... Am I wrong?
>
> DNSBL checks can be removed from postfix main.cf if you do the same checks
> in postscreen. No need to do the same checks twice. RHSBL (domain name)
> checks will still need to be done in main.cf.
I would caution against removing DNSBL lookups in smtpd(8).

- postscreen whitelists hosts for some time, the DNSBL can change in the meantime.

- For newly admitted hosts, the main cost of the lookup is bringing the data into the local DNS cache. A second lookup in smtpd(8) shortly after the initial lookup in postscreen is very efficient.

Not all the hosts listed in Zen are botnet zombies, some of them are snow-shoe spam networks, which are likely to have been sending mail for some time before they are listed.

If, however, the postscreen whitelist TTL is not "too long", on the plus side, one avoids the RBL lookup latency when the RBL is remote, and the impact on RBL accuracy may be low. So for large sites with local mirrors of RBL zones, there is no advantage to skipping the lookups, but smaller sites *may* find that postscreen RBL lookups are enough, but some metrics may be useful to determine the impact of doing the lookups only on first contact, and then intermittently.

-- 
	Viktor.
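One way to gather the metrics Viktor mentions, as an added example that is not part of the thread: a script that correlates postscreen's "PASS OLD/NEW" lines with later smtpd reject_rbl_client rejections for the same client IP, so you can count how often smtpd's own DNSBL lookup still caught a host that postscreen had already whitelisted. The log lines are constructed samples in Postfix 2.8 syslog format; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original thread). They follow the
# postscreen(8) "PASS OLD/NEW" and smtpd(8) reject_rbl_client / reject_rhsbl_sender
# formats of Postfix 2.8; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 17 09:00:01 mx postfix/postscreen[1001]: PASS NEW [192.0.2.10]:41234
Mar 17 09:00:02 mx postfix/postscreen[1001]: PASS NEW [192.0.2.20]:52345
Mar 17 09:00:03 mx postfix/postscreen[1001]: DNSBL rank 3 for [192.0.2.30]:3456
Mar 17 11:00:05 mx postfix/postscreen[1001]: PASS OLD [192.0.2.10]:41999
Mar 17 11:00:06 mx postfix/smtpd[2002]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<mail.example.net>
Mar 17 11:00:07 mx postfix/postscreen[1001]: PASS OLD [192.0.2.20]:52999
Mar 17 11:00:08 mx postfix/smtpd[2002]: NOQUEUE: reject: RCPT from unknown[192.0.2.20]: 554 5.7.1 Service unavailable; Sender address [x@spam.example] blocked using dbl.spamhaus.org; from=<x@spam.example> to=<b@example.org> proto=ESMTP helo=<spam.example>
"""

PASS_RE = re.compile(r'postfix/postscreen\[\d+\]: PASS (OLD|NEW) \[([^\]]+)\]:\d+')
# Only "Client host ... blocked using" (reject_rbl_client) counts: RHSBL
# rejections on sender/helo domains are smtpd-only anyway, as Noel noted.
RBL_RE = re.compile(r'postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[([^\]]+)\]: '
                    r'.*Client host \[[^\]]+\] blocked using (\S+);')

def late_dnsbl_hits(log_text):
    """Per-IP counts of smtpd DNSBL rejections for clients postscreen had
    admitted, keyed by postscreen's last verdict for that client: OLD means
    the host was whitelisted (no fresh postscreen DNSBL lookup), NEW means
    it had just been looked up."""
    state = {}  # ip -> "OLD" or "NEW" from the most recent PASS line
    hits = defaultdict(lambda: {"OLD": 0, "NEW": 0})
    for line in log_text.splitlines():
        m = PASS_RE.search(line)
        if m:
            state[m.group(2)] = m.group(1)
            continue
        m = RBL_RE.search(line)
        if m and m.group(1) in state:
            hits[m.group(1)][state[m.group(1)]] += 1
    return dict(hits)

def summarize(log_text):
    """Headline numbers: distinct hosts postscreen admitted, and how many
    reject_rbl_client hits occurred while the host was on the whitelist."""
    hits = late_dnsbl_hits(log_text)
    admitted = len({m.group(2) for m in PASS_RE.finditer(log_text)})
    while_whitelisted = sum(h["OLD"] for h in hits.values())
    return {"admitted_hosts": admitted,
            "rejected_while_whitelisted": while_whitelisted,
            "hosts": hits}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-zero `rejected_while_whitelisted` over a real log is the cost of dropping reject_rbl_client from smtpd; compare it against the DNSBL latency saved to decide for your site.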