/dev/rob0:
> Jun 5 01:50:46 cardinal postfix/postscreen[15628]: CONNECT from
> [174.37.3.121]:33695 to [216.23.247.74]:25
> Jun 5 01:50:52 cardinal postfix/postscreen[15628]: PASS OLD
> [174.37.3.121]:33695
> Jun 5 01:50:52 cardinal postfix/smtpd[15816]: connect from
> 174.37.3.121-static.reverse.softlayer.com[174.37.3.121]

Host connects 01:50:46, postscreen logs "PASS OLD" at 01:50:52 and
hands off the connection to smtpd. The six-second pause suggests
that postscreen_greet_ttl (1d) expired (according to "postconf -n"
your postscreen_mumble_ttl settings haven't changed).

> Jun 5 01:50:53 cardinal postfix/postscreen[15628]: CONNECT from
> [174.37.3.121]:52927 to [216.23.247.78]:25
> Jun 5 01:50:53 cardinal postfix/postscreen[15628]: WHITELIST VETO
> [174.37.3.121]:52927
> It was whitelisted 7 seconds ago. Could that have expired?

What 7 seconds? The "PASS OLD" action was logged 01:50:52. The new
connection is made 01:50:53.

Each postscreen test has its own TTL. Different tests have different
costs (for sender and receiver), and therefore different tests
expire at different times.

You have the following time-dependent tests enabled:

    postscreen_bare_newline_action = enforce
    postscreen_dnsbl_action = enforce
    postscreen_greet_action = enforce

Their expiration times are:

    postscreen_bare_newline_ttl = 30d
    postscreen_dnsbl_ttl = 1h
    postscreen_greet_ttl = 1d

Clearly, they don't expire at the same time.

The Postfix verify(8) daemon avoids client-visible delays by sending
a new probe before a result expires (it has separate _refresh and
_expire timing parameters). That trick does not work with postscreen.

postscreen does not have separate _refresh and _expire settings
because many postscreen tests are client-visible. For example,
postscreen_greet is visible (6 seconds delay), postscreen_dnsbl
almost invisible (less than 1 second, usually) and
postscreen_bare_newline means the client gets 4XX replies if it
passes the test. So, in the majority of tests it is not possible
to refresh a test without client-visible delays.

When a test has expired, postscreen could refresh all unexpired
tests that will expire soon. For example, all tests that will expire
within one TTL of the expired test, or all tests that will expire
within one hour. This will not necessarily reduce the amount of
client-visible delays, but it will reduce the WHITELIST VETO logs.

	Wietse
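
An added sketch, not part of the original message and not postscreen's own code: a simplified model of the per-test expiry described above and of the proposed policy of also refreshing tests that will expire soon. The function names, the connection times, and the assumption that every due test is re-run on the connection that finds it are constructed for illustration; only the three TTL values come from the message.

```python
from datetime import datetime, timedelta

# TTLs quoted in the message above (postscreen_*_ttl).
TTL = {
    "bare_newline": timedelta(days=30),
    "dnsbl": timedelta(hours=1),
    "greet": timedelta(days=1),
}

def expired(expiry, now):
    """Tests whose cached result is no longer valid at `now`."""
    return sorted(t for t, when in expiry.items() if when <= now)

def refresh(expiry, now, window=None):
    """Re-run every expired test. With `window`, also re-run unexpired tests
    that would expire within `window` of `now` (the proposal in the message).
    Returns the names of the tests that were re-run."""
    due = [t for t, when in expiry.items()
           if when <= now or (window is not None and when - now <= window)]
    for t in due:
        expiry[t] = now + TTL[t]
    return sorted(due)

def simulate(connect_times, window=None):
    """Return one list of expired tests per connection that found any.
    Assumption of this model: the first connection passes all tests and
    every due test is re-run on the connection that finds it."""
    expiry = {t: connect_times[0] + TTL[t] for t in TTL}
    findings = []
    for now in connect_times[1:]:
        stale = expired(expiry, now)
        if stale:
            findings.append(stale)
            refresh(expiry, now, window)
    return findings

# Constructed connection times for one client (not taken from the logs above).
T0 = datetime(2000, 1, 1)
TIMES = [T0,
         T0 + timedelta(hours=23, minutes=30),   # dnsbl result is stale here
         T0 + timedelta(hours=24, minutes=10)]   # greet result is stale here

if __name__ == "__main__":
    print("per-test expiry only:", simulate(TIMES))
    print("refresh within 1h:   ", simulate(TIMES, timedelta(hours=1)))
```

With these constructed times, per-test expiry alone leaves two connections that each find a different stale test, while the one-hour window folds the greet refresh into the connection that already had to redo the dnsbl test.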