----- Original Message -----
>From: Wietse Venema
>To: Postfix users <postfix-users@postfix.org>
>Sent: Tuesday, July 5, 2011 5:38 PM
>Subject: Re: unverified_recipient_tempfail_action = permit
>
>>Reindl Harald:
>> On 05.07.2011 16:55, Wietse Venema wrote:
>> > If no such problem exists, then we know that cache expiration
>> > has nothing to do with the issue and we can move on.
>> >
>> > When the address verify cache works properly, it should become
>> > populated over time (by spammers, by legitimate sites that have
>> > very short SMTP timeouts, or by legitimate sites that try to deliver
>> > to the backup after the primary replies with a 4xx response).
>> >
>> > There is no need to turn Postfix into a backscatter source by
>> > accepting all mail when the primary is down. Just set the cache
>> > expiration time to 100 days or so. Meanwhile I'll see if it is safe
>> > to purge a recipient from the cache when the primary says that it
>> > no longer exists. Maybe Postfix needs to wait for two negative
>> > responses.
>>
>> sorry - but how should this work?
>>
>> suggesting the primary is 99.9% of the time up there comes
>> nothing to the backup-mx and if it comes there it is too late
>
>According to my postscreen stats, some 14% of spambots connects
>only to my secondary MX address (I have one postscreen process
>listen on both primary and secondary IP addresses for testing).
>
>For examples of legitimate backup MX connections while the primary
>is up, see the second paragraph in the quoted text above. That is
>not the complete list of examples that I can come up with. When
>primary and backup are in physically different networks, there can
>be outages or congestion that make only the primary MX unreachable.
>
> Wietse

I will run the tests and get the output for you later tonight but my suspicion is that there was likely nothing wrong with the address cache, just that a lot of addresses had never been probed by the secondary mx as the primary mx is up virtually 99.9% of the time.

We have some domains that are very unlikely to be known by spammers (they are in the .aero tld) and, due to a lot of European staff and the policy of first_letter_of_first_name.lastn...@domain.aero, most email addresses are not easily guessable by a spammer performing a dictionary attack.

In any case, surely it would be more elegant/nicer to give the sysadmin a choice of failure mode for when the primary temporarily stops responding to verification probes. After all, there is nothing stopping (AFAIK) a user from configuring Postfix such that it is forced to accept everyth...@domain.com (i.e. disabling address verification altogether). If you are worried about backscatter, that is already a potential problem anyway.
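
The cache-expiration suggestion quoted above, written out as a `main.cf` fragment for a backup MX. This is an added example, not configuration posted by anyone in the thread; `example.com` is a placeholder relay domain, and every value other than the 100-day expiry is the documented Postfix default, shown only to make the behaviour explicit.

```conf
# Backup MX for a placeholder domain (assumption: example.com).
relay_domains = example.com

# Probe the next hop before accepting mail for a relay recipient.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_recipient

# Persistent cache, so verified recipients survive a Postfix restart.
address_verify_map = btree:$data_directory/verify_cache

# Keep a known-good recipient for 100 days instead of the default 31d,
# so addresses seen while the primary was up are still accepted
# during a long primary outage.
address_verify_positive_expire_time = 100d

# Re-probe a known-good address after 7 days (default). A failed
# refresh probe does not overwrite the cached positive result.
address_verify_positive_refresh_time = 7d

# Negative results expire quickly (defaults), so a newly created
# mailbox is not rejected for long.
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h

# Probe could not complete (primary unreachable) and the address is
# not cached: answer 4xx so the sender retries later, rather than
# accepting mail that may have to be bounced (backscatter).
# This is the default, inherited from $reject_tempfail_action.
unverified_recipient_tempfail_action = defer_if_permit
```

With these settings, an address that was never probed before the primary went down is still deferred, which is the cold-cache case the reply above describes.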