On Tue, Aug 09, 2011 at 03:54:55PM -0500, Noel Jones wrote:
> On 8/9/2011 2:41 PM, Wietse Venema wrote:
> [snip discussion of minimizing deep protocol test delays]
>
> What do you think about an option to skip the "after 220"
> tests based on dnswl results?
>
> If an IP is listed on a dnswl, it's quite likely a real mail
> server and would pass all the disruptive tests eventually.

I've seen one particular ESP which is on DNSWL failing after-220
tests. Funny thing, it looks like they fixed it today.

Aug 7 05:22:27 harrier postfix/postscreen[8311]: CONNECT from [207.45.161.31]:52622 to [207.223.116.211]:25
Aug 7 05:22:27 harrier postfix/dnsblog[8313]: addr 207.45.161.31 listed by domain list.dnswl.org as 127.0.15.0
Aug 7 05:22:28 harrier postfix/postscreen[8311]: PREGREET 26 after 1.1 from [207.45.161.31]:52622: HELO mailer2.ixsmail.com\r\n
Aug 7 05:22:28 harrier postfix/postscreen[8311]: NOQUEUE: reject: RCPT from [207.45.161.31]:52622: 550 5.5.1 Protocol error; from=<[email protected]>, to=<rcpt@harvested>, proto=SMTP, helo=<mailer2.ixsmail.com>
Aug 7 05:22:28 harrier postfix/postscreen[8311]: HANGUP after 0.09 from [207.45.161.31]:52622 in tests after SMTP handshake
Aug 7 05:22:28 harrier postfix/postscreen[8311]: DISCONNECT [207.45.161.31]:52622

I'm quite sure this one was spam, because that recipient is in my
spamtrap list. And the performance is quite spammy, because I have
given them 550 5.5.1 rejections since May!

# cat >> /etc/postfix/postscreen_access.cidr
# 2011-08-09 eWayDirect whitelisted, but hitting spamtraps
# was having PREGREET protocol errors before today
207.45.161.0/24 reject
^D

> I suppose we could overload the postscreen_dnsbl_threshold
> parameter for this, something like
> postscreen_dnsbl_threshold = reject-boundary;pass-boundary
> where reject-boundary is required (default 1), pass-boundary
> is optional/no default/unset.
> example = 1;-1

So with a negative score from dnsblog, it would bypass after-220
tests? What if, like eWayDirect above, it is a pregreeter? If a
certain test is already failed, I see no benefit in allowing a
client to proceed (whitelist it if you want it.)

Otherwise I think it's a good idea. I'd set my pass-boundary at -2.
I'm only giving those dnswl.org .0's a -1 score.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
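The following is an added example, not code from the post or from Postfix itself. It correlates postscreen and dnsblog log lines into per-session records, computes the weighted DNSBL score the way postscreen_dnsbl_sites weights are summed, and models the proposed "reject-boundary;pass-boundary" threshold with the objection raised above applied: a client that has already failed the PREGREET test is rejected whatever its DNSWL score. It also lists DNSWL-listed clients that still fail after-220 tests, the eWayDirect pattern, as candidate lines for postscreen_access.cidr. The log sample is constructed (the first session copies the excerpt above, the 192.0.2.10 session is an invented well-behaved client), the site weights and the bl.example.net name are assumptions, and per-reply filtering (the `=127.0.[0..255].0` form of postscreen_dnsbl_sites) is deliberately omitted.

```python
import re
from collections import OrderedDict

# Constructed sample: first session follows the log excerpt in the post,
# the 192.0.2.10 (TEST-NET-1) session is an invented client that behaves.
SAMPLE_LOG = """\
Aug  7 05:22:27 harrier postfix/postscreen[8311]: CONNECT from [207.45.161.31]:52622 to [207.223.116.211]:25
Aug  7 05:22:27 harrier postfix/dnsblog[8313]: addr 207.45.161.31 listed by domain list.dnswl.org as 127.0.15.0
Aug  7 05:22:28 harrier postfix/postscreen[8311]: PREGREET 26 after 1.1 from [207.45.161.31]:52622: HELO mailer2.ixsmail.com\\r\\n
Aug  7 05:22:28 harrier postfix/postscreen[8311]: HANGUP after 0.09 from [207.45.161.31]:52622 in tests after SMTP handshake
Aug  7 05:22:28 harrier postfix/postscreen[8311]: DISCONNECT [207.45.161.31]:52622
Aug  7 05:30:00 harrier postfix/postscreen[8311]: CONNECT from [192.0.2.10]:4000 to [207.223.116.211]:25
Aug  7 05:30:00 harrier postfix/dnsblog[8313]: addr 192.0.2.10 listed by domain list.dnswl.org as 127.0.3.1
Aug  7 05:30:01 harrier postfix/postscreen[8311]: PASS NEW [192.0.2.10]:4000
Aug  7 05:30:01 harrier postfix/postscreen[8311]: DISCONNECT [192.0.2.10]:4000
"""

# Assumed per-site weights, in the spirit of "site*weight" in
# postscreen_dnsbl_sites. dnswl.org at -1 mirrors the post;
# bl.example.net is a constructed placeholder for a blocklist.
SITE_WEIGHTS = {"list.dnswl.org": -1, "bl.example.net": 2}

CONNECT_RE = re.compile(r"postscreen\[\d+\]: CONNECT from \[([^\]]+)\]:(\d+)")
DNSBLOG_RE = re.compile(r"dnsblog\[\d+\]: addr (\S+) listed by domain (\S+) as (\S+)")
PREGREET_RE = re.compile(r"postscreen\[\d+\]: PREGREET \d+ after [\d.]+ from \[([^\]]+)\]:(\d+)")
HANGUP_RE = re.compile(r"postscreen\[\d+\]: HANGUP after [\d.]+ from \[([^\]]+)\]:(\d+) in tests after SMTP handshake")
PASS_RE = re.compile(r"postscreen\[\d+\]: PASS (?:NEW|OLD) \[([^\]]+)\]:(\d+)")


def parse_sessions(log_text):
    """Group postscreen/dnsblog lines into one record per (ip, port) session."""
    sessions = OrderedDict()
    open_by_addr = {}  # dnsblog lines carry only the address, not the port
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            sessions[key] = {"ip": key[0], "port": key[1], "listed": {},
                             "pregreet": False, "hangup_after_220": False,
                             "passed": False}
            open_by_addr[key[0]] = key
            continue
        m = DNSBLOG_RE.search(line)
        if m and m.group(1) in open_by_addr:
            # Attach the listing to the most recent session from that address.
            sessions[open_by_addr[m.group(1)]]["listed"][m.group(2)] = m.group(3)
            continue
        for regex, flag in ((PREGREET_RE, "pregreet"),
                            (HANGUP_RE, "hangup_after_220"),
                            (PASS_RE, "passed")):
            m = regex.search(line)
            if m:
                key = (m.group(1), int(m.group(2)))
                if key in sessions:
                    sessions[key][flag] = True
                break
    return sessions


def dnsbl_score(session, weights=SITE_WEIGHTS):
    """Sum of the weights of every site that listed the client."""
    return sum(weights.get(site, 0) for site in session["listed"])


def decide(session, reject_boundary=1, pass_boundary=None, weights=SITE_WEIGHTS):
    """Model 'postscreen_dnsbl_threshold = reject-boundary;pass-boundary'.
    A client that already failed PREGREET is rejected regardless of score,
    which is the objection the post raises to skipping after-220 tests."""
    if session["pregreet"]:
        return "reject"
    score = dnsbl_score(session, weights)
    if score >= reject_boundary:
        return "reject"
    if pass_boundary is not None and score <= pass_boundary:
        return "skip-deep-tests"
    return "deep-tests"


def access_cidr_candidates(sessions, weights=SITE_WEIGHTS):
    """Clients with a negative (whitelist) score that still PREGREET or hang
    up after 220. Returned as lines for review before they are appended to
    postscreen_access.cidr, as the post does for eWayDirect."""
    out = []
    for s in sessions.values():
        if dnsbl_score(s, weights) < 0 and (s["pregreet"] or s["hangup_after_220"]):
            sites = ",".join(sorted(s["listed"]))
            out.append(f"{s['ip']}/32 reject  # listed by {sites} but failed after-220 tests")
    return out


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for key, s in sessions.items():
        print(key, "score", dnsbl_score(s),
              "pass=-1:", decide(s, pass_boundary=-1),
              "pass=-2:", decide(s, pass_boundary=-2))
    print("\n".join(access_cidr_candidates(sessions)))
```

Running it shows the two settings discussed: with pass-boundary -1 the well-behaved dnswl.org-listed client skips the deep tests, with -2 (the post's preference, given a -1 weight for dnswl.org) it still takes them, and the pregreeting client is rejected either way.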
