On 8/9/2011 4:49 PM, /dev/rob0 wrote:
> On Tue, Aug 09, 2011 at 03:54:55PM -0500, Noel Jones wrote:
>> I suppose we could overload the postscreen_dnsbl_threshold
>> parameter for this, something like
>> postscreen_dnsbl_threshold = reject-boundary;pass-boundary
>> where reject-boundary is required (default 1), pass-boundary
>> is optional/no default/unset.
>> example = 1;-1
>
> So with a negative score from dnsblog, it would bypass after-220
> tests? What if, like eWayDirect above, it is a pregreeter? If a
> certain test is already failed, I see no benefit in allowing a client
> to proceed (whitelist it if you want it.)

I would think only skip after-220 tests, no other tests would be
affected.

>
> Otherwise I think it's a good idea. I'd set my pass-boundary at -2.
> I'm only giving those dnswl.org .0's a -1 score.

I think -1 is the sane choice. This is not a free pass, just "skip
the invasive after-220 tests". The point is to test if it's likely a
real MTA, since any non-borked MTA will pass the after-220 tests.
We're not making a declaration that it's not spam. But it's
configurable so you can make your own decision.

An alternative user interface would be a new parameter that lists
dnswl's only; any hit would skip after-220 tests. This would prevent
hosts that are on both black and white lists from inadvertently being
accepted. But I can't think of a good name for such a parameter.

This would actually be a cleaner interface since it doesn't mix white
and black actions, but I can't think of a non-confusing way to
document it.

-- Noel Jones
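
The two-boundary threshold discussed in this message, modelled as an added example (not part of the original post and not Postfix code). The function names, the zone names and weights, and the inclusive pass-boundary comparison are assumptions made for illustration.

```python
# Model of the "reject-boundary;pass-boundary" proposal from this thread.
# Hypothetical helper names; zone names and weights below are constructed.

def parse_threshold(value):
    """Parse 'reject-boundary[;pass-boundary]'; pass-boundary is optional."""
    reject_part, _, pass_part = value.partition(";")
    reject_boundary = int(reject_part)
    pass_boundary = int(pass_part) if pass_part.strip() else None  # unset
    if pass_boundary is not None and pass_boundary >= reject_boundary:
        raise ValueError("pass-boundary must be below reject-boundary")
    return reject_boundary, pass_boundary

def decide(hits, weights, threshold, pregreet_failed=False):
    """Return the outcome for one client given its DNS list hits."""
    reject_boundary, pass_boundary = parse_threshold(threshold)
    score = sum(weights[zone] for zone in hits)
    # Only after-220 tests are skipped; a failed before-220 test such as
    # pregreet is still handled by its own action, whatever the score.
    if pregreet_failed:
        return "pregreet-failure"
    if score >= reject_boundary:
        return "reject"
    # Assumption: the pass-boundary is inclusive, like the reject-boundary.
    if pass_boundary is not None and score <= pass_boundary:
        return "skip-after-220"
    return "run-after-220"

# Constructed sample weights: one blacklist zone, one whitelist zone.
WEIGHTS = {"bl.example": 2, "wl.example": -1}

if __name__ == "__main__":
    cases = [
        ("whitelisted only", ["wl.example"], False),
        ("on both lists", ["bl.example", "wl.example"], False),
        ("whitelisted pregreeter", ["wl.example"], True),
        ("no hits", [], False),
    ]
    for label, hits, pregreet in cases:
        print(label, "->", decide(hits, WEIGHTS, "1;-1", pregreet))
```

With these constructed weights a host on both lists nets a score of 1 and is still rejected, but a lower blacklist weight would let the whitelist hit cancel it, which is the mixing of white and black actions the message raises.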