On Saturday 19 November 2011 23:30:21 Alex wrote:
> I have two postfix-v2.8.5 hosts for one domain and have configured
> postscreen on both of them using 'ignore' for all options while I
> experiment. I have a few questions that I hoped someone could help
> me to answer:
>
> - Do I still need the reject_rbl_client commands in
> smtpd_recipient_restrictions?
They don't hurt at all, and might help. If, for example, while under
high load, the query from dnsblog(8) times out -- by the time it gets
to smtpd_recipient_restrictions, the result might be available.
If they were okay before postscreen, keep them.
> - Is PREGREET always a sign of a zombie connection or misconfigured
> client, or is it possible for properly configured clients to also
> speak before their turn?
It's safe. The only drawback is the pain of delaying mail.
> - Is something like this pregreet enough to reject the client and
> blacklist them?
> Nov 19 23:45:06 mail02 postfix/postscreen[12487]: PREGREET 16
> after 0.36 from [113.177.86.240]:1974: HELO localhost\r\n
Pregreet traffic and "HELO localhost" are each very strong spam signs.
In fact I believe that CBL (which is part of Zen) lists "HELO
localhost" clients.
> - I don't fully understand the "MX Policy test" section of the
> HOWTO. How do I configure postscreen to listen on both the primary
> and backup MX addresses? Is this referring to create a virtual
> interface for the backup MX on the actual primary server? So there
> would be two IPs for the backup MX host?
You bind another IP address on the interface of the default route.
This is not a "virtual interface", this is merely another IP address
bound on the same host. "dig slackbuilds.org. mx", this is mine. .211
is the primary, .214 secondary. .214 is excepted from
postscreen_whitelist_interfaces. See
postconf.5.html#postscreen_whitelist_interfaces for syntax.
Offer void where taxed or prohibited, or behind some weird NAT router,
or if not using Postfix 2.9.
> - Is this the sign of a problem or does this error occur normally?
> Nov 19 23:46:08 mail02 postfix/master[5814]: warning: process
> /usr/libexec/postfix/postscreen pid 12487 exit status 1
That is a problem, and you need to see what postscreen itself said
upon exit. This is why separate logfiles by priority is often
confusing. You need to see mail.* logging for this event.
> - I believe something I did during testing was rejecting valid
> mail. I enabled pipelining and bare_newline, but both were only
> ever set to 'ignore':
>
> postscreen_pipelining_enable = yes
> postscreen_pipelining_action = ignore
> postscreen_bare_newline_enable = yes
> postscreen_bare_newline_action = ignore
>
> Could one of these options have caused this error below? If not,
> any idea how this could have happened? Will clients resend, or
> have I lost mail here and the sender notified?
>
> Nov 20 00:02:55 mail02 postfix/postscreen[20334]: NOQUEUE: reject:
> RCPT from [93.74.115.187]:64752: 450 4.3.2 Service currently
> unavailable; from=<n1e...@yahoo.com>,
> to=<mkchantal.k...@example.com>, proto=SMTP,
> helo=<server.auff.dns.yahoo.com>
This is normal and expected. Reread POSTSCREEN_README.html#after_220
namely, the "Important note" and following text.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
