* Chris Horry <zer...@wibble.co.uk>:
> Since enabling tlsproxy+postscreen I'm seeing greylisting on TLS
> connections:
...
> I don't see anything about this in the postscreen documentation

"Tests after the 220 SMTP server greeting" says

    Important note: deep protocol tests are disabled by default. They are
    more intrusive than the pregreet and DNSBL tests, and they have
    limitations as discussed next.

    When a good client passes the deep protocol tests, postscreen(8) adds
    the client to the temporary whitelist but it cannot hand off the
    "live" connection to a Postfix SMTP server process in the middle of
    the session. Instead, postscreen(8) defers mail delivery attempts
    with a 4XX status, logs the helo/sender/recipient information, and
    waits for the client to disconnect.

    The next time the client connects it will be allowed to talk to a
    Postfix SMTP server process to deliver its mail. To minimize the
    impact of this limitation, postscreen(8) gives deep protocol tests a
    relatively long expiration time.

Those tests are:

* Command pipelining test
* Non-SMTP command test
* Bare newline test

You enabled:

> postscreen_bare_newline_enable = yes
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = bl.spamcop.net, zen.spamhaus.org, cbl.abuseat.org
> postscreen_greet_action = enforce
> postscreen_non_smtp_command_enable = yes

two of them. postscreen_bare_newline_enable and
postscreen_non_smtp_command_enable

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
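
Added example, not part of the original message or of Postfix itself: a small shell check that reads "name = value" lines (the format printed by `postconf -n`) and lists which of the three deep protocol tests are switched on, since those are the settings that cause the 4XX deferral described above. The function names are hypothetical, the sample input is constructed from the settings quoted in the message, and postscreen_pipelining_enable is assumed to be the parameter behind the command pipelining test.

```shell
# Report which postscreen deep protocol tests are enabled.
# Input on stdin: "name = value" lines, as printed by `postconf -n`.
deep_tests_enabled() {
    awk -F'=' '
        /^[[:space:]]*#/ { next }              # skip comment lines
        NF >= 2 {
            name = $1; value = $2
            gsub(/[[:space:]]/, "", name)
            gsub(/[[:space:]]/, "", value)
            if (name == "postscreen_pipelining_enable" ||
                name == "postscreen_non_smtp_command_enable" ||
                name == "postscreen_bare_newline_enable")
                state[name] = tolower(value)   # last setting wins
        }
        END {
            n = split("postscreen_pipelining_enable " \
                      "postscreen_non_smtp_command_enable " \
                      "postscreen_bare_newline_enable", order, " ")
            for (i = 1; i <= n; i++)
                if (state[order[i]] == "yes") print order[i]
        }'
}

# Constructed sample input: the settings quoted in the message above.
sample_config() {
    cat <<'EOF'
postscreen_bare_newline_enable = yes
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = bl.spamcop.net, zen.spamhaus.org, cbl.abuseat.org
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
EOF
}

# Turn the list into a short operator-facing report.
report() {
    enabled=$(deep_tests_enabled)
    if [ -n "$enabled" ]; then
        echo "Deep protocol tests enabled; a new client is deferred with 4XX once:"
        echo "$enabled" | sed 's/^/  /'
    else
        echo "No deep protocol tests enabled."
    fi
}

sample_config | report
```

On a live system the same check would be run as `postconf -n | report`.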