Hi list,

I recently configured postscreen on my low volume mailserver and was
pleased to find that it should be possible to avoid de-facto greylisting
when doing the deep protocol tests by using a backup MX IP on the same
host.

After enabling this setup I found that the first client to connect did
not get treated as I had expected. The client connected to the primary
MX and got deferred, immediately went to the secondary MX and also got
deferred. The log snippet below suggests that whitelisting from the
initial connection completed after the connection to the secondary MX
and was therefore too late to be effective.

Nov 13 10:01:35 mica postfix/postscreen[15110]: CONNECT from [85.115.54.190]:48691 to [95.172.3.114]:25
Nov 13 10:01:41 mica postfix/tlsproxy[15121]: CONNECT from [85.115.54.190]:48691
Nov 13 10:01:41 mica postfix/tlsproxy[15121]: Anonymous TLS connection established from [85.115.54.190]:48691: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov 13 10:01:41 mica postfix/postscreen[15110]: NOQUEUE: reject: RCPT from [85.115.54.190]:48691: 450 4.3.2 Service currently unavailable; from=<sender...@example.com>, to=<recipient...@example.co.uk>, proto=ESMTP, helo=<cluster-j.mailcontrol.com>
Nov 13 10:01:41 mica postfix/postscreen[15110]: CONNECT from [85.115.54.190]:44580 to [95.172.3.115]:25
Nov 13 10:01:41 mica postfix/postscreen[15110]: WHITELIST VETO [85.115.54.190]:44580
Nov 13 10:01:47 mica postfix/tlsproxy[15121]: CONNECT from [85.115.54.190]:44580
Nov 13 10:01:47 mica postfix/tlsproxy[15121]: Anonymous TLS connection established from [85.115.54.190]:44580: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov 13 10:01:47 mica postfix/postscreen[15110]: NOQUEUE: reject: RCPT from [85.115.54.190]:44580: 450 4.3.2 Service currently unavailable; from=<sender...@example.com>, to=<recipient...@example.co.uk>, proto=ESMTP, helo=<cluster-j.mailcontrol.com>
Nov 13 10:01:47 mica postfix/postscreen[15110]: DISCONNECT [85.115.54.190]:44580
Nov 13 10:01:47 mica postfix/tlsproxy[15121]: DISCONNECT [85.115.54.190]:44580
Nov 13 10:01:47 mica postfix/postscreen[15110]: PASS NEW [85.115.54.190]:48691
Nov 13 10:01:47 mica postfix/postscreen[15110]: DISCONNECT [85.115.54.190]:48691
Nov 13 10:01:47 mica postfix/tlsproxy[15121]: DISCONNECT [85.115.54.190]:48691

Have I correctly understood the chain of events here and if so what is
the likely cause? I am running this on Ubuntu 12.04 using the latest
Postfix version in the standard repos (2.9.3-2). The non-default
postscreen settings I have used are:

# postconf -n | grep 'postscreen_.*'
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_enable = yes
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 dnsbl.njabl.org*2 bl.spameatingmonkey.net*2 dnsbl.ahbl.org bl.spamcop.net dnsbl.sorbs.net spamtrap.trblspam.com swl.spamhaus.org*-5 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-4 list.dnswl.org=127.[0..255].[0..255].[2..255]*-6
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
postscreen_whitelist_interfaces = !95.172.3.115 static:all

Regards,
Mike
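
The event ordering asked about above can be checked mechanically. The following is an added example, not part of the original post and not Postfix code: it pairs each WHITELIST VETO with a PASS NEW that postscreen logged later for a session from the same client IP that was already open at the time of the veto. The function name and the `year` parameter are assumptions of this example.

```python
import re
from datetime import datetime

# postscreen lines from the log in the post, unwrapped; the tlsproxy and
# "NOQUEUE: reject" lines are left out because the check does not need them.
LOG = """\
Nov 13 10:01:35 mica postfix/postscreen[15110]: CONNECT from [85.115.54.190]:48691 to [95.172.3.114]:25
Nov 13 10:01:41 mica postfix/postscreen[15110]: CONNECT from [85.115.54.190]:44580 to [95.172.3.115]:25
Nov 13 10:01:41 mica postfix/postscreen[15110]: WHITELIST VETO [85.115.54.190]:44580
Nov 13 10:01:47 mica postfix/postscreen[15110]: DISCONNECT [85.115.54.190]:44580
Nov 13 10:01:47 mica postfix/postscreen[15110]: PASS NEW [85.115.54.190]:48691
Nov 13 10:01:47 mica postfix/postscreen[15110]: DISCONNECT [85.115.54.190]:48691
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ postfix/postscreen\[\d+\]: "
    r"(?P<event>CONNECT from|WHITELIST VETO|PASS NEW|DISCONNECT) "
    r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+)(?: to \[(?P<dst>[^\]]+)\]:\d+)?")

def late_whitelisting(log_text, year=2000):
    """Find WHITELIST VETO events that occurred while an earlier session from
    the same client IP was still under test and only later logged PASS NEW.
    syslog omits the year; `year` is an arbitrary value used only for parsing."""
    sessions = {}   # (ip, port) -> (connect time, local address connected to)
    vetoes = {}     # ip -> [(veto time, local address of the vetoed session)]
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["port"])
        if m["event"] == "CONNECT from":
            sessions[key] = (when, m["dst"])
        elif m["event"] == "WHITELIST VETO" and key in sessions:
            vetoes.setdefault(m["ip"], []).append((when, sessions[key][1]))
        elif m["event"] == "PASS NEW" and key in sessions:
            started, tested_on = sessions[key]
            for vetoed_at, vetoed_on in vetoes.pop(m["ip"], []):
                if vetoed_at >= started:   # the passing session was already open
                    late = (when - vetoed_at).total_seconds()
                    findings.append((m["ip"], tested_on, vetoed_on, late))
        elif m["event"] == "DISCONNECT":
            sessions.pop(key, None)
    return findings

if __name__ == "__main__":
    for ip, tested_on, vetoed_on, late in late_whitelisting(LOG):
        print(f"{ip}: tests ran on {tested_on}, veto on {vetoed_on}, "
              f"PASS NEW logged {late:.0f}s after the veto")
```
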