I finally got around to my upgrade to 2.11-20130405 and was watching
logs. A gmail message fell afoul of the after-220 tests; each time it
came from a different host. Each one got a "PASS NEW" and of course
the "450 4.3.2 Service currently unavailable" rejection.

These gmail outbounds are all listed in list.dnswl.org as 127.0.5.1,
and I give that a negative score in my postscreen_dnsbl_sites. So
with no offsetting DNSBL scores, these hosts all got a subzero score.
It would be nice if we could put those whitelist scores to work, and
not have to maintain so big of a postscreen_access_list whitelist.

This has been a common concern among the new postscreen users I have
talked to. Gmail in particular is troublesome with after-220 because
they never try the lower priority MX on the same host. The first
attempt was at 03:00 UTC tonight, the last one (of 8) was 05:45, just
a few minutes ago, and I still apparently haven't got all the gmail
outbounds whitelisted. :(

So here's my idea (I think the parameter names are lousy, but it's
the best I could come up with this late at night):

"""
postscreen_after_220_bypass_enable (default: no)
Allow a remote SMTP client with a score less than or equal to
postscreen_after_220_bypass_threshold based on its combined
DNSBL score as defined with the postscreen_dnsbl_sites
parameter, to bypass the after-220 tests, if enabled. Those
tests include postscreen_bare_newline_enable,
postscreen_non_smtp_command_enable, and
postscreen_pipelining_enable.
If enabled, this means that whitelisted hosts would get to
talk directly to a real Postfix SMTP server, if all other
pre-220 tests are passed. For examples, see the
POSTSCREEN_README.
This feature is available in Postfix 2.11.
postscreen_after_220_bypass_threshold (default: -1)
The inclusive upper bound for allowing a remote SMTP client,
based on its combined DNSBL score as defined with the
postscreen_dnsbl_sites parameter, to bypass the after-220
tests, if those tests are enabled and the
postscreen_after_220_bypass_enable parameter is "yes".
This feature is available in Postfix 2.11.
"""

For reference, my postscreen settings are online here:
http://rob0.nodns4.us/postscreen.html
(I'm planning to maintain that page as an example configuration.)

Some questions remain: will the whitelist result give these hosts an
entry in the after-220 databases? Or would the pre-220 DNSBL test be
done every time?

--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
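As an added illustration (my own model, not rob0's nor Postfix's code) of how the proposed postscreen_after_220_bypass_threshold would fit beside the existing postscreen_dnsbl_threshold: combined DNSBL scores are computed from a postscreen_dnsbl_sites-style list in the `domain[=reply]*weight` form, then the pre-220 verdict is chosen. The site list, weights and DNSBL answers below are constructed for the example; the list.dnswl.org reply 127.0.5.1 is the one from the post.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed postscreen_dnsbl_sites value; weights are assumptions for the
# example, not a recommended configuration.
DNSBL_SITES = "zen.spamhaus.org*3, list.dnswl.org=127.0.5.1*-2, bl.example.test*1"

# domain, optional "=reply" filter, optional "*weight" (default weight 1).
SITE_RE = re.compile(r"^([^=*]+)(?:=([\d.]+))?(?:\*(-?\d+))?$")

Site = Tuple[str, Optional[str], int]


def parse_dnsbl_sites(value: str) -> List[Site]:
    """Split a comma/space separated site list into (domain, reply, weight)."""
    sites: List[Site] = []
    for item in value.replace(",", " ").split():
        m = SITE_RE.match(item)
        if not m:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {item}")
        sites.append((m.group(1), m.group(2), int(m.group(3) or 1)))
    return sites


def combined_score(sites: List[Site], answers: Dict[str, Iterable[str]]) -> int:
    """Sum the weights of every site that lists the client.

    `answers` maps DNSBL domain -> A records returned for the client (constructed
    here instead of real DNS lookups). A site with a reply filter counts only
    when that exact reply is present; without a filter any listing counts.
    """
    score = 0
    for domain, reply, weight in sites:
        got = set(answers.get(domain, ()))
        listed = (reply in got) if reply else bool(got)
        if listed:
            score += weight
    return score


def postscreen_decision(score: int, bypass_enable: bool = False,
                        bypass_threshold: int = -1, dnsbl_threshold: int = 1) -> str:
    """Pre-220 verdict for an uncached client, with the proposed bypass knob."""
    if score >= dnsbl_threshold:
        return "reject"      # existing DNSBL rejection before the 220 banner
    if bypass_enable and score <= bypass_threshold:
        return "bypass"      # proposed: skip after-220 tests, hand off to smtpd
    return "after_220"       # otherwise the after-220 tests still apply
```

With the defaults from the proposal (`bypass_threshold=-1`), a client listed only in list.dnswl.org as 127.0.5.1 scores -2 and would be handed straight to smtpd instead of getting "PASS NEW" and the 450.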