On Fri, Apr 12, 2013 at 06:34:24AM -0400, Wietse Venema wrote:
> /dev/rob0:
> > I finally got around to my upgrade to 2.11-20130405 and was watching
> > logs. A gmail message fell afoul of the after-220 tests; each time it
> > came from a different host. Each one got a "PASS NEW" and of course
> > the "450 4.3.2 Service currently unavailable" rejection.
> >
> > These gmail outbounds are all listed in list.dnswl.org as 127.0.5.1,
> > and I give that a negative score in my postscreen_dnsbl_sites. So
> > with no offsetting DNSBL scores, these hosts all got a subzero score.
> > It would be nice if we could put those whitelist scores to work, and
> > not have to maintain so big of a postscreen_access_list whitelist.
>
> Disabling tests based on DNSWL score would make sense (currently
> they "disable" DNSBL tests only). Perhaps this needs a "disable"
> flag in the postscreen cache.

On second consideration, this can be done as follows:

- One parameter with the (negative) postscreen_dnsbl_sites score
that is needed to allow the client to skip tests.

- One parameter with the names of tests that are skipped (using
!name to exclude a name, and static:all to match everything).
This may include "greet" to cancel a "greet wait" in progress.

The procedure is: postscreen does a postscreen_dnsbl_sites query
for the client IP address. If the score satisfies the threshold in
the first parameter, then all tests with a name that matches the
second parameter will be skipped until the next postscreen_dnsbl_sites
query for that client IP address (i.e. after postscreen_dnsbl_ttl).

	Wietse