/dev/rob0:
> In the time since I've been running this, I saw the first thing that
> might be seen as a problem: dnsblog timing out on one of the DNSBL
> lookups:
>
> May 16 21:51:44 harrier postfix/postscreen[29502]: CONNECT from [208.66.205.36]:53814 to [207.223.116.211]:25
> May 16 21:51:44 harrier postfix/dnsblog[29507]: addr 208.66.205.36 listed by domain list.dnswl.org as 127.0.15.0
>
> This gives it a -2 so far, but when the greet pause is finished,
> postscreen proceeds anyway:

All postscreen versions work that way. When the DNSBL score is not
final before the pregreet test completes, the DNSBL test remains
undecided, and the test will be repeated the next time the client
connects.

Increasing the greet-wait to 10+ seconds could result in legitimate
clients hanging up, so I would not recommend that.

You can try to change the DNS resolver timeout/retry behavior:

/etc/resolv.conf:
    # Typical default settings shown here. See resolver(5).
    options timeout:5 attempts:2 ...

However, this changes all DNS lookups of every program on the
system, and that may be undesirable.

You can instead specify these settings for Postfix only by setting
the RES_OPTIONS environment variable.

/etc/postfix/main.cf:
    import_environment = ... RES_OPTIONS=timeout:3 ...

Unfortunately main.cf does not support RES_OPTIONS values that
contain spaces (there is no support for quotes) and multiple
RES_OPTIONS=whatever settings don't add up, so you can override
only one of "timeout" or "attempts" but not both.

From here on things only get worse. The following information is
only for completeness. I would not recommend anyone to take this
path.

To override RES_OPTIONS with spaces and all you would have to set
it in $daemon_directory/postfix-script.

/usr/libexec/postfix/postfix-script:
    export RES_OPTIONS; RES_OPTIONS="xxx yyy zzz"

/etc/postfix/main.cf:
    import_environment = ... RES_OPTIONS ...

This will import an environment setting literally. But it will
break the next time Postfix is updated.

	Wietse
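
An added example, not part of the original message and not Postfix code: a small lint that works out which resolver timeout/attempts Postfix daemons would see from resolv.conf plus a single RES_OPTIONS= entry in import_environment, and flags the two main.cf pitfalls described above. Assumptions: import_environment entries are split at whitespace, timeout x attempts is a simplified worst case for one lookup, the 6-second greet wait is a sample value, and all function names and sample files are constructed for illustration.

```python
import re

DEFAULTS = {"timeout": 5, "attempts": 2}  # typical defaults quoted in the post

def parse_options(text):
    """Extract timeout/attempts from a resolver option string."""
    return {k: int(v) for k, v in re.findall(r"\b(timeout|attempts):(\d+)", text)}

def effective_settings(resolv_conf, main_cf):
    """Return (resolver settings seen by Postfix daemons, lint warnings)."""
    opts, warnings = dict(DEFAULTS), []
    for line in resolv_conf.splitlines():
        line = line.split("#")[0].strip()
        if line.startswith("options"):
            opts.update(parse_options(line))
    joined = re.sub(r"\n[ \t]+", " ", main_cf)  # join continuation lines
    m = re.search(r"^import_environment[ \t]*=[ \t]*(.*)$", joined, re.M)
    entries = m.group(1).split() if m else []   # assumption: whitespace-separated
    res = [e for e in entries if e.startswith("RES_OPTIONS=")]
    stray = [e for e in entries if re.fullmatch(r"(timeout|attempts):\d+", e)]
    if stray:
        warnings.append("split off at whitespace, not in RES_OPTIONS: " + " ".join(stray))
    if len(res) > 1:
        warnings.append("multiple RES_OPTIONS= entries do not add up")
    elif res:
        opts.update(parse_options(res[0].split("=", 1)[1]))
    return opts, warnings

def may_stay_undecided(opts, greet_wait_s):
    """Simplified check: can one DNS lookup outlast the greet wait?"""
    return opts["timeout"] * opts["attempts"] > greet_wait_s

# Constructed sample files
RESOLV_CONF = "nameserver 192.0.2.53\noptions timeout:5 attempts:2\n"
MAIN_CF_ONE = "import_environment = MAIL_CONFIG TZ RES_OPTIONS=timeout:3\n"
MAIN_CF_SPACES = "import_environment = MAIL_CONFIG TZ RES_OPTIONS=timeout:3 attempts:1\n"

if __name__ == "__main__":
    for cf in (MAIN_CF_ONE, MAIN_CF_SPACES):
        opts, warnings = effective_settings(RESOLV_CONF, cf)
        # 6 is an assumed greet wait in seconds
        print(opts, may_stay_undecided(opts, 6), warnings)
```
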