/dev/rob0:
> 
> I guess this says that postscreen_dnsbl_action fires at the end of 
> the greet pause when postscreen_dnsbl_threshold is met, but 
> postscreen_dnsbl_whitelist_threshold is not calculated. Here's the 

[begin background material]

I misunderstood how postscreen works (I do not constantly stare
at Postfix source code, having other things to work on that pay the
bills).

I thought that the whitelist will be applied only when DNS lookups
complete *before* the pregreet timer expires. That is,

- When some DNS lookup is taking too long, no DNS score is available.

This is consistent with how postscreen whitelisting works for non-DNS
tests.  It applies the whitelist threshold only when DNS lookup
completes before the pregreet timer expires.

However, the bullet above is incorrect. When some DNS lookup takes
too long, a DNS score is available, and the postscreen DNS blocking
code uses that partial score.

This is safe when there are only positive scores (if the partial
client is already over the threshold then the client should be
blocked even if some DNS results are not yet in).

This is less safe when there may also be exculpatory evidence (in
the form of DNSWL lookups).  But, sites are usually not listed in
both white and block lists.

[end background material]

I can change postscreen to also use partial scores for whitelisting
of non-DNS tests, and thereby make whitelisting of non-DNS tests
consistent with DNS-based blocking (that's one less WTF factor).
This requires minor code duplication.

        Wietse
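A small model of the scoring decision discussed in this thread, added here as an illustration and not taken from the Postfix source. The site names and weights are constructed in the spirit of postscreen_dnsbl_sites, and the whitelist_needs_complete switch stands in for the current versus proposed whitelisting behaviour; the case where a DNSWL answer is still pending shows why partial scores are "less safe" when exculpatory evidence exists.

```python
from typing import Dict, List, Optional, Tuple

# Constructed scoring table: positive weights are blocklists, negative
# weights are DNS whitelists (DNSWL). Not real DNSBL domains.
SITES: List[Tuple[str, int]] = [
    ("bl.example-dnsbl.test", 2),
    ("another.dnsbl.test", 1),
    ("list.dnswl.test", -5),
]

# State of the lookups when the pregreet timer expires:
# True = listed, False = not listed, None = answer still pending.
Lookups = Dict[str, Optional[bool]]


def partial_score(lookups: Lookups) -> Tuple[int, bool]:
    """Sum the weights of the lookups that have completed.

    Returns (score, complete); complete is False if any lookup is pending.
    """
    score, complete = 0, True
    for site, weight in SITES:
        result = lookups.get(site)
        if result is None:
            complete = False
        elif result:
            score += weight
    return score, complete


def decide(lookups: Lookups, block_threshold: int = 1,
           whitelist_threshold: int = -1,
           whitelist_needs_complete: bool = True) -> str:
    """Model (hypothetical, not Postfix code) of the decision in the thread.

    Blocking uses the partial score as soon as it reaches block_threshold.
    Whitelisting (skipping the non-DNS tests) uses the score only when all
    lookups are complete (current behaviour), or also a partial score when
    whitelist_needs_complete is False (the proposed change).
    A whitelist_threshold of 0 disables whitelisting, as in postscreen.
    """
    score, complete = partial_score(lookups)
    if score >= block_threshold:
        return "block"
    if (whitelist_threshold < 0 and score <= whitelist_threshold
            and (complete or not whitelist_needs_complete)):
        return "whitelist"
    return "continue"  # run the remaining postscreen tests


if __name__ == "__main__":
    pending_dnswl = {"bl.example-dnsbl.test": True,
                     "another.dnsbl.test": True, "list.dnswl.test": None}
    print(decide(pending_dnswl))  # blocked before the DNSWL answer arrives
```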
