On 5/22/2013 8:41 AM, Deeztek Support wrote:
> I'm trying out postscreen and I have a couple of questions. First
> off, here's my postscreen setup:
> 
> postscreen_access_list = permit_mynetworks
> postscreen_blacklist_action = enforce
> postscreen_dnsbl_action = enforce
> postscreen_greet_action = enforce
> postscreen_dnsbl_sites = zen.spamhaus.org*3
>         b.barracudacentral.org*2
>         bl.spameatingmonkey.net*2
>         dnsbl.ahbl.org*2
>         bl.spamcop.net
>         dnsbl.sorbs.net
>         psbl.surriel.com
>         bl.mailspike.net
>         swl.spamhaus.org*-4
>         list.dnswl.org=127.[0..255].[0..255].0*-2
>         list.dnswl.org=127.[0..255].[0..255].1*-3
>         list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
> postscreen_dnsbl_threshold = 3
> postscreen_pipelining_enable = yes
> postscreen_non_smtp_command_enable = yes
> postscreen_bare_newline_action = enforce
> postscreen_bare_newline_enable = yes
> 
> so, the RBLs are getting utilized by postscreen before it even hits
> the smtp service. So, am I right to assume that the
> reject_rbl_client lines in my smtpd_recipient_restrictions are no
> longer needed?

No, not needed.  But some folks like to leave them in anyway because
1) they're "free" if the DNS response is currently cached and 2)
postscreen internally caches "PASS" status, possibly after a bad
client is newly listed in an rbl.


>  
> Additionally, in my smtpd_recipient_restrictions I have a
> check_client_access line that points to a list of rbl_override email
> addresses so that I can receive e-mail from someone even if they are
> sending e-mail from an IP that's listed on an RBL. I can't seem to
> find any reference on how to accomplish this with postscreen. Is
> that even possible or are we relying on the RBL scoring system for
> postscreen?

(I'm wondering why a check_client_access map points to a list of
email addresses, but maybe you misspoke)

There is no conditional whitelisting available in postscreen.  Only
use highly trusted (by *YOU*) RBLs in postscreen, or use scoring so
that multiple listings are required for rejection.

Secondly, remember postscreen is intended as a quick-and-simple
zombie killer; its only purpose is to reduce the workload on the
more complex filters further downstream.



  -- Noel Jones
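
Added example (not part of the original message or of Postfix): a simplified Python model of how postscreen combines the weights in the postscreen_dnsbl_sites list quoted above and compares the total with postscreen_dnsbl_threshold. The DNS replies passed in are constructed, and only the plain-number and [lo..hi] filter forms used in that list are handled.

```python
import re

# Copied from the postscreen_dnsbl_sites value quoted in the message above.
SITES = """
zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2
dnsbl.ahbl.org*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com
bl.mailspike.net swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
"""
THRESHOLD = 3  # postscreen_dnsbl_threshold from the same message

ENTRY = re.compile(r"^(?P<domain>[^=*]+)(?:=(?P<filt>[^*]+))?(?:\*(?P<w>-?\d+))?$")

def parse_sites(text):
    """Split 'domain[=filter][*weight]' entries; weight defaults to 1."""
    out = []
    for tok in text.replace(",", " ").split():
        m = ENTRY.match(tok)
        if not m:
            raise ValueError(f"bad entry: {tok}")
        out.append((m["domain"], m["filt"], int(m["w"] or 1)))
    return out

def octet_ok(pat, octet):
    """Match one reply octet against 'N' or '[lo..hi]'."""
    m = re.fullmatch(r"\[(\d+)\.\.(\d+)\]", pat)
    if m:
        return int(m[1]) <= int(octet) <= int(m[2])
    return int(pat) == int(octet)

def reply_matches(filt, reply):
    if filt is None:  # no filter: any reply from the list counts
        return True
    pats = re.findall(r"\[[^\]]+\]|\d+", filt)
    octs = reply.split(".")
    return len(pats) == 4 and len(octs) == 4 and all(map(octet_ok, pats, octs))

def score(replies, sites):
    """replies: {dnsbl_domain: [A-record replies]}; absent domain = not listed."""
    return sum(w for d, f, w in sites
               if any(reply_matches(f, r) for r in replies.get(d, [])))

def blocked(replies, sites=None, threshold=THRESHOLD):
    # The threshold is an inclusive lower bound: score >= threshold is blocked.
    return score(replies, sites or parse_sites(SITES)) >= threshold
```

With these weights a single zen.spamhaus.org listing reaches the threshold on its own, a weight-2 list needs one more listing, and a dnswl.org whitelist entry can pull a listed client back under the threshold.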
