On Fri, Nov 13, 2015 at 09:12:54PM +1300, martin f krafft wrote:

> I am doing greylisting in smtpd_client_restrictions and later
> a policy server check in smtpd_recipient_restrictions (postconf
> included below). smtpd_delay_reject is on (the default).

Greylisting typically generates a "defer_if_permit" verdict.

    http://www.postfix.org/access.5.html

       DEFER_IF_PERMIT optional text...
              Defer the request if some later restriction would result in an
              explicit   or    implicit    PERMIT    action.     Reply    with
              "$access_map_defer_code   4.7.1    optional  text..."  when  the
              optional text is specified, otherwise reply with a generic error
              response message.

This is good, because it is silly to defer mail that will ultimately
be rejected.  With "defer_if_permit", processing goes on in the
"hope" that the mail may yet still be rejected by later restrictions.

> The weird behaviour I am seeing is that despite a greylisting match
> (4xx) in sender restrictions, the recipient restrictions are still
> all being evaluated. In the logs, this looks as follows:
> 
>   postgrey[27226]: action=greylist, reason=new, client_name=unknown,
>     client_address=120.28.68.66, sender=reconnoitering...@bk.ru,
>     recipient=new-...@pobox.madduck.net

Replies with "defer_if_permit".

>   postfwd2/policy[1002]: [RULES] rule=3, id=REJECT_HELO_NODNS,
>     client=unknown[120.28.68.66], sender=<reconnoitering...@bk.ru>,
>     recipient=<new-...@pobox.madduck.net>, helo=<[120.28.68.66]>,
>     proto=ESMTP, state=RCPT, delay=0.00s,
>     hits=SET_HELO;SET_NODNS;REJECT_HELO_NODNS, action=REJECT Blocked
>     - Suspicious HELO [[120.28.68.66]] and missing reverse DNS
>     [120.28.68.66]
>   postfix/smtpd[14225]: NOQUEUE: reject: RCPT from
>     unknown[120.28.68.66]: 554 5.7.1 <new-...@pobox.madduck.net>:
>     Recipient address rejected: Blocked - Suspicious HELO
>     [[120.28.68.66]] and missing reverse DNS [120.28.68.66];
>     from=<reconnoitering...@bk.ru> to=<new-...@pobox.madduck.net>
>     proto=ESMTP helo=<[120.28.68.66]>

Excellent, the mail got rejected, rather than deferred.

> In my case, the postgrey check in the sender restrictions returns
> DEFER, and the README leads me to assume that the recipient list
> would be skipped. But it is not.

Does it in fact return "DEFER"?   My money is on "DEFER_IF_PERMIT".

-- 
        Viktor.
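
The evaluation order discussed in this message, as an added example that is not part of the original email and is not Postfix code. It is a simplified model of RCPT-time evaluation with smtpd_delay_reject on; the check functions, request fields and sample values are constructed for illustration.

```python
# Simplified model (an assumption, not Postfix source) of how restriction
# lists are evaluated at RCPT time when smtpd_delay_reject=yes.

def evaluate(lists, request):
    """lists: ordered [(list_name, [check, ...])]; each check returns
    (action, text). Returns the final (verdict, text) for the client."""
    deferred = None                       # remembered DEFER_IF_PERMIT text
    for _name, checks in lists:
        for check in checks:
            action, text = check(request)
            action = action.upper()
            if action in ("REJECT", "DEFER"):
                return action, text       # final: no later check is run
            if action == "DEFER_IF_PERMIT":
                deferred = deferred or text   # note it, keep evaluating
            elif action in ("OK", "PERMIT"):
                break                     # ends this list only
            # DUNNO: continue with the next check in this list
    if deferred is not None:
        return "DEFER", deferred          # nothing rejected, so defer now
    return "PERMIT", ""

def greylist(req):                        # hypothetical stand-in for postgrey
    if req["triplet_known"]:
        return "DUNNO", ""
    return "DEFER_IF_PERMIT", "Greylisted, try again later"

def helo_policy(req):                     # hypothetical stand-in for postfwd2
    if req["client_name"] == "unknown" and req["helo"].startswith("["):
        return "REJECT", "Suspicious HELO and missing reverse DNS"
    return "DUNNO", ""

LISTS = [("smtpd_client_restrictions", [greylist]),
         ("smtpd_recipient_restrictions", [helo_policy])]

# Constructed sample requests (documentation addresses, not real traffic).
SPAMMY = {"client_name": "unknown", "helo": "[192.0.2.66]",
          "triplet_known": False}
NEW_BUT_SANE = {"client_name": "mail.example.org",
                "helo": "mail.example.org", "triplet_known": False}
RETRY = dict(NEW_BUT_SANE, triplet_known=True)

if __name__ == "__main__":
    for label, req in (("spammy", SPAMMY), ("new", NEW_BUT_SANE),
                       ("retry", RETRY)):
        print(label, evaluate(LISTS, req))
```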
