On 2 Dec 2015, at 12:54, Bryan K. Walton wrote:
On Wed, Dec 02, 2015 at 12:49:05PM -0500, Bill Cole wrote:
Alternative (and I think better) random guess: you've enabled one or more "after 220 server greeting" tests. See the postscreen man page for the consequences of such configuration and note that there's no law requiring retry delivery of a deferred message to be done via the same IP as any prior delivery attempt, and a big complex mail system built for high availability is likely to NOT do so.
We do make use of those. However, we are also using postscreen_dnsbl_whitelist_threshold. The hosts in question are scoring in the negative numbers and SHOULD be exempt from the after 220 greeting tests. As mentioned in my first email, the host in question is scoring -8. I'm whitelisting any host that scores below -2.
My mistake: I didn't look carefully enough at what
postscreen_dnsbl_whitelist_threshold is supposed to do. Sorry for the
rapid-fire noise.
Theory: Your 8 DNSBL lookups are not all completing fast enough for postscreen to make a pass/fail/whitelist decision before the sender proceeds with its SMTP chat, which postscreen handles (rather than handing off to smtpd) because it has not yet whitelisted the IP. 8 seconds after the connection it has all those answers and logs the PASS NEW.
IF that's what is happening, you may be able to address it by bumping up
postscreen_greet_wait and/or lowering postscreen_dnsbl_timeout. But I've
been wrong before...
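One way to check Bill's theory against a real mail log, as an added example that is not part of the thread: correlate each postscreen CONNECT with its PASS NEW and flag clients whose whitelist decision arrived later than postscreen_greet_wait. The log lines below are constructed for illustration; the 6-second greet wait is an assumed value, not taken from the thread.

```python
import re
from datetime import datetime

# Assumed postscreen_greet_wait in seconds; adjust to the value in your main.cf.
GREET_WAIT = 6.0

# Syslog prefix followed by the postscreen program tag.
TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/postscreen\[\d+\]: "
RE_CONNECT = re.compile(TS + r"CONNECT from \[(?P<ip>[^\]]+)\]:(?P<port>\d+)")
RE_PASS = re.compile(TS + r"PASS (?P<kind>NEW|OLD) \[(?P<ip>[^\]]+)\]:(?P<port>\d+)")

# Constructed sample: the first client is whitelisted 8 s after connecting
# (DNSBL answers arrived late), the second within 2 s.
SAMPLE_LOG = """\
Dec  2 12:40:00 mx1 postfix/postscreen[2101]: CONNECT from [192.0.2.10]:54321 to [198.51.100.5]:25
Dec  2 12:40:08 mx1 postfix/postscreen[2101]: PASS NEW [192.0.2.10]:54321
Dec  2 12:41:00 mx1 postfix/postscreen[2101]: CONNECT from [203.0.113.7]:40000 to [198.51.100.5]:25
Dec  2 12:41:02 mx1 postfix/postscreen[2101]: PASS NEW [203.0.113.7]:40000
""".splitlines()


def _parse_ts(text):
    # Syslog timestamps carry no year; only the difference between two stamps matters here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def slow_whitelist_decisions(lines, greet_wait=GREET_WAIT):
    """Return [(ip, seconds)] for clients whose PASS NEW came more than
    greet_wait seconds after CONNECT, i.e. the client had already been
    talking to postscreen itself before the DNSBL verdict was in."""
    pending = {}  # (ip, port) -> CONNECT time
    slow = []
    for line in lines:
        m = RE_CONNECT.search(line)
        if m:
            pending[(m["ip"], m["port"])] = _parse_ts(m["ts"])
            continue
        m = RE_PASS.search(line)
        if m and m["kind"] == "NEW":
            start = pending.pop((m["ip"], m["port"]), None)
            if start is not None:
                delta = (_parse_ts(m["ts"]) - start).total_seconds()
                if delta > greet_wait:
                    slow.append((m["ip"], delta))
    return slow


if __name__ == "__main__":
    for ip, secs in slow_whitelist_decisions(SAMPLE_LOG):
        print(f"{ip}: PASS NEW {secs:.0f}s after CONNECT (greet_wait={GREET_WAIT:.0f}s)")
```

Feed it `grep postscreen /var/log/mail.log` and any hits are candidates for raising postscreen_greet_wait or lowering postscreen_dnsbl_timeout, as suggested above.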