In message <570a341b.9000...@pajamian.dhs.org> Peter writes:

> On 10/04/16 15:00, Curtis Villamizar wrote:
> > This is a workaround that shouldn't be needed.
> >
> > Any idea what the cause of this is? So far no legit mail except gmail
> > gets caught here.
>
> gmail uses hundreds, or thousands of MTAs and has the unique property
> that when they retry after a deferral it is almost always from a
> different server (IP). So postfix clears one IP and they retry from
> another which postfix did not clear yet. Rinse and repeat ad nauseam.
>
> The only workaround is to either receive so much mail from google that
> you eventually get most of their servers on your temporary whitelist, or
> to whitelist them in some other way. Newer versions of postfix allow
> you to whitelist based on DNSWLs and if you use dnswl.org it will
> include the google servers. In older versions of postfix you will need
> to whitelist them manually like you have already done, but they change
> from time to time so you need to keep the list up to date.
>
> Peter
This seems like it could be a viable workaround for the after 220
problem.

  postscreen_dnsbl_sites = list.dnswl.org*-5  # followed by some blacklist sites

It could occasionally delay mail from all legitimate senders not in
dnswl.org (almost everyone but a few big guys) if they try both the
primary and secondary MX and those two MX have independent temporary
whitelists. Tying the temporary whitelists together (so the secondary
immediately passes postscreen tests) using a routable address (since
they are at different sites) seems horribly insecure. If there was a
way to wrap the connection in TLS, then OK. Occasionally delaying
legitimate mail is to be avoided and I don't see a workaround for that.

OTOH, as soon as I turned this off some obvious spam got through,
probably bot spam not yet listed in a dnsbl and clever enough to not
get snagged by SpamAssassin (not all that hard apparently).

The next question is whether the after 220 stops enough spam that the
other tests wouldn't get to make it worth the bother. Apparently, based
on Wietse's terse comment, he thinks not. So I'll go with Wietse's
advice and disable after 220 tests and see if I can find an alternative
to stop the remaining dribble of spam.

Curtis