> Michael Fox:
> > Clarification: I seem to recall someone asking whether they should leave
> > RBLs in the smtpd_*_restrictions now that they've added them to postscreen.
> > And I seem to recall that the answer was something like "why not, it doesn't
> > hurt". But it seems to me that it would hurt because: a) it adds a
> > redundant lookup (unless the postscreen cache is shared with postfix) and,
> > b) unless they all have the same weight in postscreen, then postfix would
> > reject on any one RBL, which would make the weighting in postscreen moot.
> > Hence, my question.
>
> smtpd and postscreen use the same caching resolver, so the "extra"
> queries don't travel far over the network. So the answer is "it
> should not hurt".
>
> That said, postscreen versions before 3.1 ignore the DNS reply TTL
> (or its equivalent for NXDOMAIN replies) and use postscreen_dnsbl_ttl=1h
> by default. That was fine when I wrote postscreen 5 years ago, but
> it may be longer than the TTLs that some DNS reputations use these
> days.

Thanks Wietse.

So, as I understand it: as long as the weight assigned to a DNSBL in postscreen is >= postscreen_dnsbl_threshold, then there is no harm in also adding the same DNSBL to smtpd_*_restrictions. And, conversely, DNSBLs with weights < postscreen_dnsbl_threshold should not be listed in smtpd_*_restrictions because they could block an email on their own, even though they are not trusted to do so by postscreen.

If a DNSBL in postscreen_dnsbl_sites has a weight >= postscreen_dnsbl_threshold, then is there any advantage to also listing it in smtpd_*_restrictions? For example, is there some failure mode that having the DNSBL listed in both places would protect against?

Michael
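The consistency rule described in the message above (a DNSBL scored below postscreen_dnsbl_threshold should not also appear as a reject_rbl_client in smtpd_*_restrictions) can be checked mechanically. The following is an added example, not part of the thread or of Postfix; the sample settings and the example.* DNSBL names are constructed, and it assumes a domain listed more than once in postscreen_dnsbl_sites counts at its highest weight.

```python
import re

# Constructed sample main.cf settings (not from the thread).
SAMPLE_MAIN_CF = """\
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites = zen.example.org*3,
    bl.example.net*2, score.example.com=127.0.0.[2..4]*1
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.example.org,
    reject_rbl_client bl.example.net
"""

def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def postscreen_weights(params):
    """Map each DNSBL domain to its highest postscreen weight (weight defaults to 1)."""
    weights = {}
    for entry in re.split(r"[,\s]+", params.get("postscreen_dnsbl_sites", "")):
        if not entry:
            continue
        site, _, w = entry.partition("*")       # domain[=filter]*weight
        domain = site.split("=", 1)[0].lower()  # drop the optional reply filter
        weight = int(w) if w else 1
        weights[domain] = max(weight, weights.get(domain, weight))
    return weights

def below_threshold_in_smtpd(text):
    """DNSBLs that smtpd would reject on alone but postscreen scores below its threshold."""
    params = parse_main_cf(text)
    threshold = int(params.get("postscreen_dnsbl_threshold", "1"))
    weights = postscreen_weights(params)
    smtpd = set()
    for name, value in params.items():
        if re.fullmatch(r"smtpd_\w+_restrictions", name):
            smtpd.update(d.lower() for d in re.findall(r"reject_rbl_client\s+([^\s,=]+)", value))
    return sorted(d for d in smtpd if d in weights and weights[d] < threshold)

if __name__ == "__main__":
    print(below_threshold_in_smtpd(SAMPLE_MAIN_CF))
```

On a live system the same function can be fed the output of `postconf -n` in place of the constructed sample.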