On 02/06/16 19:21, Michael Fox wrote:
>> On 02/06/16 17:45, Michael Fox wrote:
>>> If a DNSBL in postscreen_dnsbl_sites has a weight >=
>>> postscreen_dnsbl_threshold, then is there any advantage to also
>>> listing it in smtpd_*_restrictions? For example, is there some failure
>>> mode that having the DNSBL listed in both places would protect
>>> against?
>>>
>>> Michael
>> I frequently have remote hosts which pass the pregreet and DNSBL tests,
>> and then repeatedly access the server with a "PASS OLD" result from
>> postscreen. Usually they try to send unauthorised relay messages.
>>
>> The entry in smtpd_*_restrictions would pick these up as their DNSBL
>> status changes.
>>
>> Allen C
> Thanks Allen.
>
> Ahhh.
> So, taking into account what Wietse just said about DNSBL lookups in
> postscreen and smtpd sharing the same caching resolver, then, if I
> understand you correctly, adding the same DNSBL to smtpd_*_restrictions
> would catch the case where postscreen_dnsbl_ttl has expired for a given
> client, but postscreen_cache_retention_time (default=7d) has not. Is that
> correct?
>
> Michael
>
>
As I understand it, yes.

Once a new remote host has been accepted by postscreen, it becomes difficult to "un-whitelist" it. It has to be dealt with elsewhere...

Allen C
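The setup discussed in this thread, sketched as a main.cf fragment. This is an added example, not a configuration posted by anyone in the thread. The DNSBL name dnsbl.example.org, the weight and threshold values, and the choice of smtpd_recipient_restrictions (the thread only says smtpd_*_restrictions) are assumptions.

```conf
# /etc/postfix/main.cf (fragment, constructed for illustration)

# --- postscreen layer ---------------------------------------------------
# dnsbl.example.org is a placeholder list name. Its weight (2) meets the
# threshold (2), so a listing on this one DNSBL is enough for postscreen
# to fail a NEW client.
postscreen_dnsbl_sites     = dnsbl.example.org*2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action    = enforce

# How long postscreen reuses a passing DNSBL result for a client.
# Until it runs out, a returning client is logged as "PASS OLD" and
# handed to smtpd without a fresh DNSBL test.
postscreen_dnsbl_ttl = 1h

# How long postscreen keeps an expired cache entry before deleting it
# (7d is the default quoted in the thread).
postscreen_cache_retention_time = 7d

# --- smtpd layer --------------------------------------------------------
# The same DNSBL again. smtpd evaluates reject_rbl_client on every
# delivery attempt, so a client that postscreen passed earlier and that
# has been listed since is still rejected here.
# reject_unauth_destination comes first so relay attempts are refused
# before any DNSBL lookup is made.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client dnsbl.example.org
```

To check whether the second listing is doing any work, compare "PASS OLD" lines from postscreen with later smtpd rejections for the same client address in the mail log.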