Michael Fox:
> > On 02/06/16 17:45, Michael Fox wrote:
> > > If a DNSBL in postscreen_dnsbl_sites has a weight >=
> > > postscreen_dnsbl_threshold, then is there any advantage to also
> > > listing it in smtpd_*_restrictions? For example, is there some failure
> > > mode that having the DNSBL listed in both places would protect
> > > against? Michael
> >
> > I frequently have remote hosts which pass the pregreet and DNSBL tests,
> > and then repeatedly access the server with a "PASS OLD" result from
> > postscreen. Usually they try to send unauthorised relay messages.
> >
> > The entry in smtpd_*_restrictions would pick these up as their DNSBL
> > status changes.
> >
> > Allen C
>
> Thanks Allen.
>
> Ahhh.
> So, taking into account what Wietse just said about DNSBL lookups in
> postscreen and smtpd sharing the same caching resolver, then, if I
> understand you correctly, adding the same DNSBL to smtpd_*_restrictions
> would catch the case where postscreen_dnsbl_ttl has expired for a given
> client, but postscreen_cache_retention_time (default=7d) has not. Is that
> correct?

postscreen will query the DNS when the client connects after
postscreen_dnsbl_ttl has expired. With Postfix 3.1 and later, that
time is (also) determined by a TTL in the DNS response.

	Wietse
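
For reference, a main.cf fragment with the same DNSBL listed in both places, as discussed in this thread. This is an added example and not configuration posted by anyone in the thread; dnsbl.example.org is a placeholder and the weight and time values are illustrative.

```conf
# /etc/postfix/main.cf (fragment), constructed example.
# dnsbl.example.org is a placeholder DNSBL name.

# postscreen side: the client is scored before it is handed to smtpd.
# The single list has weight 2, which is >= the threshold of 2, so a
# listing on this DNSBL alone fails the postscreen DNSBL test.
postscreen_dnsbl_sites = dnsbl.example.org*2
postscreen_dnsbl_threshold = 2
# The default action is "ignore"; "enforce" rejects mail from clients
# that fail the test.
postscreen_dnsbl_action = enforce

# How long a passed DNSBL test is reused before the client has to pass
# it again (the "PASS OLD" window for this test).
postscreen_dnsbl_ttl = 1h
# Postfix 3.1 and later: the TTL from the DNS reply is used, kept within
# these bounds.
#postscreen_dnsbl_min_ttl = 60s
#postscreen_dnsbl_max_ttl = 1h

# How long postscreen keeps an expired cache entry before removing it.
postscreen_cache_retention_time = 7d

# smtpd side: the same DNSBL is checked again for each client that
# reaches smtpd, after the relay checks.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client dnsbl.example.org
```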