> postscreen will query the DNS when the client connects after
> postscreen_dnsbl_ttl has expired. With Postfix 3.1 and later,
> that time is (also) determined by a TTL in the DNS response.

Thanks for the clarification, Wietse. 2 questions:

1) Given that DNSBLs in postscreen_dnsbl_sites and smtpd_*_restrictions use the same caching resolver and the same timeouts, they should produce the same result. Correct? If so, then is there any reason at all for putting a DNSBL in smtpd_*_restrictions if postscreen is already set up with a set of weighted DNSBLs? Or, put another way, is there any failure mode that listing the DNSBL in both places might prevent? Please explain.

2) Please confirm my understanding of the postscreen_cache_retention_time:

2a) A client that previously passed the pre-greet test will face the pre-greet test again if postscreen_greet_ttl has expired, even if postscreen_cache_retention_time has not expired. Correct?

2b) A client that previously passed the DNSBL test will face the DNSBL test again if postscreen_dnsbl_ttl has expired, even if postscreen_cache_retention_time has not expired. Correct?

2c) A client that has previously passed the pre-greet and DNSBL tests, and connects again before postscreen_cache_retention_time has expired, will be logged as "PASS OLD" instead of "PASS NEW", regardless of whether or not the pre-greet and/or DNSBL tests had to be rerun this time. Correct?

2d) The result of "tests after the 220 SMTP server greeting" are cached for postscreen_cache_retention_time. Correct?

Thanks,
Michael