On Fri, Jul 15, 2016 at 11:00:56PM +0300, Lefteris Tsintjelis wrote:
> On 15/07/2016 16:38, wie...@porcupine.org wrote:
> >That is fundamentally not how postscreen works. postscreen
> >whitelists the client, not the combination (client + SMTP
> >commands). Its purpose is to block bad clients with zero overhead
> >for whitelisted clients, not doing things that require inspecting
> >commands from all SMTP sessions.
>
> I am not sure I follow you with the SMTP commands. Maybe I was not
> clear but I was referring to SPF and MX DNS records only which are
> purely DNS lookups based on client's IP and do not require any SMTP
> inspection, just like DNSBL/DNSWL.

Both points are incorrect.

An MX lookup based on client IP is not possible. There are generally
no MX records in "arpa." zones. MX lookup would be based on the
domain in the MAIL FROM: address. That does indeed require SMTP
inspection. As implemented, postscreen does not know the MAIL FROM:
address until after it has already decided to reject or defer the
client.

This requires both the lookup of the domain's MX, and then an A/AAAA
lookup of the MX hostname[s]. These lookups are necessarily in
sequence rather than in parallel.

Likewise, SPF (the "S" stands for "Sender") needs a lookup of the
domain in MAIL FROM:. From there it could require many more DNS
lookups, depending on whether the SPF/TXT record exists and on the
content thereof.

No, we are not going to see these features in postscreen. They do
not make sense.
-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
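
Added illustration, not part of the original message and not Postfix code: a Python example of the lookup dependencies described in the reply above. The in-memory zone, the `Resolver` class and all names and addresses are constructed for the example, and the SPF walk assumes only `ip4` and `include` terms. The DNSBL query name is built from the client IP alone, while the MX and SPF checks cannot start until the MAIL FROM domain is known, and each then chains further lookups in sequence.

```python
import ipaddress

# Constructed zone data standing in for live DNS; every name and address is a sample value.
ZONE = {
    ("5.113.0.203.dnsbl.example", "A"): ["127.0.0.2"],
    ("sender.example", "MX"): ["mx1.sender.example", "mx2.sender.example"],
    ("mx1.sender.example", "A"): ["192.0.2.10"],
    ("mx2.sender.example", "A"): ["198.51.100.7"],
    ("sender.example", "TXT"): ["v=spf1 include:_spf.sender.example -all"],
    ("_spf.sender.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
}

class Resolver:
    """Hypothetical offline resolver that records every query in order."""
    def __init__(self, zone):
        self.zone, self.log = zone, []
    def query(self, name, rtype):
        self.log.append((name, rtype))
        return self.zone.get((name, rtype), [])

def dnsbl_listed(res, client_ip, zone="dnsbl.example"):
    """DNSBL/DNSWL: one query whose name is derived from the client IP only."""
    qname = ".".join(reversed(client_ip.split("."))) + "." + zone
    return bool(res.query(qname, "A"))

def client_is_mx(res, client_ip, mail_from_domain):
    """MX check: needs the MAIL FROM domain, then MX, then A for each MX host."""
    for host in res.query(mail_from_domain, "MX"):
        # Each A lookup depends on the MX answer, so the queries are sequential.
        if client_ip in res.query(host, "A"):
            return True
    return False

def spf_pass(res, client_ip, domain):
    """SPF subset (ip4 and include only): the record content decides what is queried next."""
    addr = ipaddress.ip_address(client_ip)
    for txt in res.query(domain, "TXT"):
        if not txt.startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:]):
                return True
            if term.startswith("include:") and spf_pass(res, client_ip, term[8:]):
                return True
    return False
```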