> On 13.09.2016 at 19:00, Wietse Venema <wie...@porcupine.org> wrote:
>
> Christian Rößner:
>>> On 13.09.2016 at 18:09, Wietse Venema <wie...@porcupine.org> wrote:
>>>
>>> Christian Rößner:
>>>> Is there some chance that postscreen could be extended to also have
>>>> "defer"?
>>>
>>> That is a good question, but you might want to ask that in a thread
>>> that isn't about socketmaps.
>>
>> You are totally right. I created a new thread for this.
>>
>> The idea is to give postscreen a "defer" option. At connect time,
>> dynamic services can work with the IP address of a connecting
>> client. In some cases, this can result in whitelisting, blacklisting
>> or no decision. But a fourth decision: "defer" might be interesting
>> in cases, where the risk of a false-positive decision is too big.
>>
>> Having this in postscreen reduces load on external DNS queries,
>> if you also use dnsblog.
>
> Unlike DNS lookups, the access map lookup is a blocking operation,
> and if your tcp map takes 80ms to complete (a typical trans-atlantic
> query), then you can handle only 12 connections per second, and
> make postscreen the largest performance bottleneck on the system.

Good point. I will think about moving the tcp-map to "smtpd".

Thank you very much for clarifying the performance impact.

Christian

--
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, https://www.roessner-network-solutions.com