> On 14.09.2016 at 07:50, Christian Rößner
> <c...@roessner-network-solutions.com> wrote:
>
>> On 13.09.2016 at 19:00, Wietse Venema <wie...@porcupine.org> wrote:
>>
>> Christian Rößner:
>>>> On 13.09.2016 at 18:09, Wietse Venema <wie...@porcupine.org> wrote:
>>>>
>>>> Christian Rößner:
>>>>> Is there some chance that postscreen could be extended to also have
>>>>> "defer"?
>>>>
>>>> That is a good question, but you might want to ask that in a thread
>>>> that isn't about socketmaps.
>>>
>>> You are totally right. I created a new thread for this.
>>>
>>> The idea is to give postscreen a "defer" option. At connect time,
>>> dynamic services can work with the IP address of a connecting
>>> client. In some cases, this can result in whitelisting, blacklisting
>>> or no decision. But a fourth decision: "defer" might be interesting
>>> in cases where the risk of a false-positive decision is too big.
>>>
>>> Having this in postscreen reduces load on external DNS queries,
>>> if you also use dnsblog.
>>
>> Unlike DNS lookups, the access map lookup is a blocking operation,
>> and if your tcp map takes 80ms to complete (a typical trans-atlantic
>> query), then you can handle only 12 connections per second, and
>> make postscreen the largest performance bottleneck on the system.
>
> Good point. I will think about moving the tcp-map to "smtpd".
>
> Thank you very much for clarifying the performance impact

Ah... Just read about the postscreen-policy idea. :-)

-- 
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, https://www.roessner-network-solutions.com