On Fri, Jul 07, 2017 at 05:18:49PM -0500, techlist06 wrote:
> - postscreen with postgrey - can they cause a double reject?

Reject, no; deferral, of course yes.

> I searched for answers regarding using both postscreen and
> greylisting. I saw some differing opinions. But I did not
> see this point covered.

My opinion is that postscreen is a much better greylisting-like
implementation. I do not recommend other greylisting now (and
this opinion dates back many years.)

> Assuming a client's first connection to me to deliver and
> Assuming that postscreen is configured for deep protocol tests,
> and the connection passes all tests.
>
> I understand postscreen will temporarily whitelist the IP but the
> client must reconnect in order to deliver.

Yes, but see:
http://www.postfix.org/postconf.5.html#postscreen_dnsbl_whitelist_threshold

Most legitimate senders are listed in the DNSWL.org whitelist.
Clients in that list (without offsetting DNSBL listings, which
have been very rare) bypass postscreen's delaying behavior.

> On that second connection, postscreen hands off to postfix
> due to the temporary whitelist.

Postscreen IS Postfix; it hands off to smtpd(8).

> If I have greylisting configured, as I have done it in the
> past in main.cf:
>
> smtpd_recipient_restrictions
>    ...
>    check_policy_service unix:postgrey/socket
>    permit
>
> Won't this second connection get temp rejected by my normal
> greylisting a second time? The regular greylisting won't know
> about the postscreen's recent pass. So won't the client
> have to connect for a 3rd time to deliver?
>
> That would seem to me to be an argument against using both, or

Correct.

> at least using both with postscreen's deep protocol tests
> enabled.
>
> I'd be grateful to be straightened out if I have it wrong.

Just stick with postscreen's deep protocol tests. Greylisting
won't block anything that got through postscreen's delay. All
pain, no gain, with greylisting behind postscreen.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
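
The setup recommended in the reply above, sketched as a main.cf fragment. This is an added example, not configuration posted by either participant. The choice of zen.spamhaus.org, the weights and both thresholds are assumptions to adapt, and postscreen is assumed to be already enabled in master.cf.

```conf
# Before (from the question): a greylisting policy service behind postscreen.
# An unlisted client is deferred once by postscreen's deep protocol tests
# and once more by postgrey, so it delivers on its third connection.
#
# smtpd_recipient_restrictions =
#     ...
#     check_policy_service unix:postgrey/socket
#     permit

# After: postscreen alone. Remove the check_policy_service line above and
# leave the rest of smtpd_recipient_restrictions unchanged.

# DNSBL/DNSWL scoring. A positive weight counts against the client, a
# negative weight in its favour. The final octet of a DNSWL.org reply is
# the trust level; only levels 1..3 are given credit here (assumed choice).
postscreen_dnsbl_sites =
    zen.spamhaus.org*2
    list.dnswl.org=127.0.[0..255].[1..3]*-2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action = enforce

# A combined score at or below this (negative) value lets the client skip
# the remaining tests, so DNSWL-listed senders are handed to smtpd(8) on
# their first connection instead of being told to reconnect.
postscreen_dnsbl_whitelist_threshold = -1

# Pregreet test, before the 220 greeting.
postscreen_greet_action = enforce

# Deep protocol tests, after the 220 greeting. A client that passes is
# temporarily whitelisted but must reconnect to deliver; this is the
# greylisting-like delay that makes postgrey redundant.
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce
```

After editing, "postconf -n | grep postscreen" shows the values in effect, and the "PASS NEW" and "PASS OLD" lines postscreen writes to the mail log show which clients were made to reconnect.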