On Fri, Jul 07, 2017 at 05:18:49PM -0500, techlist06 wrote:
> - postscreen with postgrey - can they cause a double reject?

Reject, no; deferral, of course yes.

> I searched for answers regarding using both postscreen and 
> greylisting.  I saw some differing opinions.  But I did not
> see this point covered.

My opinion is that postscreen is a much better greylisting-like 
implementation.  I do not recommend other greylisting now (and this 
opinion dates back many years.)

> Assuming a client's first connection to me to deliver and
> Assuming that postscreen is configured for deep protocol tests,
> and the connection passes all tests.
> 
> I understand postscreen will temporarily whitelist the IP but the 
> client must reconnect in order to deliver.

Yes, but see:

http://www.postfix.org/postconf.5.html#postscreen_dnsbl_whitelist_threshold

Most legitimate senders are listed in the DNSWL.org whitelist.
Clients in that list (without offsetting DNSBL listings, which have 
been very rare) bypass postscreen's delaying behavior.

> On that second connection, postscreen hands off to postfix
> due to the temporary whitelist.

Postscreen IS Postfix; it hands off to smtpd(8).

> If I have greylisting configured, as I have done it in the
> past in main.cf:
> 
>       smtpd_recipient_restrictions =
>         ...
>         check_policy_service unix:postgrey/socket
>         permit
> 
> Won't this second connection get temp rejected by my normal 
> greylisting a second time?  The regular greylisting won't know 
> about the postscreen's recent pass.  So won't the client
> have to connect for a 3rd time to deliver?
> 
> That would seem to me to be an argument against using both, or

Correct.

> at least using both with postscreen's deep protocol tests
> enabled.
> 
> I'd be grateful to be straightened out if I have it wrong.  

Just stick with postscreen's deep protocol tests.  Greylisting won't 
block anything that got through postscreen's delay.  All pain, no 
gain, with greylisting behind postscreen.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
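
The setup discussed in this message, as an added main.cf sketch that is not part of the original email or anyone's actual configuration: postgrey removed from behind postscreen, deep protocol tests enabled, and a DNSWL-based whitelist threshold so listed senders skip the delay. The DNSBL/DNSWL zones, weights and thresholds are assumptions to adapt, and postscreen is assumed to be already enabled in master.cf.

```conf
# main.cf - constructed example; zones, weights and thresholds are assumptions.

# Before: greylisting behind postscreen. A new client that passes the deep
# protocol tests is deferred by postscreen, then deferred again by postgrey,
# and only delivers on its 3rd connection.
#
# smtpd_recipient_restrictions =
#     ...
#     check_policy_service unix:postgrey/socket
#     permit

# After: drop the check_policy_service line above and let postscreen do
# the delaying on its own.

# Pre-greeting and DNSBL scoring.
postscreen_access_list = permit_mynetworks
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
    zen.spamhaus.org*2
    list.dnswl.org=127.0.[0..255].[1..3]*-2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action = enforce

# Clients whose combined score is at or below this value (for example,
# listed in DNSWL with no offsetting DNSBL hit) skip the remaining tests,
# so they are handed to smtpd(8) on their first connection.
postscreen_dnsbl_whitelist_threshold = -1

# Deep protocol tests. A client that passes them still gets a 4xx reply
# and must reconnect; that reconnect is the greylisting-like delay.
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = drop
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce
```

After a reload, `postconf -n | grep -E 'postscreen|postgrey'` shows the non-default postscreen settings in effect and confirms that no postgrey policy service remains.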
