On 26/12/2021 17:51, Wietse Venema wrote:
> Depends on what you mean with "accurate".

I mean the locally maintained IP RBL. It is critical, as this will be doing most of the rejection.

> - With smtpd_delay_reject=yes, Postfix logs the client, helo, sender, and recipient.

With delays set to yes, it is really good to have that info, but when SASL is used the rejection reason given out is authentication failed, and that is where my concern is.

> - With smtpd_delay_reject=no, Postfix will log a DNSBL 'reject' in smtpd_client_restrictions without any sender or recipient information. That makes it difficult to answer questions about "missing" email.

And when SASL is used with delays set to no, when the first reject happens, the client is out, so the very much wanted authentication info is delayed, and that decreases the guessing possibilities to extremely low and makes the attack close to impossible to ever succeed with proper RBL updating.

Lefteris
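
The logging difference discussed in this thread, as an added example that is not part of the original message: a Python script that reads smtpd reject records and counts, per client IP, the rejects logged without a recipient, which are the ones that cannot answer a "missing email" question. The log lines are constructed, modelled on Postfix's reject format; the RBL name, hosts and addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines modelled on Postfix smtpd reject logging.
# rbl.example.org, the hosts and the addresses are placeholders.
SAMPLE_LOG = """\
Dec 26 18:02:11 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using rbl.example.org; from=<alice@example.net> to=<bob@example.com> proto=ESMTP helo=<mail.example.net>
Dec 26 18:02:40 mx postfix/smtpd[2107]: NOQUEUE: reject: CONNECT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using rbl.example.org; proto=SMTP
Dec 26 18:03:02 mx postfix/smtpd[2109]: NOQUEUE: reject: CONNECT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using rbl.example.org; proto=SMTP
Dec 26 18:03:05 mx postfix/smtpd[2110]: connect from unknown[203.0.113.5]
"""

REJECT = re.compile(
    r"NOQUEUE: reject: (?P<stage>[A-Z]+) from (?P<host>[^\[\s]+)"
    r"\[(?P<ip>[^\]]+)\]: (?P<reply>.*)$"
)
ATTR = re.compile(r"\b(from|to|helo|proto)=<?([^>\s]*)>?")


def parse_rejects(text):
    """Return one dict per reject record: SMTP stage, client IP, envelope info."""
    out = []
    for line in text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue  # not a reject record, e.g. a plain "connect from" line
        # The name=value attributes follow the last "; " of the reply text.
        attrs = dict(ATTR.findall(m["reply"].rpartition("; ")[2]))
        out.append({
            "stage": m["stage"],
            "ip": m["ip"],
            "sender": attrs.get("from"),    # None when rejected before MAIL FROM
            "recipient": attrs.get("to"),   # None when rejected before RCPT TO
            "helo": attrs.get("helo"),
        })
    return out


def blind_rejects(rejects):
    """Count, per client IP, the rejects that were logged without a recipient."""
    return Counter(r["ip"] for r in rejects if r["recipient"] is None)


if __name__ == "__main__":
    records = parse_rejects(SAMPLE_LOG)
    for r in records:
        print(r["stage"], r["ip"], r["sender"], r["recipient"])
    print("rejects without recipient:", dict(blind_rejects(records)))
```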