Title: Re: postscreen_dnsbl_sites precedence
Saturday, March 12, 2022, 2:37:15 AM, Matt Saladna wrote:


Hello,
When specifying a range of responses to ignore in postscreen_dnsbl_sites it appears that if a weight is zero it is ignored in favor of a non-zero weight.
mail_version=3.5.9
mail_release_date = 20210117
postscreen_dnsbl_sites=zen.spamhaus.org=127.255.255.[252;254;255]*0 zen.spamhaus.org*2
This produces a result as follows,
Mar 11 10:22:37 epsilon postfix/postscreen[2766]: CONNECT from [38.107.100.92]:52538 to [64.22.68.41]:25
Mar 11 10:22:37 epsilon postfix/dnsblog[2767]: addr 38.107.100.92 listed by domain zen.spamhaus.org as 127.255.255.254
Mar 11 10:22:43 epsilon postfix/postscreen[2766]: DNSBL rank 2 for [38.107.100.92]:52538
Mar 11 10:22:43 epsilon postfix/tlsproxy[2775]: CONNECT from [38.107.100.92]:52538
Mar 11 10:22:43 epsilon postfix/postscreen[2766]: NOQUEUE: reject: RCPT from [38.107.100.92]:52538: 550 5.7.1 Service unavailable; client [38.107.100.92] blocked using zen.spamhaus.org; from=<x@y>, to=<a@b>, proto=ESMTP, helo=<p2-100092.mail.shape.com>
Mar 11 10:22:43 epsilon postfix/postscreen[2766]: DISCONNECT [38.107.100.92]:52538
Mar 11 10:22:43 epsilon postfix/tlsproxy[2775]: DISCONNECT [38.107.100.92]:52538
From the documentation,

- When one postscreen_dnsbl_sites entry produces multiple DNSBL responses, postscreen(8) applies the weight at most once.
Following this behavior, I would expect postscreen_dnsbl_sites to match once either left-to-right or from most specific to least specific if a DNSBL site is listed multiple times such that zen.spamhaus.org=127.255.255.1 has precedence over zen.spamhaus.org=127.255.255.[0..255] has precedence over zen.spamhaus.org.
- Matt


Should the 127.255.255.[0..255] return codes really be weighted
zero, given that they indicate an error? With .254 being use of
a public/open resolver:

https://www.spamhaus.org/faq/section/DNSBL%20Usage#200

--
Cheers,
Phil
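
Added example (not part of either message, and not Postfix's own code): a simplified Python model of how postscreen(8) totals DNSBL weights, consistent with the "DNSBL rank 2" log line quoted above. Each entry whose filter matches a reply adds its weight, so the `*0` entry contributes nothing while the unfiltered `*2` entry still counts; the `NARROWED` filter range and all function names are assumptions made for illustration.

```python
import re

# Setting quoted in the thread, and a narrowed alternative (assumed listing range;
# confirm the return codes against the DNSBL operator's documentation).
PAGE_CONFIG = "zen.spamhaus.org=127.255.255.[252;254;255]*0 zen.spamhaus.org*2"
NARROWED = "zen.spamhaus.org=127.0.0.[2..11]*2"

def parse_sites(value):
    """Split 'domain[=filter][*weight]' entries into (domain, filter, weight)."""
    entries = []
    for item in re.split(r"[,\s]+", value.strip()):
        m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", item)
        if not m:
            raise ValueError(f"bad entry: {item!r}")
        # Weight defaults to 1 when no '*weight' suffix is given.
        entries.append((m.group(1), m.group(2), int(m.group(3) or 1)))
    return entries

def octet_matches(pattern, octet):
    """Match one octet against 'N' or a bracket list such as '[252;254;255]' or '[2..11]'."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= octet <= int(hi or lo):
            return True
    return False

def reply_matches(flt, reply):
    """An entry without a filter matches any address the DNSBL returns."""
    if flt is None:
        return True
    # Tokenise the filter: bracket groups contain dots, so do not split on '.'.
    patterns = re.findall(r"\[[^\]]*\]|\d+", flt)
    octets = [int(o) for o in reply.split(".")]
    return len(patterns) == 4 and all(map(octet_matches, patterns, octets))

def dnsbl_score(sites, replies):
    """replies maps domain -> list of returned addresses.
    Every matching entry adds its weight, at most once per entry."""
    total = 0
    for domain, flt, weight in parse_sites(sites):
        if any(reply_matches(flt, r) for r in replies.get(domain, [])):
            total += weight
    return total

if __name__ == "__main__":
    error_reply = {"zen.spamhaus.org": ["127.255.255.254"]}  # reply from the log
    print(dnsbl_score(PAGE_CONFIG, error_reply), dnsbl_score(NARROWED, error_reply))
```

In this model the error reply only stops scoring when no unfiltered entry for the same domain is present.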
