On 2017-09-27 18:40 Reindl Harald wrote:
it's trivial, just give the primary MX the IP of the backup-MX as
alias and if you are at it enable "postscreen_dnsbl_sites" and
"postscreen_greet_action" - after that your smtpd process only faces
a few percent of all spam at all
I've read from http://www.postfix.org/POSTSCREEN_README.html#white_veto
and if I've understood well, this is what happens:
1) Postscreen should only be activated on the primary
2) When the primary MX is up it refuses to whitelist clients that
connect to a backup MX address only (so no more email comes from the
secondary MX)
3) When the primary is down the secondary becomes whitelisted and receives
email
4) When the primary MX comes back, the secondary sends queued email from
secondary to primary MX
Regarding the configuration:
OK
main.cf:
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_greet_wait = ${stress?2}${stress:10}s
postscreen_whitelist_interfaces = !<ip-of-backup-max>, static:all
My master.cf (the same on both servers):
smtp inet n - - - - smtpd
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
Should it be enough to uncomment "postscreen"?
smtp inet n - - - - smtpd
smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
master.cf:
smtp unix - - n - 50 smtp
smtpd pass - - n - 15 smtpd
smtp inet n - y - 1 postscreen
dnsblog unix - - y - 0 dnsblog
OK
main.cf:
postscreen_dnsbl_min_ttl = 30s
postscreen_dnsbl_max_ttl = 30s
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_sites =
    dnsbl.sorbs.net=127.0.0.10*9
[..]
many thanks Harald!
Davide
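
Added example, not part of the original thread and not Postfix code: a small Python lint for the master.cf layout the messages above discuss. It flags an "smtp inet" service claimed by both smtpd and postscreen, and missing "smtpd pass" / "dnsblog" entries. The function names and both sample files are constructed for illustration, and the dnsblog check assumes postscreen_dnsbl_sites is set as in the quoted main.cf.

```python
# Added example: lint master.cf text for the postscreen layout discussed above.
# Both samples are constructed from the entries quoted in the thread.
PROPOSED = """\
smtp inet n - - - - smtpd
smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
"""
WORKING = """\
smtp unix - - n - 50 smtp
smtpd pass - - n - 15 smtpd
smtp inet n - y - 1
  postscreen
dnsblog unix - - y - 0 dnsblog
"""

def parse_master(text):
    """Return (service, type, command) for each active master.cf entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()  # continuation of previous entry
        else:
            entries.append(line.strip())
    # Fields: service type private unpriv chroot wakeup maxproc command [args]
    return [(f[0], f[1], f[7]) for f in map(str.split, entries) if len(f) >= 8]

def check_postscreen(text):
    """Return the problems found in the postscreen layout (empty list if none)."""
    services = parse_master(text)
    on_smtp_port = [cmd for name, typ, cmd in services if (name, typ) == ("smtp", "inet")]
    if "postscreen" not in on_smtp_port:
        return ["no active 'smtp inet ... postscreen' entry"]
    problems = []
    if "smtpd" in on_smtp_port:
        problems.append("'smtp inet' is claimed by both smtpd and postscreen")
    # dnsblog is required here because the thread sets postscreen_dnsbl_sites.
    for needed in [("smtpd", "pass", "smtpd"), ("dnsblog", "unix", "dnsblog")]:
        if needed not in services:
            problems.append("missing '%s %s ... %s' entry" % needed)
    return problems

if __name__ == "__main__":
    for label, text in (("proposed", PROPOSED), ("working", WORKING)):
        print(label, check_postscreen(text) or "ok")
```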