Loading ...
Sorry, an error occurred while loading the content.

292522[feature request] Subzero postscreen/dnsblog score to bypass after-220 tests?

Expand Messages
  • /dev/rob0
    Apr 11, 2013
    • 0 Attachment
      I finally got around to my upgrade to 2.11-20130405 and was watching
      logs. A gmail message fell afoul of the after-220 tests; each time it
      came from a different host. Each one got a "PASS NEW" and of course
      the "450 4.3.2 Service currently unavailable" rejection.

      These gmail outbounds are all listed in list.dnswl.org as 127.0.5.1,
      and I give that a negative score in my postscreen_dnsbl_sites. So
      with no offsetting DNSBL scores, these hosts all got a subzero score.
      It would be nice if we could put those whitelist scores to work, and
      not have to maintain so big of a postscreen_access_list whitelist.

      This has been a common concern among the new postscreen users I have
      talked to. Gmail in particular is troublesome with after-220 because
      they never try the lower priority MX on the same host. The first
      attempt was at 03:00 UTC tonight, the last one (of 8) was 05:45, just
      a few minutes ago, and I still apparently haven't got all the gmail
      outbounds whitelisted. :(

      So here's my idea (I think the parameter names are lousy, but it's
      the best I could come up with this late at night):


      """
      postscreen_after_220_bypass_enable (default: no)

      Allow a remote SMTP client with a score less than or equal to
      postscreen_after_220_bypass_threshold based on its combined
      DNSBL score as defined with the postscreen_dnsbl_sites
      parameter, to bypass the after-220 tests, if enabled. Those
      tests include postscreen_bare_newline_enable,
      postscreen_non_smtp_command_enable, and
      postscreen_pipelining_enable.

      If enabled, this means that whitelisted hosts would get to
      talk directly to a real Postfix SMTP server, if all other
      pre-220 tests are passed. For examples, see the
      POSTSCREEN_README.

      This feature is available in Postfix 2.11.

      postscreen_after_220_bypass_threshold (default: -1)

      The inclusive upper bound for allowing a remote SMTP client,
      based on its combined DNSBL score as defined with the
      postscreen_dnsbl_sites parameter, to bypass the after-220
      tests, if those tests are enabled and the
      postscreen_after_220_bypass_enable parameter is "yes".

      This feature is available in Postfix 2.11.
      """

      For reference, my postscreen settings are online here:
      http://rob0.nodns4.us/postscreen.html
      (I'm planning to maintain that page as an example configuration.)

      Some questions remain: will the whitelist result give these hosts an
      entry in the after-220 databases? Or would the pre-220 DNSBL test be
      done every time?
      --
      http://rob0.nodns4.us/ -- system administration and consulting
      Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
    • Show all 9 messages in this topic