
293214 Re: Tweaking DNS timeouts

  • Wietse Venema
    May 17 1:45 PM
      /dev/rob0:
      >
      > I guess this says that postscreen_dnsbl_action fires at the end of
      > the greet pause when postscreen_dnsbl_threshold is met, but
      > postscreen_dnsbl_whitelist_threshold is not calculated. Here's the

      [begin background material]

      I misunderstood how postscreen works (I do not constantly stare
      at Postfix source code, having other things to work on that pay the
      bills).

      I thought that the whitelist will be applied only when DNS lookups
      complete *before* the pregreet timer expires. That is,

      - When some DNS lookup is taking too long, no DNS score is available.

      This is consistent with how postscreen whitelisting works for non-DNS
      tests. It applies the whitelist threshold only when DNS lookup
      completes before the pregreet timer expires.

      However, the bullet above is incorrect. When some DNS lookup takes
      too long, a DNS score is available, and the postscreen DNS blocking
      code uses that partial score.

      This is safe when there are only positive scores (if the partial
      client is already over the threshold then the client should be
      blocked even if some DNS results are not yet in).

      This is less safe when there may also be exculpatory evidence (in
      the form of DNSWL lookups). But, sites are usually not listed in
      both white and block lists.

      [end background material]

      I can change postscreen to also use partial scores for whitelisting
      of non-DNS tests, and thereby make whitelisting of non-DNS tests
      consistent with DNS-based blocking (that's one less WTF factor).
      This requires minor code duplication.

      Wietse
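The scoring behaviour discussed in this message, modelled as a small Python program. This is an added illustration written for this thread, not Postfix source code: the site names, weights and thresholds are constructed sample data that mirror the postscreen_dnsbl_sites / postscreen_dnsbl_threshold / postscreen_dnsbl_whitelist_threshold settings only in spirit. It shows why a block decided on a partial score is final when every outstanding lookup carries a positive weight, why a pending DNSWL reply (negative weight) makes that decision reversible, and what changes for whitelisting if partial scores are used there too.

```python
from typing import Dict, List, Optional, Tuple

# Constructed site weights, in the spirit of postscreen_dnsbl_sites:
# positive weights for block lists, a negative weight for a DNSWL.
# Domain names and weights are hypothetical sample data.
DNSBL_SITES: Dict[str, int] = {
    "bl.example": 2,
    "bl2.example": 1,
    "wl.example": -3,
}
DNSBL_THRESHOLD = 2             # block at or above this score (constructed)
DNSBL_WHITELIST_THRESHOLD = -1  # whitelist at or below this score (constructed)

# Per site: True (listed), False (not listed) or None (lookup still pending).
Replies = Dict[str, Optional[bool]]


def partial_score(replies: Replies) -> Tuple[int, bool, List[str]]:
    """Sum the weights of all sites that have answered 'listed'.

    Returns (score, complete, pending): the score so far, whether every
    site has answered, and the list of sites still outstanding.
    """
    score = 0
    pending: List[str] = []
    for site, weight in DNSBL_SITES.items():
        answer = replies.get(site)
        if answer is None:
            pending.append(site)
        elif answer:
            score += weight
    return score, not pending, pending


def block_is_final(replies: Replies) -> bool:
    """True when a block taken on the partial score cannot be reversed.

    If every outstanding site has a positive weight, late answers can
    only raise the score (the 'safe' case in the message).  An
    outstanding DNSWL could still pull the client under the threshold,
    which is the 'less safe' case.
    """
    _, _, pending = partial_score(replies)
    return all(DNSBL_SITES[site] > 0 for site in pending)


def decide(replies: Replies, whitelist_on_partial: bool) -> str:
    """Return 'block', 'whitelist', 'wait' or 'pass'.

    Blocking always uses the partial score, as described in the message.
    Whitelisting uses it only when whitelist_on_partial is True (the
    proposed change); otherwise it waits for all replies to arrive.
    """
    score, complete, _ = partial_score(replies)
    if score >= DNSBL_THRESHOLD:
        return "block"
    if score <= DNSBL_WHITELIST_THRESHOLD and (complete or whitelist_on_partial):
        return "whitelist"
    return "pass" if complete else "wait"


if __name__ == "__main__":
    # Block list hit, DNSWL still pending: blocked now, but the pending
    # exculpatory reply could have flipped the result.
    early = {"bl.example": True, "bl2.example": False, "wl.example": None}
    print(decide(early, False), block_is_final(early))        # block False
    late = dict(early, **{"wl.example": True})
    print(decide(late, False))                                # whitelist

    # DNSWL hit, one block list pending: the proposed change whitelists
    # on the partial score instead of waiting.
    wl = {"bl.example": False, "bl2.example": None, "wl.example": True}
    print(decide(wl, False), decide(wl, True))                # wait whitelist
```

The constructed inputs are the two situations the message contrasts: a block decided while a DNSWL answer is still outstanding (reversible, hence "less safe"), and a whitelist decision made before a block list has answered (the symmetry the proposed change introduces).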