On 17.08.2025 19:23, Bill Cole via Postfix-users wrote:
> On 2025-08-17 at 10:39:36 UTC-0400 (Sun, 17 Aug 2025 16:39:36 +0200)
> Peter Milesson via Postfix-users <[email protected]>
> is rumored to have said:
> [...]
>> My problem is, that there are some clients connecting at frequent
>> intervals (about 5 minutes) for days, or weeks on end. They display
>> non-standard behavior, and do not pass the pregreet test, so I drop
>> the connection on them.
>> Even if the pregreet test fails, and the connection is dropped, a
>> dnsblog lookup is performed, which is evident from the log excerpt. I
>> don't know if the DNSBL results are cached, or if dnsblog contacts
>> the DNSBL servers for each new client connection.
> DNS results are always cached. Postfix uses the system resolver, which
> knows how to make DNS queries and how to use the TTL values that come
> with every DNS answer. If you are using a local recursive caching
> resolver (e.g. Unbound, BIND, PDNS-Resolver) it keeps records for as
> long as the DNSBLs say they are valid.
>> If the pregreet test fails and the connection is dropped, getting
>> DNSBL results seems kind of pointless. If the DNSBL results are
>> cached, just a few CPU cycles are consumed. If the DNSBL servers are
>> contacted each time, it's a waste of resources (mostly for Spamhaus
>> and colleagues).
> Right. This is why local recursive caching resolvers (NOT forwarders
> like dnsmasq) have been a well-known best practice for mail systems
> for decades. DNS cache hits in the same machine are trivial and they
> are not much more expensive across a LAN, but they can be problematic
> if you are a 50ms RTT away from your resolver even if it's not the DNSBL
> authorities.
>> We probably don't by far come near the daily Spamhaus limit, but it
>> would still be interesting to know if the dnsblog lookups are
>> cached, or not.
> DNS is cached by DNS resolvers. How near that caching is to your
> Postfix instance is a question about your system configuration.
Hi Bill,
Thanks for the clarification.
It seems that I did not understand the concept completely. But it still
seems pointless to ask for data when the connection has already been
dropped. I understand that it's a developer's question if it's worth the
trouble to implement something, if it's assumed that other parts of the
setup are sufficiently capable to make the difference unimportant. If
the connection was dropped, you just waste the time of the local DNS
resolver. In my case, I guess I don't need to worry. DNS resolution
performance was never a problem, as local network and local DNS
performance is completely satisfactory for our load.
Best regards,
Peter
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
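Bill's point that DNSBL answers are cached by the local recursive resolver for as long as their TTL allows can be verified from the mail host itself. The following is an added example, not code from this thread or from Postfix: it parses `dig` output for two lookups of the same DNSBL name made a few seconds apart and reports whether the second was served from cache (TTL counted down) or fetched fresh, covering both a listed address (A answer) and the far more common unlisted one (NXDOMAIN, where the negative-cache TTL comes from the SOA record). The zone `dnsbl.example`, the sample outputs and the helper names are constructed placeholders, not real lookups.

```python
import re
import subprocess
import time
from collections import namedtuple

# One dig run reduced to: response status, the record type carrying the TTL
# (A when listed, SOA when NXDOMAIN), that TTL, and dig's query time in ms.
Lookup = namedtuple("Lookup", "status rtype ttl ms")
STATUS_RE = re.compile(r"status: (\w+)")
RECORD_RE = re.compile(r"^\S+\s+(\d+)\s+IN\s+(A|SOA)\s", re.M)
QTIME_RE = re.compile(r"^;; Query time: (\d+) msec", re.M)

def parse_dig(output):
    """Parse dig's text output; None if status, record or query time is missing."""
    s, r, q = STATUS_RE.search(output), RECORD_RE.search(output), QTIME_RE.search(output)
    if not (s and r and q):
        return None
    return Lookup(s.group(1), r.group(2), int(r.group(1)), int(q.group(1)))

def cache_verdict(first, second):
    """Two lookups of one name a few seconds apart: a caching resolver returns
    the record with its TTL counted down; a fresh upstream query restarts it."""
    if first is None or second is None:
        return "unknown"
    if second.ttl < first.ttl:
        return "cached"
    if second.ttl > first.ttl:
        return "fresh"
    return "ambiguous"  # equal TTL: same-second queries, or a fresh lookup

def check_resolver(name, server="127.0.0.1", gap=2):
    """Query `server` twice with dig (must be installed) and judge its cache."""
    cmd = ["dig", "@" + server, name, "A"]
    first = parse_dig(subprocess.run(cmd, capture_output=True, text=True).stdout)
    time.sleep(gap)
    second = parse_dig(subprocess.run(cmd, capture_output=True, text=True).stdout)
    return first, second, cache_verdict(first, second)

# Constructed dig output (not real lookups) under a placeholder DNSBL zone:
# a listed address queried twice, then an unlisted one (NXDOMAIN) twice.
LISTED = [""";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: %d
;; ANSWER SECTION:
2.0.0.127.dnsbl.example.\t%d\tIN\tA\t127.0.0.2
;; Query time: %d msec
""" % v for v in ((1, 300, 46), (2, 298, 0))]
UNLISTED = [""";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: %d
;; AUTHORITY SECTION:
dnsbl.example.\t%d\tIN\tSOA\tns.dnsbl.example. root.dnsbl.example. 1 3600 600 86400 150
;; Query time: %d msec
""" % v for v in ((3, 150, 52), (4, 148, 0))]
```

On a real host, `check_resolver("<reversed-ip>.<your-dnsbl-zone>")` runs the two queries against the resolver Postfix uses; a "fresh" verdict on a name queried seconds earlier means the resolver in front of dnsblog is not caching.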