Sahil Tandon put forth on 9/13/2010 8:31 PM:
> On Mon, 2010-09-13 at 19:20:05 -0400, Matt Hayes wrote:
>> I've not had to use anything involving a DNSBL and a password before
>> so just curious what I'm missing.
>
> That is probably because you do not pay for a DNSBL datafeed. :) In such
> cases, the DNSBL domain name includes a secret key; dnsbl_reply_maps
> prevent disclosure of that key to SMTP clients.

For example:

http://www.spamhaus.org/datafeed/

"The Spamhaus DNSBL Datafeed is a service for users with professional DNSBL query requirements, such as corporate networks and ISPs. It offers both a Query service and an Rsync service (you can choose)."

The paid "Query" service mentioned above requires the Postfix feature you are asking about. It's an authentication mechanism.

The Rsync service allows downloading the entire Spamhaus databases multiple times a day and hosting them on a local dns server or via an rbldnsd daemon on each MX. The latter is suitable for those such as big ISPs with massive mail flows, who cannot afford the latency of over the wire network based dnsbl queries.

A remote dnsbl query can take anywhere from 20-200 milliseconds (or more) depending on number of hops and network conditions. A query to a local network dns server can take less than 1ms. A query to an rbldnsd daemon residing on the MX MTA host itself can occur in a few microseconds, as it is an interprocess communication occurring at the speed of system memory. This is the preferred method for some of the world's busiest MTAs. All this performance comes at a cost: the rbldnsd method requires multiple gigabytes of system memory for the Spamhaus zone files alone.

--
Stan
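The key-hiding setup discussed in this thread, sketched as an added configuration example that is not part of the original messages. It uses the parameter names documented in postconf(5), `rbl_reply_maps` for smtpd and `postscreen_dnsbl_reply_map` for postscreen, rather than the name quoted above; the zone names, the key placeholder and the file paths are constructed assumptions.

```conf
# Constructed placeholders (assumptions, not from the thread):
#   SECRETKEY.dnsbl.example.com  queried zone, datafeed key as first label
#   dnsbl.example.com            public name that is safe to show clients
#   /etc/postfix/rbl_reply, /etc/postfix/dnsbl_reply  map file locations

# ---- /etc/postfix/main.cf ----
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client SECRETKEY.dnsbl.example.com

# Weak: with only the lines above, smtpd builds the reject text from
# default_rbl_reply, which expands $rbl_domain to the queried zone, so the
# rejected client is shown SECRETKEY.dnsbl.example.com.

# Corrected: per-zone reply template, looked up by the queried zone name.
rbl_reply_maps = texthash:/etc/postfix/rbl_reply

# Same key, second disclosure path: postscreen also names the zone it
# queried when it rejects, unless a reply map substitutes the public name.
postscreen_dnsbl_sites = SECRETKEY.dnsbl.example.com
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply

# ---- /etc/postfix/rbl_reply ----
# queried zone                  reply template (default wording, public name hard-coded)
SECRETKEY.dnsbl.example.com     $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using dnsbl.example.com${rbl_reason?; $rbl_reason}

# ---- /etc/postfix/dnsbl_reply ----
# queried zone                  name postscreen puts in its reply
SECRETKEY.dnsbl.example.com     dnsbl.example.com
```

After `postfix reload`, read the 5xx text returned to a listed test client: it should name dnsbl.example.com and never the keyed zone.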