On 02/10/2011 04:59 PM, Wietse Venema wrote:
> Craig Waddington:
> > Hi,
> >
> > I am trying out the postscreen server - and am very impressed so far. My
> > original interest was in greylisting - so I have the deep protocol tests
> > turned on so that the temporary failure code 45x is returned for
> > non-whitelisted clients.
> >
> > During my testing - I noticed that the small trickle of spam that still
> > makes it past postscreen reattempts immediately after a 45x with no
> > delay, whereas genuine mail will wait at least a few minutes before
> > reattempting after a 45x.
> >
> > So - my question - do we know if it will be possible to enforce a delay
> > after the 45x before a reconnect is accepted? I have seen references to
> > a postcreen_greylist_threshold parameter in a postscreen strawman
> > document, and am wondering whether this, or some other configuration
> > will allow the exclusion of clients who respond instantly to a 45x?
> To greylist, see: http://www.postfix.org/SMTPD_POLICY_README.html
>
> On the other hand, making the "PASS NEW" event a trigger for a
> penalty time should require little new code. I added support for
> "penalty time" late last year but it is currently unused for lack
> of a "trigger" mechanism. Penalty time means the client gets 4xx
> replies until the penalty time expires.
>
> Penalty time after "PASS NEW" is a relatively crude mechanism
> compared to real greylisting, but it might do the job.

If the penalty response is also a 4xx, it sounds to me exactly the same as that aspect of greylisting - except that greylisting can choose to permanently whitelist clients that passed.

In fact, since the RFC says that clients MUST wait before retrying after a 4xx response, wouldn't postscreen be warranted to send a 5xx if it doesn't wait?

OTOH, if the suspected spam client ignores the RFC for 4xx responses, I guess it would be naive to expect it to obey the 5xx response; it could just retry and retry and consume resources until something stops it.


--
J.
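The behaviour discussed in this thread (temp-fail a new client, and turn an immediate retry after the 45x into a "penalty time" during which the client keeps getting 4xx), modelled as a small added example. This is illustrative code written for this page, not Postfix or postscreen code; the table layout, the 300 s greylist delay, the 600 s penalty and the sample client addresses are all assumptions.

```python
# Toy greylist with a "penalty time" trigger (added example, not Postfix code).
# first_seen[client]     = time of the client's first connection (the "PASS NEW" event)
# penalty_until[client]  = time until which the client keeps receiving 4xx replies
GREYLIST_DELAY = 300   # assumed: seconds a new client must wait before retrying
PENALTY_TIME = 600     # assumed: extra 4xx window for clients that retry too early


class Greylist:
    def __init__(self, delay=GREYLIST_DELAY, penalty=PENALTY_TIME):
        self.delay = delay
        self.penalty = penalty
        self.first_seen = {}
        self.penalty_until = {}
        self.whitelist = set()

    def check(self, client, now):
        """Return the SMTP reply code for a connection from `client` at time `now`."""
        if client in self.whitelist:
            return 250
        until = self.penalty_until.get(client)
        if until is not None and now < until:
            return 450                       # penalty still running: keep deferring
        first = self.first_seen.get(client)
        if first is None:
            self.first_seen[client] = now    # "PASS NEW": temp-fail, come back later
            return 450
        if now - first < self.delay:
            # Retried before the greylist delay elapsed, i.e. did not honour the 4xx.
            # Start penalty time instead of just repeating the 450.
            self.penalty_until[client] = now + self.penalty
            return 450
        self.whitelist.add(client)           # waited like a real MTA: pass it
        return 250


def simulate(events, greylist=None):
    """Replay (client, timestamp) connection events; return the reply for each."""
    gl = greylist or Greylist()
    return [(client, t, gl.check(client, t)) for client, t in events]


if __name__ == "__main__":
    # Constructed events: a bot hammering after the 45x, and a patient MTA.
    events = [("198.51.100.7", 0), ("198.51.100.7", 1), ("198.51.100.7", 400),
              ("198.51.100.7", 700), ("203.0.113.5", 0), ("203.0.113.5", 900)]
    for client, t, code in simulate(events):
        print(f"t={t:4d} {client:15s} -> {code}")
```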
