The postconf(5) manual entry for postscreen_whitelist_interfaces
includes this text:

"When postscreen(8) listens on both primary and backup MX addresses,
the postscreen_whitelist_interfaces parameter can be used to disable
whitelisting on backup MX addresses. With this configuration,
postscreen(8) denies whitelisting status to clients that connect only
to backup MX addresses, and prevents them from talking to a Postfix
SMTP server process."

The word "only" in there implies that the WHITELIST VETO does not
occur if the host had already passed the after-220 tests on the
primary MX IP address (that is, the addresses not excluded from
postscreen_whitelist_interfaces).

It's making sense now, but I'm going to go ahead and post this for
confirmation. The client is already whitelisted by having hit the
regular IP address, so we'll accept mail from it on the excluded
address[es]. Right? WHITELIST VETO only applies to hosts which are
not already in the whitelist.

This feature discussion came up when Wietse figured out the way to
avoid the "greylisting" pain of the after-220 tests. Can this be
added to the POSTSCREEN_README?
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header