The postconf(5) manual entry for postscreen_whitelist_interfaces includes this text:

"When postscreen(8) listens on both primary and backup MX addresses, the postscreen_whitelist_interfaces parameter can be used to disable whitelisting on backup MX addresses. With this configuration, postscreen(8) denies whitelisting status to clients that connect only to backup MX addresses, and prevents them from talking to a Postfix SMTP server process."

The word "only" in there implies that the WHITELIST VETO does not occur if the host had already passed the after-220 tests on the primary MX IP address (that is, the addresses not excluded from postscreen_whitelist_interfaces).

It's making sense now, but I'm going to go ahead and post this for confirmation. The client is already whitelisted by having hit the regular IP address, so we'll accept mail from it on the excluded address[es]. Right? WHITELIST VETO only applies to hosts which are not already in the whitelist.

This feature discussion came up when Wietse figured out the way to avoid the "greylisting" pain of the after-220 tests. Can this be added to the POSTSCREEN_README?

--
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header