On 27 Apr 2012, at 16:55, kar...@mailcan.com wrote:

> In the end it's getting blocked, and that's what I want.  But, if I
> understand how this works, every one of those rejects is a DNS check to
> spamhaus, and some postfix load on my server.
>
> Can I somehow configure to be more efficient about this? Maybe somehow
> cache the rejected IP for 15mins or something?

The info will already be cached at your local DNS server. So you've already got this check about as efficient as it could possibly be. DNS lookups for info a name server already holds are pretty much the fastest and most lightweight operations possible.

When postfix checks an IP address in Spamhaus's RBL, it sends a DNS lookup to your local name server which in turn queries one of the Spamhaus name servers. Your local name server will remember that answer for a while. [A positive entry in the Spamhaus RBL -- "this address is a spam source" -- is cached by your name server for 15 minutes. A negative one -- "this address is not a spam source" -- is cached for 2.5 minutes. Spamhaus decide these TTL (time to live) values, not you.] So when postfix gets a second connection from the same IP address, it does a local DNS lookup, the local name server gets a cache hit and returns that answer without having first to query the Spamhaus name servers again.

When the data expires from the local name server's cache, it will of course have to query the Spamhaus name servers. There are interesting trade-offs here. Longer TTLs can mean more frequent hits in the local name server's cache because the data live there for longer. OTOH, this could mean stale data gets to stay in the cache for too long: ie the local name server's remembering a "good" IP address that has just gone bad or vice versa.

> I'll first ask how to do this without postscreen.

postscreen is not the answer anyway. This is likely to be far, far more expensive than a DNS lookup. So don't do that. :-)

My advice is to leave this alone. It's already working at maximum efficiency pretty much straight out of the box and there are no meaningful postfix (or DNS) configuration tweaks which could make things even faster.
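To make the caching argument above concrete, here is an added example (not code from the thread or from postfix): a small model of a local caching name server in front of a DNSBL. The TTLs are the ones the reply quotes (15 minutes for a listed answer, 2.5 minutes for a not-listed one); the zone name `dnsbl.example`, the listed/unlisted IPs and the connection pattern are constructed for the illustration.

```python
from dataclasses import dataclass, field

POSITIVE_TTL = 15 * 60   # "listed" answers, as the reply states (15 minutes)
NEGATIVE_TTL = 150       # "not listed" answers (2.5 minutes)

def dnsbl_name(ip: str, zone: str = "dnsbl.example") -> str:
    """Query name for a DNSBL check: IP octets reversed, under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

@dataclass
class CachingResolver:
    """Local name server: answers from cache while the TTL is valid, else upstream."""
    upstream_listed: set            # constructed 'Spamhaus' data: IPs currently listed
    upstream_queries: int = 0       # how often we really had to ask the list's servers
    cache: dict = field(default_factory=dict)   # name -> (listed, expires_at)

    def is_listed(self, ip: str, now: float) -> bool:
        name = dnsbl_name(ip)
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            return entry[0]                        # cache hit: no upstream traffic
        self.upstream_queries += 1                 # miss or expired: ask upstream
        listed = ip in self.upstream_listed
        ttl = POSITIVE_TTL if listed else NEGATIVE_TTL
        self.cache[name] = (listed, now + ttl)
        return listed

def run_connections(resolver: CachingResolver, ip: str, every: int, duration: int):
    """One client reconnecting every `every` seconds for `duration` seconds.
    Returns (number of rejects, upstream queries this burst caused)."""
    before = resolver.upstream_queries
    rejects = sum(resolver.is_listed(ip, t) for t in range(0, duration + 1, every))
    return rejects, resolver.upstream_queries - before

if __name__ == "__main__":
    r = CachingResolver(upstream_listed={"192.0.2.10"})   # RFC 5737 test addresses
    # a listed host hammering every 30 s for 20 minutes: 41 rejects, only 2 upstream lookups
    print(run_connections(r, "192.0.2.10", every=30, duration=1200))
    # a clean host doing the same: 0 rejects, 9 upstream lookups (shorter negative TTL)
    print(run_connections(r, "198.51.100.7", every=30, duration=1200))
```

The flip side of the shorter negative TTL is the staleness the reply mentions: a host that gets listed right after a "not listed" answer keeps being accepted until that cached negative expires.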
