On 12/11/2014 15:53, Wietse Venema wrote:
Birta Levente:
Just curiosity: it's not unwanted to check postscreen_dnsbl for an IP
which is blacklisted in postscreen_access_list?
Note: don't use no double negatives.
Wietse:
That would be a waste of Postfix resources. It would make Postfix less
resistant against abuse from a known-bad netblock.
Birta Levente:
I'm sorry... not sure if I understand: would it be a waste of resources to not
check dnsbl even if it is already blacklisted?
In fact, the action is configurable.
postscreen_blacklist_action (default: ignore)
    The action that postscreen(8) takes when a remote SMTP client is
    permanently blacklisted with the postscreen_access_list parameter.
    Specify one of the following:

    ignore (default)
        Ignore this result. Allow other tests to complete. Repeat this
        test the next time the client connects. This option is useful
        for testing and collecting statistics without blocking mail.

    enforce
        Allow other tests to complete. Reject attempts to deliver mail
        with a 550 SMTP reply, and log the helo/sender/recipient
        information. Repeat this test the next time the client connects.

    drop
        Drop the connection immediately with a 521 SMTP reply. Repeat
        this test the next time the client connects.
For maximal resistance use "drop". To learn what mail is blocked,
use "enforce".
Wietse
Many thanks!
--
Levi
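
Added example, not part of the original thread or of Postfix: a small log summarizer for the "enforce" case above, listing the helo/sender/recipient of mail rejected for clients that matched postscreen_access_list. The log lines are constructed, and their shape (BLACKLISTED, NOQUEUE: reject, DISCONNECT) is an assumption about postscreen's logging that should be checked against your own maillog.

```python
import re

# Constructed sample lines (documentation addresses); the line shapes are an
# assumption about postscreen(8) logging with postscreen_blacklist_action = enforce.
SAMPLE_LOG = """\
Nov 12 16:01:02 mx postfix/postscreen[2101]: CONNECT from [192.0.2.10]:40112 to [198.51.100.5]:25
Nov 12 16:01:02 mx postfix/postscreen[2101]: BLACKLISTED [192.0.2.10]:40112
Nov 12 16:01:03 mx postfix/postscreen[2101]: NOQUEUE: reject: RCPT from [192.0.2.10]:40112: 550 5.3.2 Service currently unavailable; from=<a@example.net>, to=<user@example.com>, proto=ESMTP, helo=<bad.example.net>
Nov 12 16:01:03 mx postfix/postscreen[2101]: DISCONNECT [192.0.2.10]:40112
Nov 12 16:01:40 mx postfix/postscreen[2101]: CONNECT from [192.0.2.44]:50990 to [198.51.100.5]:25
Nov 12 16:01:40 mx postfix/postscreen[2101]: BLACKLISTED [192.0.2.44]:50990
Nov 12 16:01:41 mx postfix/postscreen[2101]: DISCONNECT [192.0.2.44]:50990
Nov 12 16:02:10 mx postfix/postscreen[2101]: CONNECT from [203.0.113.9]:33010 to [198.51.100.5]:25
Nov 12 16:02:10 mx postfix/postscreen[2101]: DNSBL rank 3 for [203.0.113.9]:33010
Nov 12 16:02:11 mx postfix/postscreen[2101]: NOQUEUE: reject: RCPT from [203.0.113.9]:33010: 550 5.7.1 Service unavailable; client [203.0.113.9] blocked using dnsbl.example.org; from=<b@example.net>, to=<user@example.com>, proto=ESMTP, helo=<other.example.net>
Nov 12 16:02:11 mx postfix/postscreen[2101]: DISCONNECT [203.0.113.9]:33010
"""

CLIENT = r"\[([^\]]+)\]:(\d+)"
BLACKLISTED = re.compile(r"postscreen\[\d+\]: BLACKLISTED " + CLIENT)
DISCONNECT = re.compile(r"postscreen\[\d+\]: DISCONNECT " + CLIENT)
REJECT = re.compile(
    r"postscreen\[\d+\]: NOQUEUE: reject: RCPT from " + CLIENT +
    r": \d{3} .*?; from=<([^>]*)>, to=<([^>]*)>, proto=[^,]+, helo=<([^>]*)>")

def blocked_by_access_list(log_text):
    """Map client IP -> [(sender, recipient, helo), ...] for sessions that
    postscreen logged as BLACKLISTED. Rejects for other reasons (for
    example a DNSBL hit) are left out."""
    listed = set()   # (ip, port) of sessions flagged by the access list
    blocked = {}
    for line in log_text.splitlines():
        if m := BLACKLISTED.search(line):
            listed.add(m.groups())
            blocked.setdefault(m.group(1), [])  # keep clients that never reach RCPT
        elif m := REJECT.search(line):
            ip, port, sender, rcpt, helo = m.groups()
            if (ip, port) in listed:
                blocked[ip].append((sender, rcpt, helo))
        elif m := DISCONNECT.search(line):
            listed.discard(m.groups())          # the port may be reused later
    return blocked

if __name__ == "__main__":
    for ip, attempts in blocked_by_access_list(SAMPLE_LOG).items():
        print(ip, attempts or "no RCPT seen")
```

With "drop" there is no RCPT stage, so a summary like this would show the client addresses only.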