>I would avoid unduly short postscreen cache times, that can lead to
>legitimate clients not getting through at all.

On Fri, Dec 13, 2019 at 05:40:33PM +0100, Matus UHLAR - fantomas wrote:
I'm not sure if that would help. Apparently, both postscreen and smtpd will
use the same nameserver for dnsbl lookup, and if it's cached from previous
postscreen lookup, it will probably give the same result.

On 13.12.19 16:19, Viktor Dukhovni wrote:
The negative TTLs on SpamHaus RBL replies are not very long:

   zen.spamhaus.org. 10 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1912132118 3600 600 432000 10

presently just 10 seconds.

the time difference between postscreen blacklist check and smtpd blacklist
check should be lower than 10 seconds.

yes, with postscreen_dnsbl_min_ttl there's another ~50 seconds where
postscreen passes the IP while smtpd would blacklist it.

However, I consider postscreen's weighted black/whitelisting more safe
than whitelisting/blacklisting at smtpd level

maybe unless there's exactly one whitelist and one blacklist used.


of course, I'm willing to learn if there's something I have missed
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take
to take effect. [OK]
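
The timing discussed in this message, as an added example that is not part of the original thread: it parses the SOA line quoted above, derives the negative-cache TTL per RFC 2308, and computes the interval in which postscreen still passes a client from its cache while a fresh smtpd DNSBL lookup would already see a listing. The `min_ttl=60` and `max_ttl=3600` values are assumed postscreen_dnsbl_min_ttl / postscreen_dnsbl_max_ttl settings, and `listed_at` is a hypothetical parameter.

```python
# SOA line as quoted in the thread (negative reply from zen.spamhaus.org).
SOA_LINE = ("zen.spamhaus.org. 10 IN SOA need.to.know.only. "
            "hostmaster.spamhaus.org. 1912132118 3600 600 432000 10")


def negative_ttl(soa_line):
    """RFC 2308: negative-cache TTL = min(SOA record TTL, SOA MINIMUM field)."""
    f = soa_line.split()
    if len(f) != 11 or f[2].upper() != "IN" or f[3].upper() != "SOA":
        raise ValueError("expected a one-line SOA record")
    record_ttl, minimum = int(f[1]), int(f[10])
    return min(record_ttl, minimum)


def postscreen_ttl(reply_ttl, min_ttl, max_ttl):
    """Clamp the DNS reply TTL into [min_ttl, max_ttl] (assumed settings)."""
    return max(min_ttl, min(reply_ttl, max_ttl))


def disagreement_window(soa_line, min_ttl=60, max_ttl=3600, listed_at=0):
    """Seconds after a 'not listed' lookup at t=0 during which postscreen
    passes the client from cache but smtpd would reject it.

    listed_at: hypothetical moment (seconds) the IP appears on the DNSBL.
    Returns (start, end) or None when the two never disagree.
    """
    neg = negative_ttl(soa_line)
    # The shared resolver serves the cached negative answer until `neg`;
    # after that smtpd gets a fresh answer and sees the listing if present.
    smtpd_sees_listing_from = max(neg, listed_at)
    # postscreen keeps trusting its own cached result until this time.
    postscreen_passes_until = postscreen_ttl(neg, min_ttl, max_ttl)
    if smtpd_sees_listing_from >= postscreen_passes_until:
        return None
    return (smtpd_sees_listing_from, postscreen_passes_until)


if __name__ == "__main__":
    print("negative TTL:", negative_ttl(SOA_LINE))
    for min_ttl in (5, 60, 300):
        print("min_ttl", min_ttl, "->", disagreement_window(SOA_LINE, min_ttl))
```
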
