My guess is that the 5.2-second null connections are significant. I suspect that you can fix this without significantly damaging the effect of the postscreen PREGREET test by reducing the wait time to never exceed that 5.2 seconds, e.g.:

 postconf -e 'postscreen_greet_wait = ${stress?{2}:{4}}s'

That will probably reduce your overall PREGREET rejections by <1% but IF that is the cause of the null sessions from Briteverify, it should fix them.

I've pulled back the postscreen delay per your suggestion and will test that.


Results of testing:

4s, no difference in end result, but different log entries:

May 23 09:41:55 emp87 postfix/postscreen[982010]: CONNECT from [107.20.237.69]:57014 to [192.168.1.230]:25
May 23 09:41:55 emp87 postfix/dnsblog[982012]: addr 107.20.237.69 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
May 23 09:41:59 emp87 postfix/postscreen[982010]: PASS NEW [107.20.237.69]:57014
May 23 09:42:00 emp87 postfix/smtpd[982879]: connect from smtpout11.briteverify.com[107.20.237.69]
May 23 09:42:00 emp87 postfix/smtpd[982879]: lost connection after CONNECT from smtpout11.briteverify.com[107.20.237.69]
May 23 09:42:00 emp87 postfix/smtpd[982879]: disconnect from smtpout11.briteverify.com[107.20.237.69] commands=0/0

I thought "Hmm, that's interesting", dropped back to 6s... and got the same reduced set of connection attempts.

May 23 09:43:24 emp87 postfix/postscreen[985482]: CONNECT from [107.20.232.98]:60420 to [192.168.1.230]:25
May 23 09:43:25 emp87 postfix/dnsblog[985496]: addr 107.20.232.98 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
May 23 09:43:30 emp87 postfix/postscreen[985482]: PASS OLD [107.20.232.98]:60420
May 23 09:43:30 emp87 postfix/smtpd[985542]: connect from smtpout9.briteverify.com[107.20.232.98]
May 23 09:43:30 emp87 postfix/smtpd[985542]: lost connection after CONNECT from smtpout9.briteverify.com[107.20.232.98]
May 23 09:43:30 emp87 postfix/smtpd[985542]: disconnect from smtpout9.briteverify.com[107.20.232.98] commands=0/0

So same config as yesterday, but a different set of attempts.

Then I dropped to 3 seconds, and the validation passes:

May 23 09:44:44 emp87 postfix/postscreen[985956]: CONNECT from [107.20.223.96]:57264 to [192.168.1.230]:25
May 23 09:44:44 emp87 postfix/dnsblog[985976]: addr 107.20.223.96 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
May 23 09:44:47 emp87 postfix/postscreen[985956]: PASS NEW [107.20.223.96]:57264
May 23 09:44:47 emp87 postfix/smtpd[985992]: connect from smtpout45.briteverify.com[107.20.223.96]
May 23 09:44:50 emp87 policyd-spf[986011]: prepend Authentication-Results: mail.simonandkate.net; spf=pass (mailfrom) smtp.mailfrom=origindata.com (client-ip=107.20.223.96; helo=smtpout.briteverify.com; envelope-from=ad...@origindata.com; receiver=si...@simonandkate.net)
May 23 09:44:50 emp87 postfix/smtpd[985992]: 1253660BA: client=smtpout45.briteverify.com[107.20.223.96]
May 23 09:44:50 emp87 postfix/smtpd[985992]: disconnect from smtpout45.briteverify.com[107.20.223.96] helo=1 mail=1 rcpt=1 quit=1 commands=4

So it looks like they are failing on delay - which is completely stupid. Posting the results back here in case anyone else ever wonders about the cowboys at briteverify.

I'm assuming a 50% reduction in postscreen delay may have an unwanted impact on inbound spam :(

I'll see how it goes.

Thanks again Bill.

Simon

--
Simon Wilson
M: 0400 12 11 16
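
The correlation done by eye in the tests above, as an added example that is not part of the original message: it pairs each postscreen CONNECT/PASS with the following smtpd disconnect and reports how long the client was held and whether it then issued any SMTP commands. The sample log, its addresses and hostnames, the assumed year and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the format of the entries quoted above; addresses and
# hostnames are documentation placeholders, timings mirror the 4s/6s/3s tests.
SAMPLE = """\
May 23 09:41:55 mx postfix/postscreen[101]: CONNECT from [192.0.2.10]:57014 to [198.51.100.1]:25
May 23 09:41:59 mx postfix/postscreen[101]: PASS NEW [192.0.2.10]:57014
May 23 09:42:00 mx postfix/smtpd[102]: disconnect from out1.example[192.0.2.10] commands=0/0
May 23 09:43:24 mx postfix/postscreen[103]: CONNECT from [192.0.2.11]:60420 to [198.51.100.1]:25
May 23 09:43:30 mx postfix/postscreen[103]: PASS OLD [192.0.2.11]:60420
May 23 09:43:30 mx postfix/smtpd[104]: disconnect from out2.example[192.0.2.11] commands=0/0
May 23 09:44:44 mx postfix/postscreen[105]: CONNECT from [192.0.2.12]:57264 to [198.51.100.1]:25
May 23 09:44:47 mx postfix/postscreen[105]: PASS NEW [192.0.2.12]:57264
May 23 09:44:50 mx postfix/smtpd[106]: disconnect from out3.example[192.0.2.12] helo=1 mail=1 rcpt=1 quit=1 commands=4
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix/(\w+)\[\d+\]: (.*)$")
CLIENT = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # first bracketed IPv4 = client

def correlate(log_text, year=2000):
    """Map client IP -> (postscreen wait in seconds, 'null' or 'spoke')."""
    start, result = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        ip = CLIENT.search(raw)
        if not (m and ip):
            continue
        stamp, daemon, msg = m.groups()
        # Syslog stamps carry no year; one is assumed so strptime is unambiguous.
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        ip = ip.group(1)
        if daemon == "postscreen" and msg.startswith("CONNECT from"):
            start[ip] = ts
        elif daemon == "postscreen" and msg.startswith("PASS ") and ip in start:
            result[ip] = [(ts - start[ip]).total_seconds(), "unknown"]
        elif daemon == "smtpd" and msg.startswith("disconnect from") and ip in result:
            result[ip][1] = "null" if "commands=0/0" in msg else "spoke"
    return {ip: tuple(v) for ip, v in result.items()}

def longest_tolerated_wait(sessions):
    """Largest wait after which the client still issued SMTP commands."""
    waits = [w for w, outcome in sessions.values() if outcome == "spoke"]
    return max(waits) if waits else None

if __name__ == "__main__":
    for ip, (wait, outcome) in correlate(SAMPLE).items():
        print(f"{ip} waited {wait:.0f}s -> {outcome}")
```
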
