[pfx] Re: BUG: Postfix deals badly with corrected-typo in aliases :(

Fri, 25 Aug 2023 19:30:30 -0700 

On Fri, Aug 25, 2023 at 08:07:01PM -0600, Pete Holzmann via Postfix-users wrote:

> SUMMARY
> 
> * Scenario/repeatability: 
>    - See www.postfix.org/ADDRESS_VERIFICATION_README.html#caching
>    - Since Postfix 2.7, there's a persistent verification database.

Actually, there isn't, or, more precisely, it isn't actually used by
default.  You have to choose to enable recipient verification, and if
you do, you have read the fine documentation on address verification,
including the documentation on the cache TTLs in:

    http://www.postfix.org/verify.8.html

which is referenced from, e.g.

    http://www.postfix.org/ADDRESS_VERIFICATION_README.html#dirty_secret

and various other sections.

>    - By default, all failed probes (even of local/aliases) expire after 
>    three days.

As documented, but there should also be a background refresh every 3
hours, so that the second try 3h after correcting the problem, will
succeed:

    address_verify_negative_expire_time = 3d
    address_verify_negative_refresh_time = 3h
    address_verify_positive_expire_time = 31d
    address_verify_positive_refresh_time = 7d

>    - Workaround: postfix stop; rm $data_directory/verify_cache.db; 
>    postfix start

Tune the settings to your needs.  There's no need to remove the
database.  That also wipes your positive cache results.

>    - This is a very non-intuitive implementation, and very difficult for 
>    an average admin to diagnose: no information points to the 
>    verification cache.

Only if you haven't read the documentation.

>    - Having examined the (verify.c) code, I realize a 'nice' solution 
>    (clear cache of local address entries after newaliases) isn't that 
>    simple. Someone with more experience can likely design a proper fix.

Reading the code is not necessary.  Just the documentation is
sufficient.

> * Suggestions
>    - At the very least, this needs to be highlighted in documentation 
>    for newaliases etc

No, newaliases have nothing to do with this.  This is entirely material
for ADDRESS_VERIFICATION_README and verify(8), but perhaps the timer
parameters could be also mentioned prominently in the README file.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

Reply via email to