Re: Avoiding RBL checks upon graylisted mails

From: Listaccount (lst_hoe01kwsoft.de)
Date: Fri Oct 26 2007 - 08:17:23 CDT


Quoting Wietse Venema <wietseporcupine.org>:

> Zoltan Balogh:
>> Hello Everybody,
>>
>> on my Postfix I am using both Graylisting (using a Policy daemon) and
>> RBL checks. This is a snap from my config:
>> smtpd_recipient_restrictions =
>> permit_mynetworks,
>> permit_sasl_authenticated,
>> reject_unauth_destination,
>> check_policy_service inet:127.0.0.1:10031,
>> reject_rbl_client bl.spamcop.net,
>> reject_rbl_client cbl.abuseat.org,
>> reject_rbl_client zen.spamhaus.org
>>
>> My concern is that even when an email is graylisted (i.e.
>> "graylist=new"), it is passed to RBL checks. I assume this generates
>> many unnecessary DNS requests = unnecessary server load. What should I
>> do to avoid RBL checks upon graylisted emails?
>
> See: http://www.postfix.org/postconf.5.html#defer_if_permit
>
>> Here is an example of an RBL-blocked email already graylisted by a
>> Policy daemon:
>>
>> Oct 24 18:37:04 ns2 postfix/smtpd[21323]: connect from
>> unknown[201.240.250.45]
>> Oct 24 18:37:05 ns2 policyd: rcpt=163267, greylist=new,
>> host=201.240.250.45 (unknown), from=bubba-hadiapovda.com,
>> to=3dtkac-sadosomedomain.com, size=1713
>> Oct 24 18:37:05 ns2 postfix/smtpd[21323]: NOQUEUE: reject: RCPT from
>> unknown[201.240.250.45]: 554 5.7.1 Service unavailable; Client host
>> [201.240.250.45] blocked using cbl.abuseat.org; Blocked - see
>> http://cbl.abuseat.org/lookup.cgi?ip=201.240.250.45;
>> from=<Bubba-hadiapovda.com> to=<3dtkac-sadometamax.sk> proto=ESMTP
>> helo=<client-201.240.250.45.speedy.net.pe>
>> Oct 24 18:37:05 ns2 postfix/smtpd[21323]: disconnect from
>> unknown[201.240.250.45]
>
> This is exactly why defer_if_permit exists. It avoids the need for
> the client to come back again and then be rejected anyway.
>
> Wietse

I was under the impression that the OP is concerned the other way
around: to only ask the RBLs after greylisting is passed, and not submit
too many DNS queries for clients not retrying anyway.

This is possible with the policy server answering with a 4xx code, I guess.

Regards

Andreas
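
The two policy replies discussed in this thread, compared in an added example (not part of the original messages and not Postfix code): a simplified model of how smtpd walks the rest of the quoted restriction list after the policy service answers. The `Greylist` class, the 300-second delay and the example.com/example.net addresses are assumptions.

```python
RBLS = ["bl.spamcop.net", "cbl.abuseat.org", "zen.spamhaus.org"]  # order from the quoted config
DELAY = 300  # greylisting delay in seconds (assumed value)

def parse_request(text):
    """Parse one policy delegation request: name=value lines, blank line ends it."""
    return dict(l.split("=", 1) for l in text.splitlines() if "=" in l)

class Greylist:
    """Toy greylisting policy; immediate_4xx picks the reply for new triplets."""
    def __init__(self, immediate_4xx):
        self.immediate_4xx = immediate_4xx
        self.first_seen = {}  # (client, sender, recipient) -> first attempt time

    def action(self, attrs, now):
        key = (attrs["client_address"], attrs["sender"], attrs["recipient"])
        if now - self.first_seen.setdefault(key, now) >= DELAY:
            return "DUNNO"  # triplet waited long enough; policy has no opinion
        if self.immediate_4xx:
            return "450 4.7.1 Greylisted, try again later"
        return "DEFER_IF_PERMIT Greylisted, try again later"

def evaluate(policy_action, listed_on):
    """Model smtpd walking the restrictions that follow check_policy_service.
    Returns (final_reply_code, number_of_rbl_dns_lookups)."""
    if policy_action[:1] in "45":
        return int(policy_action[:3]), 0  # explicit 4xx/5xx ends evaluation here
    lookups = 0
    for rbl in RBLS:
        lookups += 1
        if rbl in listed_on:
            return 554, lookups  # reject_rbl_client hit wins over a pending defer
    # End of list is an implicit permit, unless DEFER_IF_PERMIT flagged the request.
    return (450 if policy_action.startswith("DEFER_IF_PERMIT") else 250), lookups

# Constructed request; the client address is the one from the quoted log.
REQUEST = """request=smtpd_access_policy
protocol_state=RCPT
client_address=201.240.250.45
sender=sender@example.com
recipient=user@example.net

"""

def compare(listed_on):
    """First delivery attempt under both reply styles: mode -> (code, lookups)."""
    attrs = parse_request(REQUEST)
    return {mode: evaluate(Greylist(mode == "4xx").action(attrs, now=0), listed_on)
            for mode in ("defer_if_permit", "4xx")}

if __name__ == "__main__":
    print(compare({"cbl.abuseat.org"}))  # client listed, as in the quoted log
    print(compare(set()))                # client not on any list
```

With `DEFER_IF_PERMIT` a listed client is rejected on its first attempt at the cost of the RBL lookups; with an immediate 4xx reply no lookup happens until the client has retried and passed greylisting.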