Re: Can I improve the efficiency of my dnsbl reject configuration?

From: Noel Jones (njonesmegan.vbhcs.org)
Date: Fri Apr 27 2012 - 14:43:09 CDT


On 4/27/2012 2:12 PM, /dev/rob0 wrote:

> Postfix is going to do a reverse DNS lookup of any connecting client,
> followed by a forward lookup of the PTR name received.

These are done in the postfix/smtpd client.

> This is fine
> for most sites. Small sites can save some of this using postscreen,
> which merely does a few cheap and fast checks without the PTR/A(AAA)?
> lookups.

postscreen does no DNS lookups other than user-defined dnsbl/dnswl.

>
> It sounds like Bron's patch is to do a client local blacklist lookup
> beforehand.
>
> Fastmail.fm might be too big to benefit from postscreen,

That's unclear. cidr tables should scale very well to a couple
hundred thousand entries. For millions of entries maybe memcache
would help.

Testing would be required to see what's feasible. It's imperative
that postscreen table lookups be extremely fast, since that's the
postscreen choke point.

Postfix becomes unusable when the access table and/or cache lookup
delay gets high enough to throttle incoming mail.

> but you are
> probably not. :) Your best answer, as discussed upthread, is to use
> postscreen.

Indeed.

  -- Noel Jones
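The arrangement the thread recommends, a local cidr access list consulted by postscreen before any dnsbl query, as an added example configuration (not Postfix's documentation or anything posted in this thread); the file paths, the sample networks and the dnsbl site names are assumptions, and `postscreen_blacklist_action` is the parameter name of the Postfix versions current in 2012 (later releases renamed it `postscreen_denylist_action`).

```ini
# /etc/postfix/main.cf (example fragment, constructed for this note)
#
# The access list is checked first and costs only a local table lookup,
# so clients listed here never trigger the dnsbl queries that follow.
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr

# A "reject" result from the access list is enforced here.
postscreen_blacklist_action = enforce

# DNS lookups postscreen performs: only the user-defined dnsbl/dnswl
# sites listed here. Weights let a single authoritative list reject
# on its own while weaker lists must agree.
postscreen_dnsbl_sites = zen.spamhaus.org*3,
    bl.spamcop.net*1,
    b.barracudacentral.org*1
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce

# Cache verdicts so a client that passed is not re-checked on every
# connection; keep this on a fast local store, since a slow lookup
# here throttles all incoming mail.
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_cleanup_interval = 12h

# /etc/postfix/postscreen_access.cidr (example, first match wins)
#
# 192.0.2.0/24      permit    # assumed partner network, skip dnsbl checks
# 198.51.100.0/24   reject    # assumed known-abusive range, drop early
# 203.0.113.7       dunno     # fall through to the dnsbl checks
```

Verify a lookup with `postmap -q 192.0.2.10 cidr:/etc/postfix/postscreen_access.cidr` before reloading; it should print `permit` for the example table above.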