Prompted by the "gmail servers requiring postscreen_access whitelisting" thread I looked at
http://www.postfix.org/postscreen.8.html.
There is an erroneous (right??) double negative:
> The optional "after 220 server greeting" tests involve postscreen(8)'s
> built-in SMTP protocol engine. When these tests succeed, postscreen(8)
> adds the client to the temporary whitelist, but it cannot not hand off
^^^^^^^^^^
> the "live" connection to a Postfix SMTP server process in the middle of
> a session. Instead, postscreen(8) defers attempts to deliver mail with
> a 4XX status, and waits for the client to disconnect. When the client
> connects again, postscreen(8) will allow the client to talk to a Post-
> fix SMTP server process (provided that the whitelist status has not
> expired). postscreen(8) mitigates the impact of this limitation by
> giving the "after 220 server greeting" tests a long expiration time.
Best,
Luke