postscreen delay improvement - multiple IP addresses


postscreen delay improvement - multiple IP addresses

techlist06
I'm working on converting to using postscreen.  Studying the details.  I
have a question from the docs related to the delays due to the effective
greylisting caused by "Tests after the 220 SMTP server greeting".  I believe
my server would qualify as a small site receiving mail for just a few
hundred users.

Snippet from the Howto:
"The following measures may help to avoid email delays:   Small sites:
Configure postscreen(8) to listen on multiple IP addresses, published in DNS
as different IP addresses for the same MX hostname or for different MX
hostnames. This avoids mail delivery delays with clients that reconnect
immediately from the same IP address."

Can someone help me understand why this helps?  If I add an IP to the server
and configure it as a second instance of the MX hostname, how does that help
with a server that may reconnect from a different IP?  I thought that if it
reconnected immediately from the same IP, that would be a good thing.  Or
maybe I misunderstood "immediately".  I took it to mean immediately after
getting a 4xx response and drop.  I assume this doesn't do anything to help
with servers like Google that will connect from a different server?

Anyway, I'd appreciate it if someone could elaborate so I understand this
detail.

Thank you, Scott





Re: postscreen delay improvement - multiple IP addresses

Wietse Venema
techlist06:

> I'm working on converting to using postscreen.  Studying the details.  I
> have a question from the docs related to the delays due to the effective
> greylisting caused by "Tests after the 220 SMTP server greeting".  I believe
> my server would qualify as a small site receiving mail for just a few
> hundred users.
>
> Snippet from the Howto:
> " The following measures may help to avoid email delays:   Small sites:
> Configure postscreen(8) to listen on multiple IP addresses, published in DNS
> as different IP addresses for the same MX hostname or for different MX
> hostnames. This avoids mail delivery delays with clients that reconnect
> immediately from the same IP address.

Note, this recommendation applies to clients that reconnect from
the same IP address.

> Can someone help me understand why this helps?

The postscreen temporary whitelist is by client IP address.

> If I add an IP to the server and configure it as a second instance
> of the MX hostname, how does that help with a server that may
> reconnect from a different IP?

Note, the above recommendation applies to clients that reconnect
from the same IP address; otherwise the above recommendation does not apply.

> I thought that if it
> reconnected immediately from the same IP, that would be a good thing.  Or
> maybe I misunderstood "immediately".  I took it to mean immediately after
> getting a 4xx response and drop.  I assume this doesn't do anything to help
> with servers like Google that will connect from a different server?

Note, the above recommendation applies to clients that reconnect
from the same IP address. It still applies when different servers
share the same external (NAT) IP address.

        Wietse

Re: postscreen delay improvement - multiple IP addresses

Noel Jones-2
On 7/7/2017 4:34 PM, techlist06 wrote:

> I'm working on converting to using postscreen.  Studying the details.  I
> have a question from the docs related to the delays due to the effective
> greylisting caused by "Tests after the 220 SMTP server greeting".  I believe
> my server would qualify as a small site receiving mail for just a few
> hundred users.
>
> Snippet from the Howto:
> " The following measures may help to avoid email delays:   Small sites:
> Configure postscreen(8) to listen on multiple IP addresses, published in DNS
> as different IP addresses for the same MX hostname or for different MX
> hostnames. This avoids mail delivery delays with clients that reconnect
> immediately from the same IP address.
>
> Can someone help me understand why this helps?  If I add an IP to the server
> and configure it as a second instance of the MX hostname, how does that help
> with a server that may reconnect from a different IP?  I thought that if it
> reconnected immediately from the same IP, that would be a good thing.  Or
> maybe I misunderstood "immediately".  I took it to mean immediately after
> getting a 4xx response and drop.  I assume this doesn't do anything to help
> with servers like Google that will connect from a different server?
>
> Anyway, I'd appreciate it if someone could elaborate so I understand this
> detail.
>
> Thank you, Scott

Using multiple MX hosts doesn't help with sites that retry from a
different IP.

To automatically handle many of those sites, use list.dnswl.org in
your list of postscreen_dnsbl_sites with a negative value, and
postscreen_dnsbl_whitelist_threshold = -1.  Listed mailers will then
skip the after 220 tests completely with no further action on your part.
http://www.postfix.org/postconf.5.html#postscreen_dnsbl_whitelist_threshold
https://www.dnswl.org/

Simple example:
# main.cf
postscreen_dnsbl_sites =
  zen.spamhaus.org
  list.dnswl.org*-1
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_whitelist_threshold = -1



There's also the postwhite project, which populates the postscreen
access list with known MTAs from large providers by mining their SPF
records.
https://github.com/stevejenkins/postwhite



  -- Noel Jones
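To make the scoring behind Noel's main.cf snippet concrete, here is a small model of how postscreen combines weighted DNSBL answers into a decision. This is an added illustration, not Postfix's own code; the DNSBL answers are constructed inline (no DNS is queried), and `postscreen_decision` is a hypothetical helper that mirrors the thresholds on this page.

```python
"""Simplified model of postscreen's weighted DNSBL scoring (illustration only,
not Postfix code). Each entry in postscreen_dnsbl_sites may carry '*weight'
(default 1); a client's score is the sum of the weights of the sites that
list it. score >= postscreen_dnsbl_threshold fails the DNSBL test, while a
score <= postscreen_dnsbl_whitelist_threshold (negative, -1 on this page)
lets the client skip the after-220 tests and their greylisting-style delay."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed lookup results standing in for real DNSBL/DNSWL queries.
FAKE_LISTINGS: Dict[str, Set[str]] = {
    "192.0.2.10": {"list.dnswl.org"},                        # known-good mailer
    "203.0.113.7": {"zen.spamhaus.org"},                     # listed spam source
    "198.51.100.5": set(),                                   # unknown client
    "198.51.100.9": {"zen.spamhaus.org", "list.dnswl.org"},  # listed on both
}

# The main.cf value from the post, as postscreen would read it (whitespace separated).
DNSBL_SITES_SETTING = """
  zen.spamhaus.org
  list.dnswl.org*-1
"""


def parse_dnsbl_sites(setting: str) -> List[Tuple[str, int]]:
    """Split a postscreen_dnsbl_sites value into (site, weight) pairs."""
    sites = []
    for entry in setting.split():
        name, _, weight = entry.partition("*")
        sites.append((name, int(weight) if weight else 1))
    return sites


def dnsbl_score(client_ip: str, sites: List[Tuple[str, int]],
                listings: Dict[str, Set[str]]) -> int:
    """Sum the weights of every configured site that lists the client."""
    hits = listings.get(client_ip, set())
    return sum(weight for name, weight in sites if name in hits)


def postscreen_decision(client_ip: str, threshold: int = 1,
                        whitelist_threshold: Optional[int] = -1,
                        listings: Dict[str, Set[str]] = FAKE_LISTINGS) -> str:
    """Return 'reject', 'whitelist' or 'after-220 tests' for one client."""
    score = dnsbl_score(client_ip, parse_dnsbl_sites(DNSBL_SITES_SETTING), listings)
    if score >= threshold:
        return "reject"            # DNSBL test failed (postscreen_dnsbl_action)
    if whitelist_threshold is not None and whitelist_threshold < 0 \
            and score <= whitelist_threshold:
        return "whitelist"         # skips the after-220 tests, no retry delay
    return "after-220 tests"       # first contact gets the temporary deferral
```

The fourth constructed client shows the edge case a weight of -1 creates: listed on both sites, its score is 0, so it is neither rejected nor whitelisted and still goes through the after-220 tests.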

Re: postscreen delay improvement - multiple IP addresses

techlist06
Thanks guys, I understand now.  Much appreciated.

Re: postscreen delay improvement - multiple IP addresses

techlist06
re "IP addresses, published in DNS as different IP addresses for the same MX hostname or for different MX
hostnames. This avoids mail delivery delays with clients that reconnect immediately from the same IP address. "

I understand now this had nothing to do with improving systems that (re)connect from different IPs.  

Hopefully not too elementary of a question.... I would like to understand how it helps for clients reconnecting immediately from the same IP.  Will such a client immediately retry on the next available DNS configured MX (if available) vs. some other delay to retry on the same IP?  As if the primary was considered unavailable so it immediately tries the secondary?  That would be great presuming the undesirables don't.

Thanks again, Scott


Re: postscreen delay improvement - multiple IP addresses

Noel Jones-2
On 7/8/2017 2:54 PM, techlist06 wrote:
> Will
> such a client immediately retry on the next available DNS configured MX (if
> available)

Yes, many senders will immediately try the secondary MX if the
primary gives a temporary error.  If you have one MX, most senders
will delay some time before a retry.


> That
> would be great presuming the undesirables don't.
>

Most clients -- good and bad -- that get a deferral from the primary
will try the secondary.  Some bad clients will try the secondary
first.
http://www.postfix.org/POSTSCREEN_README.html#white_veto


  -- Noel Jones

Re: postscreen delay improvement - multiple IP addresses

techlist06
> http://www.postfix.org/POSTSCREEN_README.html#white_veto

Noel, I had read that section of the manual but it didn't sink in.  Now I get it perfectly.  Thanks again, much appreciated.
