postscreen with postgrey - can they cause a double reject?


postscreen with postgrey - can they cause a double reject?

techlist06
- postscreen with postgrey - can they cause a double reject?

I searched for answers regarding using both postscreen and greylisting.  I
saw some differing opinions.  But I did not see this point covered.

Assuming a client's first connection to me to deliver and
Assuming that postscreen is configured for deep protocol tests, and the
connection passes all tests.

I understand postscreen will temporarily whitelist the IP but the client must
reconnect in order to deliver.  

On that second connection, postscreen hands off to postfix due to the
temporary whitelist.

If I have greylisting configured, as I have done it in the past in main.cf:

      smtpd_recipient_restrictions =
          ...
          check_policy_service unix:postgrey/socket
          permit

Won't this second connection get temp rejected by my normal greylisting a
second time?  The regular greylisting won't know about the postscreen's
recent pass.  So won't the client have to connect for a 3rd time to
deliver?

That would seem to me to be an argument against using both, or at least
using both with postscreen's deep protocol tests enabled.

I'd be grateful to be straightened out if I have it wrong.  


Re: postscreen with postgrey - can they cause a double reject?

/dev/rob0
On Fri, Jul 07, 2017 at 05:18:49PM -0500, techlist06 wrote:
> - postscreen with postgrey - can they cause a double reject?

Reject, no; deferral, of course yes.

> I searched for answers regarding using both postscreen and
> greylisting.  I saw some differing opinions.  But I did not
> see this point covered.

My opinion is that postscreen is a much better greylisting-like
implementation.  I do not recommend other greylisting now (and this
opinion dates back many years.)

> Assuming a client's first connection to me to deliver and
> Assuming that postscreen is configured for deep protocol tests,
> and the connection passes all tests.
>
> I understand postscreen will temporarily whitelist the IP but the
> client must reconnect in order to deliver.

Yes, but see:

http://www.postfix.org/postconf.5.html#postscreen_dnsbl_whitelist_threshold

Most legitimate senders are listed in the DNSWL.org whitelist.
Clients in that list (without offsetting DNSBL listings, which have
been very rare) bypass postscreen's delaying behavior.

> On that second connection, postscreen hands off to postfix
> due to the temporary whitelist.

Postscreen IS Postfix; it hands off to smtpd(8).

> If I have greylisting configured, as I have done it in the
> past in main.cf:
>
>       smtpd_recipient_restrictions =
>           ...
>           check_policy_service unix:postgrey/socket
>           permit
>
> Won't this second connection get temp rejected by my normal
> greylisting a second time?  The regular greylisting won't know
> about the postscreen's recent pass.  So won't the client
> have to connect for a 3rd time to deliver?
>
> That would seem to me to be an argument against using both, or

Correct.

> at least using both with postscreen's deep protocol tests
> enabled.
>
> I'd be grateful to be straightened out if I have it wrong.  

Just stick with postscreen's deep protocol tests.  Greylisting won't
block anything that got through postscreen's delay.  All pain, no
gain, with greylisting behind postscreen.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
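
The setup recommended in the reply above, sketched as an added main.cf example that is not part of the original thread: postscreen's deep protocol tests plus a DNSWL-based whitelist threshold, with no postgrey behind it. The DNSBL site, the weights and the thresholds are illustrative assumptions, and postscreen is assumed to be enabled in master.cf already.

```ini
# main.cf fragment (constructed example, not from the thread).
# Assumes postscreen already listens on port 25 via master.cf.

# DNSBL/DNSWL scoring. The blocklist choice and all weights are assumptions;
# list.dnswl.org is the DNSWL.org list mentioned in the reply.
postscreen_dnsbl_sites =
    zen.spamhaus.org*2
    list.dnswl.org=127.0.[0..255].[1..3]*-2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action = enforce

# A client whose combined score is this low (DNSWL-listed, no offsetting
# DNSBL hits) skips the remaining tests, so it is not made to reconnect.
postscreen_dnsbl_whitelist_threshold = -1

# Deep protocol tests. A client that passes them is temporarily whitelisted
# but must reconnect once to deliver; this is the greylisting-like delay.
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce

# smtpd_recipient_restrictions: keep the existing list, but drop the postgrey
# lookup, which would defer the reconnecting client a second time:
#     check_policy_service unix:postgrey/socket    <- remove this line
```

Check the result with `postconf -n | grep postscreen` and watch the mail log for postscreen PASS NEW and PASS OLD lines to confirm that returning clients are handed to smtpd(8) on the second connection.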

Re: postscreen with postgrey - can they cause a double reject?

techlist06
Thank you for the expert input.  I will heed your advice.

Scott
