>> patch is diff to postfix-2.8-20101206.
>> any comments would be appreciated.
>
> Caution:
>
> - This code will access free memory (or worse, clobber memory that
> is allocated for a different session) when the reverse lookup result
> arrives AFTER postscreen has already closed the client connection.
I thought this would be handled by calling the event catcher ps_revname_request() with the PS_CLEAR_EVENT_REQUEST() macro, and doing this in ps_conclude() to force cancellation if the pending resolver is still alive.

> Let me know when you have figured out:
>
> - Why postscreen should look up the client hostname at all.

I saw your LISA '10 slides and was impressed, ... deciding "it's a zombie" for single connections.

To decide something for a single connection, I thought we should collect as much information about the client as possible. While collecting, if the reverse name resolution failed or timed out, that in itself is not so serious; we just got one condition, the reverse name was UNKNOWN. (So a policy like "do not reject even if the client's name was unknown" may be required.) Conversely, this implies we will be able to reject using reverse names when resolution succeeds.

> - How long postscreen should wait for client hostname lookup to
> complete before or after whitelist/blacklist/before-220/after-220
> checks.

I thought the deadline is the end of the "deep protocol" tests.

> - The impact of client hostname lookup on the number of dnsblog
> processes, for the normal case and for the worst case.

I assume that it adds 1 to the DNSBL checking at worst, because in the postscreen process the reverse lookup opens one socket per session, and the number of dnsblog processes is the same in the normal and the worst case.

> - The impact of client hostname lookup on postscreen latency for
> legitimate clients, for the normal case and for the worst case.

I thought there is no extra latency if the cancellation of the client name lookup works at the appropriate time. If we have some extra checks using the client names, those are another matter.

> - The impact of client hostname lookup on postscreen latency for
> zombie clients, for the normal case and for the worst case.

Same as above.
But for reference, in my environment, typical lookup times (for names not in the caching DNS, djb's dnscache):

  clients that have a reverse name:                   300 ~ 1000 ms
  clients with misconfigured DNS (SERVFAIL or worse): 1000 ms ~ resolve timeout

DNSBL checks are typically shorter:

  b.barracudacentral.com:   50 ~ 300 ms
  zen.spamhaus.org:        280 ~ 1100 ms

If the names are in the cache, 0 ~ 1 ms, of course.

Thanks,
-- Tomo.
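As an added illustration of the cancellation point discussed above (the late resolver answer touching a closed session), and not code from the patch or from Postfix: ps_revname_request(), PS_CLEAR_EVENT_REQUEST() and ps_conclude() are only named in the mail, so the slot table, session_t and the function names below are a constructed model of the same idea.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of a pending-lookup slot table; NOT Postfix's event API. */
#define MAX_PENDING 4

typedef struct session { int id; int closed; char revname[64]; } session_t;
typedef void (*lookup_cb)(session_t *, const char *);
typedef struct { int active; int session_id; session_t *ctx; lookup_cb cb; } pending_t;

static pending_t pending[MAX_PENDING];
static int late_results_dropped;   /* answers that found no live session */

/* Register an asynchronous reverse lookup; -1 when no slot is free. */
int revname_request(session_t *s, lookup_cb cb)
{
    for (int i = 0; i < MAX_PENDING; i++)
        if (!pending[i].active) {
            pending[i] = (pending_t){1, s->id, s, cb};
            return 0;
        }
    return -1;
}

/* Cancel every slot that still points at this session (the CLEAR step). */
void revname_cancel(const session_t *s)
{
    for (int i = 0; i < MAX_PENDING; i++)
        if (pending[i].active && pending[i].ctx == s)
            pending[i].active = 0;
}

/* Resolver answer arrives: match by id, not by ctx, so a dangling ctx is never read. */
void revname_arrive(int session_id, const char *name)
{
    for (int i = 0; i < MAX_PENDING; i++)
        if (pending[i].active && pending[i].session_id == session_id) {
            pending[i].active = 0;
            pending[i].cb(pending[i].ctx, name);
            return;
        }
    late_results_dropped++;        /* session already concluded: drop it */
}

void store_revname(session_t *s, const char *name)
{ snprintf(s->revname, sizeof s->revname, "%s", name); }

/* The one place a session goes away: cancel first, then close/free. */
void session_conclude(session_t *s) { revname_cancel(s); s->closed = 1; }

int late_results(void) { return late_results_dropped; }
```

Without the revname_cancel() call in session_conclude(), the late answer would be delivered to ctx after the session was torn down, which is the memory hazard raised above.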