Hello all,

Until now I was using Postfix 2.5, and I am planning to upgrade to 2.8
because I see 2 major features, multi-instance and postscreen. Can anyone
give me an example of an ideal configuration?

Regards,
Kshitij

On Sun, Jun 5, 2011 at 7:51 PM, Wietse Venema <wie...@porcupine.org> wrote:

> /dev/rob0:
> > Jun  5 01:50:46 cardinal postfix/postscreen[15628]: CONNECT from
> > [174.37.3.121]:33695 to [216.23.247.74]:25
> > Jun  5 01:50:52 cardinal postfix/postscreen[15628]: PASS OLD
> > [174.37.3.121]:33695
> > Jun  5 01:50:52 cardinal postfix/smtpd[15816]: connect from
> > 174.37.3.121-static.reverse.softlayer.com[174.37.3.121]
>
> Host connects 01:50:46, postscreen logs "PASS OLD" at 01:50:52 and
> hands off the connection to smtpd.  The six-second pause suggests
> that postscreen_greet_ttl (1d) expired (according to "postconf -n"
> your postscreen_mumble_ttl settings haven't changed).
>
> > Jun  5 01:50:53 cardinal postfix/postscreen[15628]: CONNECT from
> > [174.37.3.121]:52927 to [216.23.247.78]:25
> > Jun  5 01:50:53 cardinal postfix/postscreen[15628]: WHITELIST VETO
> > [174.37.3.121]:52927
>
> > It was whitelisted 7 seconds ago. Could that have expired?
>
> What 7 seconds? The "PASS OLD" action was logged 01:50:52. The
> new connection is made 01:50:53.
>
> Each postscreen test has its own TTL. Different tests have different
> costs (for sender and receiver), and therefore different tests
> expire at different times.
>
> You have the following time-dependent tests enabled:
>
>    postscreen_bare_newline_action = enforce
>    postscreen_dnsbl_action = enforce
>    postscreen_greet_action = enforce
>
> Their expiration times are:
>
>    postscreen_bare_newline_ttl = 30d
>    postscreen_dnsbl_ttl = 1h
>    postscreen_greet_ttl = 1d
>
> Clearly, they don't expire at the same time.
>
> The Postfix verify(8) daemon avoids client-visible delays by sending
> a new probe before a result expires (it has separate _refresh and
> _expire timing parameters).
>
> That trick does not work with postscreen.  postscreen does not have
> separate _refresh and _expire settings because many postscreen
> tests are client-visible. For example, postscreen_greet is visible
> (6 seconds delay), postscreen_dnsbl almost invisible (less than 1
> second, usually) and postscreen_bare_newline means the client gets
> 4XX replies if it passes the test. So, in the majority of tests it
> is not possible to refresh a test without client-visible delays.
>
> When a test has expired, postscreen could refresh all unexpired
> tests that will expire soon. For example, all tests that will expire
> within one TTL of the expired test, or all tests that will expire
> within one hour. This will not necessarily reduce the amount of
> client-visible delays, but it will reduce the WHITELIST VETO logs.
>
>        Wietse
>
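
An added example, not part of the original thread and not Postfix code: a small parser that pairs each postscreen CONNECT with its outcome and measures the delay, using the log lines quoted above. The function name, the `year` argument and the `slow` flag are assumptions made for illustration.

```python
import re
from datetime import datetime

# Log lines from the thread above, unwrapped to one event per line.
SAMPLE_LOG = """\
Jun  5 01:50:46 cardinal postfix/postscreen[15628]: CONNECT from [174.37.3.121]:33695 to [216.23.247.74]:25
Jun  5 01:50:52 cardinal postfix/postscreen[15628]: PASS OLD [174.37.3.121]:33695
Jun  5 01:50:52 cardinal postfix/smtpd[15816]: connect from 174.37.3.121-static.reverse.softlayer.com[174.37.3.121]
Jun  5 01:50:53 cardinal postfix/postscreen[15628]: CONNECT from [174.37.3.121]:52927 to [216.23.247.78]:25
Jun  5 01:50:53 cardinal postfix/postscreen[15628]: WHITELIST VETO [174.37.3.121]:52927
"""

# Matches only postscreen events that carry a [client]:port pair.
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/postscreen\[\d+\]:\s"
    r"(?P<action>CONNECT from|PASS OLD|PASS NEW|WHITELIST VETO)\s"
    r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+)"
)


def sessions(log_text, year=2011, greet_wait=6):
    """Pair each CONNECT with its outcome and measure the delay in seconds.

    syslog omits the year, so `year` is supplied; `greet_wait` is the 6-second
    greet delay quoted in the thread and is only used to flag slow sessions.
    """
    seen = {}
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # smtpd and other daemons are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = f"[{m['ip']}]:{m['port']}"
        if m["action"] == "CONNECT from":
            seen[key] = {"client": key, "connect": ts, "outcome": None,
                         "delay": None, "slow": False}
        elif key in seen:
            s = seen[key]
            s["outcome"] = m["action"]
            s["delay"] = (ts - s["connect"]).total_seconds()
            s["slow"] = s["delay"] >= greet_wait
    return list(seen.values())


if __name__ == "__main__":
    for s in sessions(SAMPLE_LOG):
        print(s["client"], s["outcome"], s["delay"],
              "client-visible delay" if s["slow"] else "")
```
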
