On 1/31/2012 4:36 AM, Mark Alan wrote: > On Mon, 30 Jan 2012 19:17:17 -0500 (EST), Wietse Venema > <wie...@porcupine.org> wrote: >> Mark Alan: >>>>> Would the following be an acceptable way to do it? >>>>> postconf -e 'postscreen_access_list = reject' >>>>> postconf -e 'soft_bounce = yes' >>>> >>>> Only if this is documented. The soft_bounce parameter is listed on >>>> the postscreen(8) manpage, this is perhaps a sufficient promise to >>>> match user expectations and so I would expect it to work. >>> >>> Sadly it does not. >>> Although postscreen marks it as BLACKLISTED, then tlsproxy kicks in >>> and lets the email pass: >>> >> >> Only because you failed to configure "postscreen_blacklist_action = >> drop". >> >> Wietse > > Not exactly a failure, as doing so would instruct postscreen to simply > DISCONNECT (i.e., drop the connection immediately). In which case a > single 'master_service_disable = inet' would be more elegant and > similarly effective. > > My question should have been: > Using only the frugal postscreen resources is there a way to achieve > something like 'postscreen_blacklist_action = defer' , i.e., to > configure it to immediately NOQUEUE all connections with a 450 SMTP > reply? > > Thank you, > > M.
You need to set both "postscreen_blacklist_action = drop" and "soft_bounce = yes". The soft_bounce changes the 521 hangup into a 421 hangup. Alternately, you can use "postscreen_blacklist_action = enforce" with "soft_bounce = yes". This delays the 450 reject until the client sends recipient information. http://www.postfix.org/postconf.5.html#postscreen_blacklist_action http://www.postfix.org/postconf.5.html#soft_bounce -- Noel Jones
