Hi,
I like what I see in postscreen and am considering using some of the
after 220 tests. The issue I have in doing so is that the only
documented option for sharing postscreen_cache_map across servers is to
use memcache, and memcache over WAN will introduce way too much latency
from the looks of things. So I had an idea to accomplish this that I
wanted to run by the list to help assess feasibility. I wrote a small
Perl script to read the btree postscreen_cache_map file, from there,
here is what would happen:
* The script would read new entries (only entries that passed the
applicable after 220 tests) in on cron (maybe every other minute)
* It would send these new values to a central server which would
receive all entries from all mail servers
* These addresses would be loaded into a rbldns program which would
publish them via DNS
* Each mail server (via postscreen config) would check the central RBL
via postscreen_dnsbl_sites and I would configure this specific RBL
as a whitelist with a -1 score
* Each postscreen instance would be configured with
postscreen_dnsbl_whitelist_threshold = -1
Therefore, once a given client passed these after 220 tests on one
Postfix server, that IP would be in the whitelist within minutes -
thereby removing the need to retest in the event the client retries on a
different server. The exception would be if the client triggered some
RBLs but not enough to hit postscreen_dnsbl_threshold - in this case,
they would be retested again for after 220 tests if the client retried
on a different server - which may not be so bad if they are listed in an RBL.
General thoughts on this plan as a means to share postscreen cache over
WAN? Any problems that come to mind?
Finally, any comments as to which after 220 tests are most effective
with least false positives? I assume pipelining and non-SMTP commands
are most effective and have the least false positives compared to
bare newline?
Michael
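As an added example (not code from Michael's post or from Postfix itself), the central-server step of the plan in Python: it takes the entries shipped by the mail servers and builds the DNS records the shared whitelist zone would serve. The feed line format, the zone name and the sample addresses are assumptions.

```python
# Added example (not from the list post): the central-server step of the
# scheme, turning client IPs shipped by the mail servers into a DNSBL-style
# zone. Feed format "ip<TAB>expiry_epoch" and the zone name are assumptions.
import ipaddress

ZONE = "pass.example.internal"   # assumed name of the shared pass-list RBL
NOW = 1_700_000_000              # constructed "current time" for the sample

# Constructed feed as the central server might receive it: one line per
# client that passed the after-220 tests, with the postscreen cache expiry.
SAMPLE_FEED = (
    "192.0.2.10\t1700003600\n"      # fresh
    "198.51.100.7\t1700003600\n"    # fresh
    "192.0.2.10\t1700003600\n"      # same client seen on a second server
    "203.0.113.99\t1699990000\n"    # already expired: must not be published
    "not-an-ip\t1700003600\n"       # malformed line: skipped
)

def parse_feed(text, now=NOW):
    """Return the set of valid, unexpired IPv4 addresses in the feed."""
    ips = set()
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
            expires = int(fields[1])
        except ValueError:
            continue                # never publish what we cannot parse
        if ip.version == 4 and expires > now:
            ips.add(str(ip))
    return ips

def dnsbl_name(ip, zone=ZONE):
    """The name postscreen queries: octets reversed under the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def build_zone(ips, zone=ZONE):
    """Map each reversed name to the usual DNSBL answer 127.0.0.2. With
    postscreen_dnsbl_sites = <zone>*-1 a hit scores -1, and
    postscreen_dnsbl_whitelist_threshold = -1 then skips the tests."""
    return {dnsbl_name(ip, zone): "127.0.0.2" for ip in sorted(ips)}

def zone_lines(records, zone=ZONE):
    """Render records as zone-file lines with owner names relative to zone."""
    return [f"$ORIGIN {zone}."] + [
        f"{name[:-len(zone) - 1]} IN A {addr}" for name, addr in records.items()
    ]
```

Expired entries are dropped so the shared list never outlives the postscreen cache TTL on the originating server; only IPv4 clients are handled here.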