On 28 Nov 2015, at 16:16, Michael Grimm wrote:
Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
On Fri, Nov 27, 2015 at 09:26:20PM -0500, David Mehler wrote:
In particular can I eliminate the rbl checks in
smtpd_recipient_restrictions since they're going in the postscreen
setup?
Keep both.
Please ignore my ignorance, but: why would one keep both?
In addition to Noel's broadly applicable reason, it is possible to use
DNSBLs with significant FP risks in a careful way at multiple stages
(postscreen, RCPT, and content filtering) to mitigate heir risks. For
example, I use a couple of lists that are not alone enough to trigger a
postscreen rejection because I want to be able to exempt some recipients
(postmaster, abuse, etc.) from having them reject mail absolutely in
Postfix proper, as they do for most targets. Then in MIMEDefang, I make
policy rulings that Postfix can't to either reject a message or let
SpamAssassin render it's own judgment, both of which involve whether or
not the client IP is on either of those DNSBLs. Quadruple jeopardy, as
it were, since a piece of email has no civil rights. :)