On Sat, Jul 15, 2017 at 10:30:25AM -0700, techlist06 wrote:
> I'm converting to use postscreen. I have a question about dnsbl's
> in postscreen vs smtpd_recipient_restrictions
>
> Following threads here and a git by Steve Jenkins I was going to
> start with this for postscreen:
>
> postscreen_dnsbl_sites =
>     zen.spamhaus.org*3

This looks similar to my own config, from which I think Steve adapted
his. I presume therefore that you're using a threshold of 3?

>     bl.mailspike.net*2
>     b.barracudacentral.org*2
>     bl.spameatingmonkey.net
>     bl.spamcop.net
>     dnsbl.sorbs.net
>     psbl.surriel.com
>     swl.spamhaus.org*-4

SWL is no longer active; the zone has been emptied.

>     list.dnswl.org=127.0.[2..15].0*-2
>     list.dnswl.org=127.0.[2..15].1*-3
>     list.dnswl.org=127.0.[2..15].[2..3]*-4
>     wl.mailspike.net=127.0.0.[17;18]*-1
>     wl.mailspike.net=127.0.0.[19;20]*-2
>
> I had my smtpd_recipient_restrictions RBLs as:
> ...
>     reject_rbl_client zen.spamhaus.org=127.0.0.[2..255],
>     reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99],
>     reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
>     reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
>     reject_rbl_client bl.spamcop.net
>     reject_rbl_client psbl.surriel.com

I would not use those two to reject outright. If you wanted to do
that, why not just increase their postscreen scoring to 3?

>     reject_rbl_client cbl.abuseat.org,

While there can be occasional slight lag between XBL (part of Zen) and
CBL, that's not significant. You already have this query, in effect,
through the Zen lookup.

> I've seen in other threads configs that left some but not all rbl's
> in their smtpd_recipient_restrictions. If I'm going to reject no
> matter what at smtpd_recipient_restrictions, it seems I should give
> that rbl a high score in postscreen checks and not do the second
> check in smtpd_recipient_restrictions? I understood that the
> second lookup is "free" since it's cached, but is there any
> advantage/disadvantage to having both?

Advantages:
- Second chance in case of slow DNS response to dnsblog(8)
- Second chance in case a Zen-listed host was on one of your DNS
  whitelist queries (these should be rare, and I think the popular
  DNSWL services check Zen against their own lists.)

Disadvantage:
- The tiny time and CPU expenditure of the second, cached lookup

> Any advice appreciated.

It really can't hurt to leave it enabled, if it's a DNSBL you
considered worthy to use to block outright. I would, however, advise
you to remove the PSBL and spamcop smtpd restrictions.
-- 
  http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: