Steffen Nurpmeso wrote in
 <20220407172531.ty1l8%stef...@sdaoden.eu>:
 ...
 |The next release (whenever it happens) will have the additional
 |manual sentence
 |
 |  Graylisting defers message acceptance a configurable number of
 |  times via a standardized SMTP response (see RFC 5321,
 |  access(5)), which does not prevent message delivery from SMTP
 |  M(ail) T(ransfer) A(gent)s, but can help against simple spam
 |  producing programs.
 |
 |(And --test-mode will simply output a valid resource file again.)

(..And the limit-delay will possibly be changed to sleep per
"instance" aka message, not RCPT TO.)

To answer your question, i do not think that postscreen(8) does
that. The graylist DB will recognize specific sender/receiver etc
combinations up to 22 days. I .. do not use postscreen. I would
anyhow recommend DNS related tests before the policy server
placement in smtpd_recipient_restrictions, as shown in the manual.

Graylisting is only a very simple mechanism that steps in at the
early stages of SMTP communication (but after TLS setup, if any),
and can thus reduce the cost of spam bots by not allowing them to
continue unless they show up a second or third time after a delay
(sites are known which Graylist for hours, so delay can also be
painful), which seems to be not true for many easy bots.
(It is, however, plain that a lot of spam comes from real MTAs,
and the majority of my spam comes via GMail -- and that is
whitelisted here like most other big sites, because not doing so
only increases network traffic for nothing, as they all act
properly.)

The nice thing about s-postgray in particular is that it is
self-contained on a POSIX/Linux standard system. It is only a
C program, and i run it in less than a megabyte of memory with
0.00 CPU time after a week of operation.

The _only_ thing that must be taken into account, and i would wish
postfix would offer a solution for this, is that the *_error_limit
configuration parameters kick in. I have drastically low numbers
to reduce log noise for all these nonsense connections, but with
graylisting each DEFER_IF_PERMIT (or DEFER etc) counts as one
error. So if you have a message from a non-whitelisted sender
that ends up with two or three valid recipients on the host, it
counts as two or three errors. So like s-postgray will impose
limit-delay sleeps per RCPT TO:, postfix will count errors per
RCPT TO. This is no good for graylisting, better would be
a special access(5) entry which simply "remembers an error once".

Ciao,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
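
The interaction described in the message above, between per-recipient graylisting deferrals and a per-session error limit, as an added example that is not part of the original message and is not s-postgray or Postfix code. DEFER_COUNT, MIN_DELAY, the addresses and the ">=" limit comparison are assumptions of this model; only the 22-day retention and the "one error per deferred RCPT TO" behaviour come from the message.

```python
"""Constructed model: per-RCPT graylisting deferrals vs. a session error limit."""
from dataclasses import dataclass, field

GC_TIMEOUT = 22 * 86400  # from the message: combinations are kept up to 22 days
DEFER_COUNT = 2          # assumed: deferrals before a combination is accepted
MIN_DELAY = 300          # assumed: seconds a client must wait before a retry counts


@dataclass
class Greylist:
    db: dict = field(default_factory=dict)  # (client, sender, rcpt) -> [deferrals, last_seen]

    def check(self, client, sender, rcpt, now):
        """Return the access(5)-style action for one RCPT TO."""
        key = (client, sender.lower(), rcpt.lower())
        entry = self.db.get(key)
        if entry is None or now - entry[1] > GC_TIMEOUT:
            self.db[key] = [1, now]          # first sighting, or entry expired
            return "DEFER_IF_PERMIT"
        if entry[0] >= DEFER_COUNT:
            entry[1] = now                   # known combination: refresh and pass
            return "DUNNO"
        if now - entry[1] >= MIN_DELAY:
            entry[0] += 1                    # a patient retry counts as progress
            entry[1] = now
        return "DEFER_IF_PERMIT"


def smtp_session(gl, client, sender, rcpts, now, error_limit):
    """Return (accepted recipients, error count, limit reached) for one session."""
    accepted, errors = [], 0
    for rcpt in rcpts:
        if gl.check(client, sender, rcpt, now) == "DUNNO":
            accepted.append(rcpt)
        else:
            errors += 1                      # from the message: one error per deferred RCPT TO
    return accepted, errors, errors >= error_limit  # ">=" is a simplification


if __name__ == "__main__":
    gl = Greylist()
    rcpts = ["a@example.org", "b@example.org", "c@example.org"]  # constructed
    for t in (0, 600, 1200):
        print(t, smtp_session(gl, "192.0.2.7", "x@example.net", rcpts, t, error_limit=3))
```

With a limit of 3, a legitimate first-time sender addressing three local recipients reaches the limit in a single session, while the same message to one recipient does not.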