On Sun, 7 May 2023 at 14:28, Wietse Venema via Postfix-users <postfix-users@postfix.org> wrote:

> Mihaly Zachar via Postfix-users:
> > On Sun, 7 May 2023 at 03:12, Mihaly Zachar <zmih...@gmail.com> wrote:
> >
> > > On Sun, 7 May 2023 at 03:05, Wietse Venema via Postfix-users <
> > > postfix-users@postfix.org> wrote:
> > >
> > >>
> > >> Look at output from:
> > >>
> > >> (postconf -n; postconf -P) | grep soft_bounce
> > >>
> > >
> > > this gives an empty set...
> > >
> >
> > I think I have figured it out. I have the "MX Policy test" set up (you can
> > see it in the configs) based on the POSTSCREEN_README.
> > As far as I can see, the IPs which connect to the secondary MX will get 450
> > from Postscreen.
> >
> > The only question is why it sends back 450 rather than 550?
>
> It is a lack of information problem. Mathematically-oriented people
> will like that.
>
> How would postscreen distinguish between:
>
> 1) A legitimate client tries to connect to the primary MX first, and
> that fails because of some temporary network outage/overload/whatever.
> Then the client tries to connect to the secondary MX.
>
> 2) A non-legitimate client connects only to a non-primary MX.
>
> The only information postscreen has is that there was a connection
> to the secondary MX without an earlier connection to the primary
> MX. Postscreen does not know that the client did not try to
> connect to the primary.
>
> More formally, lack of evidence of a primary MX connection is not
> evidence of a lack of an attempt to make a primary MX connection.
>
> If postscreen replies with 550, it could reject legitimate email.
>
> After multiple such connections, postscreen could theoretically
> decide that the client is unlikely to ever connect to the primary
> MX, but by then the client will likely already have given up, and
> postscreen has done no harm.
>
> Postscreen does not have such a counting system.
>
> It's also possible that a legitimate mail system always connects
> to a non-primary MX due to an implementation bug. You can monitor
> your logs and make an exception for such mailers before they
> give up.
>
> > Where can I change it ?
>
> That would be a mistake. You could reject legitimate email.
>

I did remember the doc wrongly.
I thought it should reject the connections with 550 by default. That is why I thought that there must be a way to modify it, because mine sends 450 back.
That 550 reply was mentioned while explaining the "enforce" actions, I did remember wrongly.

Thank you.
Mitya
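An added example, not part of the original thread and not Postfix code: one way to do the log monitoring suggested above, by counting clients that postscreen logged connecting to a secondary MX address several times and never to the primary. The MX addresses (192.0.2.1 primary, 192.0.2.2 secondary), the threshold of 3, the function name and the sample log lines are assumptions made for illustration; the regular expression matches the `CONNECT from [address]:port to [address]:port` line that postscreen logs.

```python
import re
from collections import Counter

# postscreen logs each connection as:
#   CONNECT from [client]:port to [server]:port
CONNECT_RE = re.compile(
    r"postscreen\[\d+\]: CONNECT from \[([^\]]+)\]:\d+ to \[([^\]]+)\]:\d+"
)

def secondary_only_clients(lines, primary_addrs, secondary_addrs, min_hits=3):
    """Return {client: hits} for clients seen at least min_hits times on a
    secondary MX address and never on a primary MX address (hypothetical helper)."""
    primary_seen = set()
    secondary_hits = Counter()
    for line in lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue  # not a postscreen CONNECT line
        client, server = m.groups()
        if server in primary_addrs:
            primary_seen.add(client)
        elif server in secondary_addrs:
            secondary_hits[client] += 1
    # Decide only after the whole window is read, so a client that reaches
    # the primary later in the log is not reported.
    return {c: n for c, n in secondary_hits.items()
            if n >= min_hits and c not in primary_seen}

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
May  7 03:00:01 mx postfix/postscreen[811]: CONNECT from [203.0.113.5]:40112 to [192.0.2.2]:25
May  7 03:02:10 mx postfix/postscreen[811]: CONNECT from [198.51.100.7]:51000 to [192.0.2.2]:25
May  7 03:07:44 mx postfix/postscreen[811]: CONNECT from [198.51.100.7]:51002 to [192.0.2.1]:25
May  7 03:07:50 mx postfix/postscreen[811]: PASS NEW [198.51.100.7]:51002
May  7 03:15:01 mx postfix/postscreen[811]: CONNECT from [203.0.113.5]:40390 to [192.0.2.2]:25
May  7 03:20:33 mx postfix/postscreen[811]: CONNECT from [203.0.113.9]:33012 to [192.0.2.2]:25
May  7 03:30:02 mx postfix/postscreen[811]: CONNECT from [203.0.113.5]:40871 to [192.0.2.2]:25
""".splitlines()

if __name__ == "__main__":
    flagged = secondary_only_clients(SAMPLE_LOG, {"192.0.2.1"}, {"192.0.2.2"})
    for client, hits in sorted(flagged.items()):
        print(f"{client}: {hits} secondary-MX connections, none to primary")
```

A client reported here is a candidate for review, not proof of abuse: an attempt to reach the primary MX that failed in the network leaves no log line, which is the same information gap described in the reply above.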