postscreen: refresh of stored entries?
in [Postfix]
|
Prev: virtual_alias_domains vs. virtual_mailbox_domains
Next: About reject_authenticated_sender_login_mismatch
From: Stefan Foerster on 30 Dec 2009 20:08 from /var/log/mail.log: Dec 31 01:49:47 nemea postfix/postscreen[2994]: PASS OLD 168.100.1.4 # postmap -q 168.100.1.4 btree:/var/lib/postfix/ps_cache 1262188493 # date --date "Dec 31 01:49:47" "+%s" 1262220587 # echo $(((1262220587-1262188493)/3600)) 8 If a client that has passed postscreen in the past connects again, should the timestamp stored in $postscreen_cache_map be updated? For legitimate clients, this would avoid a delay and/or DNS lookups every $postscreen_cache_retention_time. OTOH, if a non-legitimate client somehow gets to use the IP address of a sender previously added to the database, we lose our first line of defense. Small gain, big potential risk? Stefan^:wq
From: Wietse Venema on 30 Dec 2009 20:40
Stefan Foerster: > from /var/log/mail.log: > Dec 31 01:49:47 nemea postfix/postscreen[2994]: PASS OLD 168.100.1.4 > > # postmap -q 168.100.1.4 btree:/var/lib/postfix/ps_cache > 1262188493 > > # date --date "Dec 31 01:49:47" "+%s" > 1262220587 > > # echo $(((1262220587-1262188493)/3600)) > 8 > > If a client that has passed postscreen in the past connects again, > should the timestamp stored in $postscreen_cache_map be updated? Currently the time stamp says when the IP address passed the tests. If the time stamp is updated without passing a test, then I don't understand what the time stamp means: something passed a test, maybe weeks or perhaps months ago? I also don't understand what the problem is with repeating a test once after 24 hours. Wietse > For > legitimate clients, this would avoid a delay and/or DNS lookups > every $postscreen_cache_retention_time. OTOH, if a non-legitimate > client somehow gets to use the IP address of a sender previously added > to the database, we lose our first line of defense. Small gain, big > potential risk? > > > Stefan^:wq > > |