In the Postfix postscreen readme, it says the main limitation of "after 220 greeting" tests is that a new client must disconnect after passing these tests. To partially mitigate problems, it recommends that small sites:

Configure postscreen(8) to listen on multiple IP addresses, published in DNS as different IP addresses for the same MX hostname or for different MX hostnames. This avoids mail delivery delays with clients that reconnect immediately from the same IP address.

How is this done in Postfix exactly?

Can I assume something like the following, where 150.xxx.xx.12 and 150.xxx.xx.12 are MX A records in my zone file pointing to the same host name?

150.xxx.xx.12:smtp   inet  n       -       y       -       1    postscreen
150.xxx.xx.13:smtp   inet  n       -       y       -       1    postscreen
smtpd                pass  -       -       y       -       -    smtpd
   -o smtpd_sasl_auth_enable=no
   -o smtpd_discard_ehlo_keywords=silent-discard,dsn
dnsblog              unix  -       -       y       -       0    dnsblog
tlsproxy             unix  -       -       y       -       0    tlsproxy

The above is taken from my current setup, with just the postscreen entries doubled up.

Also BTW since I only have one IPv4 available for this, I assume it's OK to use an IPv6 for the "alternative" MX address(es) (at the risk of some clients not seeing it)?

  • Those tests assume you want to receive mail only from parties that never do shady things (like quickly iterating through a large pool of distinct IP addresses, hoping to defeat all of your IP-based policies). Are you quite certain that you are in a position to delay/refuse messages from certain providers tolerated even by a substantial fraction of this site's audience?
    – anx
    Commented Jun 25 at 22:49
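
Added example, not part of the question or of Postfix: a small check that every address published for the MX has a port-25 listener in master.cf that runs postscreen, so no published address reaches smtpd directly or goes unanswered. The sample master.cf and the addresses are constructed (documentation ranges), and the bracketed `[address]:port` form for IPv6 follows master(5); symbolic host names in master.cf are not resolved here.

```python
import ipaddress

# Constructed sample master.cf (documentation addresses, not the poster's).
SAMPLE_MASTER_CF = """\
192.0.2.12:smtp      inet  n       -       y       -       1    postscreen
[2001:db8::25]:smtp  inet  n       -       y       -       1    postscreen
198.51.100.7:smtp    inet  n       -       y       -       -    smtpd
smtpd                pass  -       -       y       -       -    smtpd
   -o smtpd_sasl_auth_enable=no
dnsblog              unix  -       -       y       -       0    dnsblog
"""


def inet_listeners(master_cf):
    """Yield (address, port, command) for every 'inet' service line."""
    for line in master_cf.splitlines():
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue  # blank lines, comments, "-o" continuation lines
        fields = line.split()
        if len(fields) < 8 or fields[1] != "inet":
            continue  # pass/unix/fifo services do not bind a network address
        host, _, port = fields[0].rpartition(":")
        host = host.strip("[]")  # IPv6 literals are written as [addr]:port
        try:
            addr = ipaddress.ip_address(host) if host else None  # None = all
        except ValueError:
            addr = host  # symbolic host name, left unresolved
        yield addr, port, fields[7]


def audit(master_cf, mx_addresses):
    """Map each published MX address to the command answering its port 25."""
    result = {}
    for mx in map(ipaddress.ip_address, mx_addresses):
        result[str(mx)] = "none"
        for addr, port, command in inet_listeners(master_cf):
            if port in ("smtp", "25") and addr in (None, mx):
                result[str(mx)] = command
    return result


if __name__ == "__main__":
    published = ["192.0.2.12", "2001:db8::25", "198.51.100.7", "203.0.113.9"]
    for address, command in audit(SAMPLE_MASTER_CF, published).items():
        flag = "ok" if command == "postscreen" else "CHECK"
        print(f"{address:<16} {command:<11} {flag}")
```

Any address reported as something other than `postscreen` is either unanswered or accepts SMTP without the postscreen tests.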
