3

I have a problem with postfix sometimes, inconsistently, rejecting client mails:

    Sep 15 09:24:07 mail postfix/postscreen[16209]: NOQUEUE: reject: RCPT from [x.x.x.x]:15037: 450 4.3.2 Service currently unavailable; from=<user@externaldomain.com>, to=<user@ourdomain.com>, proto=ESMTP, helo=<mail.external.com>
    Sep 16 07:41:01 mail postfix/postscreen[16209]: NOQUEUE: reject: RCPT from [x.x.x.x]:13720: 450 4.3.2 Service currently unavailable; from=<user@externaldomain.com>, to=<user@ourdomain.com>, proto=ESMTP, helo=<mail.external.com>
    Sep 16 09:08:22 mail postfix/postscreen[16209]: NOQUEUE: reject: RCPT from [x.x.x.x]:34719: 450 4.3.2 Service currently unavailable; from=<user@externaldomain.com>, to=<user@ourdomain.com>, proto=ESMTP, helo=<mail.external.com>

This is a Debian wheezy server running postfix 2.9.6-2. Looking at the performance graphs at the given time, neither the server nor postfix had high load, so I doubt it rejected for that.

Is there a way to reduce the load on this postscreen daemon, disable it or whitelist specific users so they can "pass through it"?

Pro Backup
drovak11

1 Answer

10

That error appeared in your log because you have enabled deep protocol tests, as documented in POSTSCREEN_README. Because postscreen isn't a proxy, it will become a sort of greylisting when you defer the client connection on the first attempt. More info in these two mailing list threads, this one and this one.

  • If you don't know/understand what happens in the deep protocol tests, don't enable them. Disable them by changing these parameters in main.cf:

    postscreen_bare_newline_enable = no
    postscreen_non_smtp_command_enable = no
    postscreen_pipelining_enable = no
    
  • If you want to enable them while whitelisting some clients, take a look at the parameter postscreen_access_list on this page. In short, add the parameter postscreen_access_list to main.cf:

    postscreen_access_list = cidr:/etc/postfix/postscreen_access.cidr
    

    Then in /etc/postfix/postscreen_access.cidr, define the ACL:

    # Rules are evaluated in the order as specified.
    # Blacklist 192.168.* except 192.168.0.1.
    192.168.0.1          permit
    192.168.0.0/16       reject
    
masegaloeh
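An added example (not part of the original answer, and not Postfix code): a small Python check that reproduces the first-match ordering of the CIDR table above, so you can confirm that a whitelisted client is matched before a broader reject and spot rules that can never match. The function names and the extra 192.168.5.5 line are assumptions made for illustration; only plain `pattern action` lines are handled.

```python
import ipaddress

# Constructed sample: the table from the answer plus one misordered permit.
SAMPLE_TABLE = """\
# Rules are evaluated in the order as specified.
192.168.0.1          permit
192.168.0.0/16       reject
192.168.5.5          permit
"""

ACTIONS = {"permit", "reject", "dunno"}  # actions postscreen_access_list accepts


def parse_table(text):
    """Return [(lineno, network, action)] for every rule line."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        action = action.strip()
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        # strict=True refuses patterns with host bits set, e.g. 192.168.0.1/16
        rules.append((lineno, ipaddress.ip_network(pattern, strict=True), action))
    return rules


def lookup(rules, client):
    """First matching rule wins; None means no rule in this table matched."""
    addr = ipaddress.ip_address(client)
    for lineno, net, action in rules:
        if addr.version == net.version and addr in net:
            return lineno, action
    return None


def shadowed(rules):
    """Return (rule_line, covering_line) for rules an earlier rule fully covers."""
    dead = []
    for i, (lineno, net, _action) in enumerate(rules):
        for prev_line, prev_net, _prev_action in rules[:i]:
            if net.version == prev_net.version and net.subnet_of(prev_net):
                dead.append((lineno, prev_line))
                break
    return dead
```

Here `lookup(parse_table(SAMPLE_TABLE), "192.168.5.5")` returns the reject on line 3, because the permit on line 4 comes too late. On the mail server itself, `postmap -q 192.168.0.1 cidr:/etc/postfix/postscreen_access.cidr` runs the same lookup through Postfix's own parser.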