On 2/1/2012 3:43 AM, Gábor Lénárt wrote: > Of course I only wrote about a "local RBL" which is maintained by ourselves > for this purpose, not a general-purpose public BL.
A local RBL would make some sense; you didn't mention that earlier. That's not a whole lot different than maintaining a local blacklist or firewall rules. Once you identify IPs you don't want sending mail, there are multiple choices to block them -- a local RBL makes sharing a blacklist within a farm very easy. This is relatively lightweight; client connects, postfix does a DNS lookup, client is rejected. As long as the client isn't making DoS-level connections this is reasonably efficient. Postscreen could do this with "before 220 tests", but is likely overkill. At some point you may want to do something more complex than the standard "reject_rbl_client ...", such as "this username can't connect from this range" or "don't ever block this user". You can do the more complex queries by using a policy service that consults the RBL and can also consider the IP and username used. This still allows the client to AUTH and adds that overhead, but is far more flexible. This could be combined with Fail2Ban or similar built into your policy service to temporarily firewall IPs that exceed some level of bad behavior. HTH... -- Noel Jones
