On Fri, Apr 27, 2012 at 12:02:05PM -0700, kar...@mailcan.com wrote:
> On Fri, Apr 27, 2012, at 08:54 PM, Bron Gondwana wrote:
> > Just as an interesting point from a fairly large site
> > (fastmail.fm) we do something very like that. We run a
> > standalone daemon, and we keep a "bad list" of IPs who get
> > dumped immediately without even a DNS lookup.
> >
> > One of our patches to postfix allows that, dropping the
> > connection while doing nothing more than a syslog of the IP
> > address.
>
> That's interesting. Just out of curiosity, as I'm in the midst
> of reading about policy daemons, milters, before & after queue
> filtering, etc.
>
> At a high level -- how did you implement this? Sounds like
> you're actually patching postfix code, and not handing off to a
> daemon/milter/etc early in the process.
Postfix is going to do a reverse DNS lookup of any connecting client, followed by a forward lookup of the PTR name received. This is fine for most sites. Small sites can save some of this using postscreen, which merely does a few cheap and fast checks without the PTR/A(AAA)? lookups.

It sounds like Bron's patch is to do a client local blacklist lookup beforehand. Fastmail.fm might be too big to benefit from postscreen, but you are probably not. :)

Your best answer, as discussed upthread, is to use postscreen.

-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
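A stock postscreen setup that gives the "local bad list, dropped before any DNS lookup" behaviour the thread describes, without patching Postfix. This is an added example, not configuration from the thread or from the Postfix project; the file path and the 192.0.2.0/24 and 198.51.100.7 addresses are constructed placeholders.

```ini
# --- /etc/postfix/main.cf (excerpt) ---
# postscreen consults this list before its DNSBL queries and before
# handing the client to smtpd, so a listed client never triggers the
# smtpd PTR/A lookups. Keep permit_mynetworks first so your own hosts
# cannot be locked out by a typo in the table.
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr
# "drop" closes the connection at once (521) instead of merely
# logging ("ignore") or replying with a 550 after the greeting ("enforce").
postscreen_blacklist_action = drop
# Whitelisted clients are passed through to smtpd immediately.
postscreen_whitelist_interfaces = static:all

# --- /etc/postfix/postscreen_access.cidr (constructed entries) ---
# Lookup key is the client IP; first match wins. Review the table
# periodically: a stale "reject" silently blocks mail from a reassigned
# address.
# 192.0.2.0/24     reject
# 198.51.100.7     reject

# --- /etc/postfix/master.cf (the lines that enable postscreen) ---
# smtp      inet  n       -       n       -       1       postscreen
# smtpd     pass  -       -       n       -       -       smtpd
# dnsblog   unix  -       -       n       -       0       dnsblog
# tlsproxy  unix  -       -       n       -       0       tlsproxy
```

Each rejected client still produces a syslog line from postscreen carrying the client address, so the same "log and drop" record Bron's patch emits is available for fail2ban-style processing or for auditing how much traffic the table is absorbing.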