btb:
> we have a small local blacklist, mostly used for clients which
> aren't listed in dnsbls.
> 
> postscreen_access_list = 
> cidr:$table_directory/postscreen_access_list-rejects.cidr
> 
> sometimes when a larger netblock gets listed, it can have the
> unintended consequences of blocking well behaved clients which
> happen to be within that netblock:
> 
> Jan 20 09:37:10 mta2 postfix/postscreen[18045]: CONNECT from 
> [64.26.60.147]:58250 to [10.3.70.6]:25

In the CIDR table, specify netblocks as follows:

192.168.1.1     dunno
192.168.1.0/24  reject

I.e. specify the good clients before the bad ones. Instead of "dunno"
specify "permit" if you are certain that the host is not a bot.

        Wietse
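
The ordering advice in the reply above, as an added example that is not part of the original post or of Postfix: a small Python model of first-match lookup over plain "pattern action" lines, plus a check for entries that can never match because a wider netblock is listed before them. The table contents and the function names (`parse_cidr_table`, `lookup`, `shadowed`) are constructed for illustration.

```python
import ipaddress

# Constructed sample tables in "pattern  action" form (not taken from the thread).
GOOD_FIRST = """\
192.168.1.1     dunno
192.168.1.0/24  reject
"""
BAD_FIRST = """\
192.168.1.0/24  reject
192.168.1.1     dunno
"""

def parse_cidr_table(text):
    """Return [(network, action)] in file order; skip blank and '#' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        # A bare address becomes a /32 (or /128) network.
        rules.append((ipaddress.ip_network(pattern), action.strip()))
    return rules

def lookup(rules, addr):
    """First-match search: the first pattern containing addr decides."""
    ip = ipaddress.ip_address(addr)
    for net, action in rules:
        if ip.version == net.version and ip in net:
            return action
    return None  # no pattern matched

def shadowed(rules):
    """List rules that are unreachable because an earlier rule covers them."""
    out = []
    for i, (net, action) in enumerate(rules):
        for earlier, earlier_action in rules[:i]:
            if earlier.version == net.version and net.subnet_of(earlier):
                out.append((str(net), action, str(earlier), earlier_action))
                break
    return out

if __name__ == "__main__":
    for name, text in (("good first", GOOD_FIRST), ("bad first", BAD_FIRST)):
        rules = parse_cidr_table(text)
        print(name, lookup(rules, "192.168.1.1"), shadowed(rules))
```

Running `shadowed()` over a table before deploying it catches an exception entry that was appended below the netblock it was meant to exempt.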
