Very good suggestions.

Fail2ban only lets one login attempt fail, then adds the IP to the ingress block.

Could be worse. I have played around with blocking countries, but the lists can be somewhat incorrect.

I like the idea of dns using rbl. Spamhaus is my friend. I have used bind9 (for years).

I'll see if I can find an rbl config for it.

I am appreciative of a great product - Postfix, and the amount of support.

Thanks

--john
On 3/29/25 10:16 AM, Wietse Venema wrote:
> John Hill via Postfix-users:
> > I'm concerned most about postfix reloads. I have a small system only 4
> > users. (Retired Hobby)
> 
> On a lightly loaded server, reload is quick. On a busy server, a reload
> interrupts deliveries and requires a queue scan to find messages
> that are ready for delivery. That is relatively slow.
> 
> > I average nearly 500 failed login attempts from around the world every
> > 24 hours.
> 
> In that case, "best" would lean more towards "convenient to live
> with" and less towards "able to support planet-scale infrastructure".
> 
> > Fail2ban sees errors and I add the ip to postscreen.cidr or nftables
> > depending, but then I do a reload.
> > 
> > Nftables offers an "atomic" reload. I use MariaDB for the virtual
> > user info. I wondered if maps or cidr could be read from it
> > and eliminate the reload. Maybe a way to do a map read while still
> > in process?
> 
> There's a third option, Michael Tokarev's rbldnsd. This implements
> a private DNS reputation service instead of a postscreen access
> table. Like nftables, this avoids the need to reload Postfix.
> 
> It's currently maintained by Spamhaus:
> 
> https://github.com/spamhaus/rbldnsd
> 
> rbldnsd automatically checks if data files have changed (by default
> once per minute), but you can also send it a SIGHUP signal to reload
> "now". It's designed to handle a large query load.
> 
>         Wietse
Postfix-users mailing list -- postfix-users@postfix.org
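Added example, not code from this thread or from the Postfix or rbldnsd projects: a small POSIX shell script that turns a fail2ban-style ban list into an rbldnsd "ip4set" zone file (the private DNS reputation zone Wietse suggests in place of a postscreen access table) and shows the reversed-octet name that postscreen looks up for a connecting client. The zone name bl.example.internal, the file paths, the pid file and the rbldnsd and BIND command lines in the comments are assumptions; the addresses are constructed samples from documentation ranges, not real offenders.

```shell
#!/bin/sh
# Added example (not from the thread, Postfix or rbldnsd). Assumed names:
# zone bl.example.internal, data dir /var/lib/rbldnsd, pid file
# /run/rbldnsd.pid. The addresses below are constructed samples.

# Emit an rbldnsd ip4set data file from a ban list on stdin: one IPv4
# address or CIDR per line, '#' comment lines allowed, duplicates tolerated.
# The first line (":A-record:TXT") sets the default reply for every entry,
# so postscreen sees 127.0.0.2 plus a human-readable reason for any hit.
render_ip4set() {
    printf ':127.0.0.2:Blocked by local policy, contact postmaster\n'
    # keep only tokens that look like an IPv4 address or prefix, deduplicate
    grep -Eo '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?' | sort -u
}

# Build the DNSBL query name for a client: octets reversed, zone appended.
# This is what postscreen asks the system resolver for when the zone is
# listed in postscreen_dnsbl_sites.
dnsbl_query() {
    ip=$1; zone=$2
    echo "$ip" | awk -F. -v z="$zone" \
        '{ printf "%s.%s.%s.%s.%s\n", $4, $3, $2, $1, z }'
}

# Demo with a constructed ban list (the kind of list fail2ban would hand
# you); in real use the input would come from the ban action instead.
printf '192.0.2.5\n# noted by fail2ban\n198.51.100.0/24\n192.0.2.5\n' \
    | render_ip4set
dnsbl_query 192.0.2.5 bl.example.internal

# Wiring it up (assumed paths/flags, shown as comments so the demo runs
# offline):
#   rbldnsd -b 127.0.0.1/5353 -r /var/lib/rbldnsd -p /run/rbldnsd.pid \
#       bl.example.internal:ip4set:banned
#   main.cf: postscreen_dnsbl_sites = bl.example.internal
# After rewriting /var/lib/rbldnsd/banned, either wait for rbldnsd's
# periodic file check (default once a minute) or force it now:
#   kill -HUP "$(cat /run/rbldnsd.pid)"
# Postfix itself is never reloaded, which is the point of the thread.
```

Because postscreen resolves DNSBL names through the system resolver, a bind9 setup like John's needs a forward zone for bl.example.internal pointing at the address and port rbldnsd listens on; that detail, like the rest of the deployment commands, is an assumption of this example rather than something the thread spells out.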