On 3/29/25 07:01, John Hill via Postfix-users wrote:
> I'm concerned most about postfix reloads. I have a small system only 4
> users. (Retired Hobby)
> I average nearly 500 failed login attempts from around the world every
> 24 hours.
> Fail2ban sees errors and I add the ip to postscreen.cidr or nftables
> depending, but then I do a reload.
> Nftables offers an "atomic" reload. I use MariaDB for the virtual user
> info. I wondered if maps or cidr
OK. If you have only 4 users, and don't already have it installed for
some other purpose, MariaDB/MySQL (and learning to tune it) *JUST* for
virtual user tables is MASSIVE overkill.
I manage three domains of my own and relay for a fourth; I have dozens
of real and virtual users, and lmdb does everything I need. I believe
"lmdb" is the best answer to your question, in your use case. It is
better than bdb, better than hash, not encumbered, doesn't need a
license, and doesn't need to continuously run a full relational DB
engine just for the occasional lightweight lookup.
You *do* know that you can configure fail2ban to block hostile IPs for
you automatically, right? That is its entire point. Your use case is
probably simpler there than mine, because you can take one of the
default configurations to just update nftables on localhost. I had to
write a custom configuration for mine to perform fail2ban actions
remotely on my dedicated firewall/router using Shorewall. Once I
started to understand fail2ban's configuration, it wasn't terribly
difficult, but there is a distinct learning curve there.
--
Phil Stracchino
Fenian House Publishing
ph...@caerllewys.net
p...@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
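The automatic-blocking loop the reply describes (fail2ban watching for SASL failures in the Postfix log, then feeding offending addresses to postscreen's CIDR access list or an nftables set) can be illustrated with a small standalone script. This is an added example, not code from the thread or from fail2ban; the log lines are constructed with documentation addresses, and the nftables table and set names (`inet filter` / `smtp_ban`) are assumptions that must match an existing set on the host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Postfix smtpd log format (RFC 5737 documentation
# addresses, not real offenders). One client fails three times in four seconds;
# another fails once, then twice more half an hour later.
SAMPLE_LOG = """\
Mar 29 06:58:01 mail postfix/smtpd[4242]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 29 06:58:03 mail postfix/smtpd[4242]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 29 06:58:05 mail postfix/smtpd[4242]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar 29 06:59:10 mail postfix/smtpd[4243]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 29 07:00:00 mail postfix/smtpd[4244]: connect from client.example.net[192.0.2.10]
Mar 29 07:30:00 mail postfix/smtpd[4245]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 29 07:30:02 mail postfix/smtpd[4245]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Matches the "SASL ... authentication failed" warning smtpd logs for a failed login.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)


def parse_failures(text, year=2025):
    """Return (timestamp, ip) for every SASL failure line; syslog lacks a year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events


def offenders(events, maxretry=3, findtime=600):
    """Sliding window in the spirit of fail2ban's maxretry/findtime:
    an address is reported once it has maxretry failures within findtime seconds."""
    recent = defaultdict(list)
    banned = []
    for ts, ip in sorted(events):
        window = recent[ip]
        window.append(ts)
        # Drop failures older than the window before counting.
        while (ts - window[0]).total_seconds() > findtime:
            window.pop(0)
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


def postscreen_cidr_lines(ips):
    """Lines for a cidr: table used by postscreen_access_list (takes effect on reload)."""
    return [
        f"{ip}/128 reject" if ":" in ip else f"{ip}/32 reject"
        for ip in ips
    ]


def nft_commands(ips, table="inet filter", set_name="smtp_ban"):
    """nft commands adding each address to an existing set (assumed names); no Postfix reload needed."""
    return [f"nft add element {table} {set_name} {{ {ip} }}" for ip in ips]


if __name__ == "__main__":
    hits = offenders(parse_failures(SAMPLE_LOG))
    print("\n".join(postscreen_cidr_lines(hits)))
    print("\n".join(nft_commands(hits)))
```

With the defaults only 203.0.113.7 is reported: 198.51.100.20 never reaches three failures inside a ten-minute window, which is the same distinction fail2ban's `findtime` draws. The generated CIDR lines go into the file named by `postscreen_access_list = cidr:/path/to/file` and need a `postfix reload` to be picked up, whereas the `nft add element` form updates the running ruleset in place, which is why the thread's nftables path avoids reloads altogether.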