In my last gig I ran Exchange, Oracle and various Debian servers. I
retired and set up Postfix, bind9 etc to support my hobby domain. It
keeps me involved.
I use Fail2Ban, lousy docs, good product. I upgraded from iptables to
nftables. I have written a few regex filters passing variables to
actions for nftables and Postfix that work rather well. I like MariaDB,
not Oracle but, as I said, it keeps me involved.
I update nftables sets dynamically. I did not like fail2ban reloading
Postfix to update the access files.
With the advice found here, I have changed access lists to lmdb. I had
not used postmap on postscreen's cidr files previously. I read doing so
would eliminate reloading on updates.
Testing now. Looks good so far.
Great Product, Great Group.
thx
--john
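As an added example, not from this thread and not one of fail2ban's own action files: a minimal POSIX shell ban action along the lines John describes, which adds the offending IP to an nftables set (an atomic update) and rebuilds a Postfix lmdb access map, so neither Postfix nor postscreen needs a reload. The set name `inet filter f2b_smtp`, the map path, and the 24h timeout are assumptions for this example.

```shell
#!/bin/sh
# Added example: fail2ban-style actionban. Assumes the nftables set was
# created with "flags timeout" (assumption) and that main.cf references
# lmdb:/etc/postfix/client_access (assumption), which Postfix reopens on
# change without a reload.
NFT="${NFT:-nft}"                 # NFT=echo gives a dry run
POSTMAP="${POSTMAP:-postmap}"
NFT_SET="${NFT_SET:-inet filter f2b_smtp}"   # family, table, set
ACCESS_SRC="${ACCESS_SRC:-/etc/postfix/client_access}"
BAN_TIME="${BAN_TIME:-24h}"

# fail2ban substitutes <ip> into the action; only a plain IPv4 dotted
# quad may reach a command line, so anything else is rejected here.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldIFS=$IFS; IFS=.
    set -- $1
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Add the IP to the set; the element timeout lets the ban expire on its own.
ban_nft() {
    valid_ipv4 "$1" || return 1
    $NFT add element $NFT_SET "{ $1 timeout $BAN_TIME }"
}

# Append a REJECT entry once, then rebuild the lmdb map from the source file.
ban_postfix() {
    valid_ipv4 "$1" || return 1
    awk -v ip="$1" '$1 == ip { f = 1 } END { exit !f }' "$ACCESS_SRC" 2>/dev/null ||
        printf '%s REJECT banned by fail2ban\n' "$1" >> "$ACCESS_SRC"
    $POSTMAP "lmdb:$ACCESS_SRC"
}

# Entry point used as actionban = /path/to/this.sh <ip>
ban() { ban_nft "$1" && ban_postfix "$1"; }
```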
On 3/29/25 2:03 PM, Phil Stracchino via Postfix-users wrote:
On 3/29/25 07:01, John Hill via Postfix-users wrote:
I'm concerned most about postfix reloads. I have a small system, only 4
users. (Retired Hobby)
I average nearly 500 failed login attempts from around the world every
24 hours.
Fail2ban sees errors and I add the ip to postscreen.cidr or nftables
depending, but then I do a reload.
Nftables offers an "atomic" reload. I use MariaDB for the virtual user
info. I wondered if maps or cidr
OK. If you have only 4 users, and don't already have it installed for
some other purpose, MariaDB/MySQL (and learning to tune it) *JUST* for
virtual user tables is MASSIVE overkill.
I manage three domains of my own and relay for a fourth, I have dozens
of real and virtual users, and lmdb does everything I need. I believe
"lmdb" is the best answer to your question, in your use case. It is
better than bdb, better than hash, not encumbered, doesn't need a
license, and doesn't need to continuously run a full relational DB
engine just for the occasional lightweight lookup.
You *do* know that you can configure fail2ban to block hostile IPs for
you automatically, right? That is its entire point. Your use case is
probably simpler there than mine, because you can take one of the
default configurations to just update nftables on localhost. I had to
write a custom configuration for mine to perform fail2ban actions
remotely on my dedicated firewall/router using Shorewall. Once I
started to understand fail2ban's configuration, it wasn't terribly
difficult, but there is a distinct learning curve there.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org