Wietse Venema wrote:

> The postscreen manpage lists the tests in the order of execution.
> Thus, the blacklist is tested first. If the client is not
> blacklisted, then the whitelist test is done. And so on.
>
> I could swap the order of black/white tests if there is agreement that
> the current order is not optimal, but something has to go first.
That reminds me of a mistake in early tcp_wrappers, which kept allow and deny lists separate - later fixed by introducing hosts_options(5), which allowed mixing of allow and deny entries. The same mistake was repeated by the Apache httpd config, which works around the problem of having two lists instead of one merged list by a horrible kluge in the form of an 'Order' directive.

There is no 'one size fits all' right order of allow/deny or black/white lists, if these are limited to one list of each type. Conceivably one could need a:

    white 10.1.1.1, black 10.1.1.0/24, white 10.0.0.0/8

Some solution like a postfix access(5) or cidr_table(5) table would be best, with entries each claiming an OK/REJECT or whatever is documented.

Mark
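An added example (not code from this thread or from Postfix) that works through Mark's three-entry case: one ordered, first-match table gives the intended answer for every client, while two separate lists give a wrong answer for some client whichever list is consulted first. The addresses, the table contents and the "DUNNO" fall-through label are constructed for the example.

```python
import ipaddress

# Mark's case as a single ordered table in the spirit of cidr_table(5):
# the first entry that matches the client decides.
MERGED_TABLE = [
    ("10.1.1.1", "OK"),        # one host inside the blocked /24 is allowed
    ("10.1.1.0/24", "REJECT"), # the rest of the /24 is blocked
    ("10.0.0.0/8", "OK"),      # everything else in the /8 is allowed
]

# The same intent split into one list per type, as separate
# blacklist / whitelist tests would see it.
BLACKLIST = ["10.1.1.0/24"]
WHITELIST = ["10.1.1.1", "10.0.0.0/8"]


def _matches(addr, pattern):
    # strict=False lets a bare host ("10.1.1.1") act as a /32 network.
    return addr in ipaddress.ip_network(pattern, strict=False)


def lookup_merged(client, table=MERGED_TABLE):
    """Ordered table: order within the table *is* the policy."""
    addr = ipaddress.ip_address(client)
    for pattern, action in table:
        if _matches(addr, pattern):
            return action
    return "DUNNO"  # constructed label: no entry matched, defer to later tests


def lookup_split(client, black_first=True):
    """Two separate lists: a fixed global order breaks ties between them."""
    addr = ipaddress.ip_address(client)
    checks = [
        ("REJECT", any(_matches(addr, p) for p in BLACKLIST)),
        ("OK", any(_matches(addr, p) for p in WHITELIST)),
    ]
    if not black_first:
        checks.reverse()
    for action, matched in checks:
        if matched:
            return action
    return "DUNNO"


if __name__ == "__main__":
    for client in ("10.1.1.1", "10.1.1.7", "10.2.3.4", "192.0.2.1"):
        print(client, lookup_merged(client),
              lookup_split(client, True), lookup_split(client, False))
```

Black-first gets 10.1.1.1 wrong (REJECT instead of OK) and white-first gets 10.1.1.7 wrong (OK instead of REJECT); only the merged table matches the stated intent for both.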