>>> This whitelist is 1409 records long, so indeed as you say very small. I
>>> suppose I could download it and host it locally. Apparently AXFR is not
>>> allowed, but plain text HTTP download is, so that's good enough.
>>> Then I would only need an efficient and robust way for postfix to use
>>> it.
>>
>> If they let you download a list of IPs, just use your favorite
>> sed/awk/perl to change it into an access table.
>
> The question is: Will this be really more reliable than using a policy
> service that simply queries dns for this task?

By the way, in the meantime I followed the advice given by Stan Hoeppner and Noel Jones and made a daily cronjob which wget's the blacklist, puts some OKs in there and then postmaps the list to a hash map, which is then used with a check_client_access rule in smtpd_recipient_restrictions. This works okay, and fairly reliably, because I added a couple of sanity checks before actually switching over to the new whitelist. If some sanity check fails (for instance the number of IPs is outside a sane range or if postmap chokes on it), then the cronjob will just keep the current whitelist in place.
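
Added example, not part of the original message and not the poster's script: one way to write the cron job described above, so that a bad download can never replace a working table. The URL, the table path, the 1000-3000 range and the `POSTMAP` override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script. URL, path and range are placeholders.
LIST_URL="${LIST_URL:-http://whitelist.example/ips.txt}"
ACCESS="${ACCESS:-/etc/postfix/whitelist_access}"
MIN_IPS="${MIN_IPS:-1000}"   # assumed sane range around the ~1409 records
MAX_IPS="${MAX_IPS:-3000}"
POSTMAP="${POSTMAP:-postmap}"

# stdin: one IP per line. stdout: "IP OK" for well-formed IPv4 lines only;
# HTML error pages, blank lines and out-of-range octets are dropped.
to_access_table() {
    awk '{ sub(/\r$/, "") }
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            ok = 1; n = split($0, o, ".")
            for (i = 1; i <= n; i++) if (o[i] + 0 > 255) ok = 0
            if (ok) print $0 " OK"
        }'
}

# Install candidate table $1 as $2 only if every check passes; on any
# failure return non-zero and leave $2 and $2.db exactly as they were.
install_if_sane() {
    cand=$1; dest=$2; new="$dest.new"
    count=$(($(wc -l < "$cand")))
    if [ "$count" -lt "$MIN_IPS" ] || [ "$count" -gt "$MAX_IPS" ]; then
        echo "whitelist: $count entries outside $MIN_IPS-$MAX_IPS, keeping old" >&2
        return 1
    fi
    # Compile a copy beside the destination so the final mv is a rename.
    cp "$cand" "$new" || return 1
    if ! $POSTMAP "hash:$new"; then
        echo "whitelist: postmap failed, keeping old" >&2
        rm -f "$new" "$new.db"
        return 1
    fi
    mv "$new.db" "$dest.db" && mv "$new" "$dest"
}

refresh_whitelist() {
    raw=$(mktemp) && tbl=$(mktemp) || return 1
    rc=0
    if wget -q -O "$raw" "$LIST_URL" && to_access_table < "$raw" > "$tbl"; then
        install_if_sane "$tbl" "$ACCESS" || rc=1
    else
        echo "whitelist: download failed, keeping old" >&2; rc=1
    fi
    rm -f "$raw" "$tbl"
    return $rc
}

if [ "${1:-}" = "--run" ]; then refresh_whitelist; fi
```

Run from cron with `--run`; the non-zero exit and the stderr line on a rejected update let cron mail the failure while Postfix keeps using the previous table.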