Maciej Uhlig:
> We run fail2ban to update postscreen blacklist which is a cidr file. To
> make postscreen see the changes we have to reload postfix. Yesterday we
> found postfix was reloaded more than 3000 times. Sure it is not acceptable.

Surely you don't have to reload it EVERY 30 SECONDS. What about using a 5-minute time window?

> What would be the best way to refresh postscreen blacklist (something
> like kill -HUP) without paying the penalty of losing performance? Would
> changing cidr type to hash do the trick?

This is a bad idea: Postfix daemons are designed to restart when a hash: map is changed from under them, because otherwise Berkeley DB 2.x and later will produce nonsense results (or crash the program).

Using sqlite might work, but I don't know if it is fast enough.

	Wietse
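One way to apply the time-window suggestion above, as an added example that is not part of the thread and not Postfix's or fail2ban's own code: fail2ban's ban action only appends to the cidr: file and sets a "dirty" flag, and a cron job reloads Postfix at most once per window, only when the file actually changed. The file paths, flag names, window length and the `ban`/`reload` entry points are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the postfix-users thread): batch postscreen
# blacklist changes from fail2ban and reload Postfix at most once per
# WINDOW seconds, instead of once per ban.
#
# Assumed (hypothetical) layout:
#   $CIDR_FILE   the cidr: table listed in postscreen_access_list
#   $DIRTY_FLAG  exists when the table changed since the last reload
#   $STAMP_FILE  epoch seconds of the last successful reload
#   fail2ban actionban  = /usr/local/sbin/postscreen-ban ban <ip>
#   cron, every minute  = /usr/local/sbin/postscreen-ban reload

CIDR_FILE=${CIDR_FILE:-/etc/postfix/postscreen_access.cidr}
DIRTY_FLAG=${DIRTY_FLAG:-/run/postscreen-reload.dirty}
STAMP_FILE=${STAMP_FILE:-/run/postscreen-reload.stamp}
WINDOW=${WINDOW:-300}                    # minimum seconds between reloads
RELOAD_CMD=${RELOAD_CMD:-"postfix reload"}

# fail2ban actionban: append "<ip> reject" and mark the table dirty.
# Never reloads Postfix itself.
ban_ip() {
    ip=$1
    # Skip entries that are already present (first field is the pattern).
    awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' \
        "$CIDR_FILE" 2>/dev/null && return 0
    printf '%s reject\n' "$ip" >> "$CIDR_FILE"
    : > "$DIRTY_FLAG"
}

# Cron entry point: reload only if the table is dirty and the last reload
# is at least WINDOW seconds old. Returns 0 if a reload was done, 1 if not.
# NOW may be passed as $1 (epoch seconds) for testing.
maybe_reload() {
    now=${1:-$(date +%s)}
    [ -e "$DIRTY_FLAG" ] || return 1
    last=0
    [ -r "$STAMP_FILE" ] && last=$(cat "$STAMP_FILE")
    [ $((now - last)) -ge "$WINDOW" ] || return 1
    # Clear the flag before reloading so a ban that lands during the
    # reload is not lost; restore it if the reload fails, so cron retries.
    rm -f "$DIRTY_FLAG"
    if ! $RELOAD_CMD; then
        : > "$DIRTY_FLAG"
        return 1
    fi
    echo "$now" > "$STAMP_FILE"
    return 0
}

case ${1:-} in
    ban)    ban_ip "$2" ;;
    reload) maybe_reload ;;
esac
```

With a 300-second window the 3000 reloads a day from the question collapse to at most 288, and to far fewer when bans come in bursts, since a burst only sets the flag once. postscreen keeps serving the old table until the reload completes, so the only cost of batching is that a freshly banned client can connect for up to five more minutes.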