On May 23, 2012, at 11:23, Maciej Uhlig wrote:

> We run fail2ban to update the postscreen blacklist, which is a cidr file. To
> make postscreen see the changes we have to reload postfix. Yesterday we
> found postfix was reloaded more than 3000 times. Sure it is not acceptable.
>
> What would be the best way to refresh the postscreen blacklist (something
> like kill -HUP) without paying the penalty of losing performance? Would
> changing the cidr type to hash do the trick?
We used to run a cron job for refreshing the blacklist, and only reloaded
Postfix when there was an actual change. Have since moved to a local
rbldnsd, which will automatically reload itself whenever the blacklist
gets updated. Happens about 10 times a day, in our case. Postfix uses
'reject_rbl_client' to query the blacklist zone, automatically gets any
updated results, but never needs to be reloaded.

Our RBL runs on localhost only, and gets its queries forwarded to a custom
port by the stub resolver running on the same machine. In BIND, this works
like this:

    zone "rbl.domain.tld" IN {
        type forward;
        forward first;
        forwarders { 127.0.0.1 port 5335; };
    };

Unbound and the PowerDNS recursor have similar options. This assumes that
rbldnsd has been started with a '-b127.1/5335' option to bind on the custom
port.

Performance should not be an issue, I reckon, as rbldnsd is deemed to be
quite fast. Another plus is that the blacklist is only loaded into memory
once, instead of for every active Postfix process.

It works well for us, anyway. If there are gotchas that we haven't run into,
I'd love to hear about them.

Cya,
Jona
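The two ideas in the reply above, feeding the blacklist to a local rbldnsd instead of postscreen, and only touching the list file when its content really changed, can be combined in one small cron script. The script below is an added example and is not code from the thread, from Jona, or from the rbldnsd or Postfix projects. It assumes the input is a postscreen access list in cidr format ("address-or-prefix action" per line, e.g. "192.0.2.10 reject"), that the output is an rbldnsd "ip4set" dataset (one address or CIDR prefix per line, with a leading ":127.0.0.2:text" default answer and "$SOA"/"$NS" header lines), and that rbldnsd reloads the file when its modification time changes. The zone name "rbl.domain.tld", the SOA/NS values, the listing text and the sample addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): build an rbldnsd ip4set zone
# from a postscreen cidr access list and replace the zone file only when the
# generated content differs from what is already installed. rbldnsd notices
# the new mtime and reloads itself; nothing is restarted when nothing changed.
#
# Assumptions (constructed placeholders, not values from the thread):
#   - input lines look like "192.0.2.10 reject" or "198.51.100.0/24 reject"
#   - rbldnsd serves the file as an "ip4set" dataset for ZONE_NAME

ZONE_NAME="rbl.domain.tld"

# Read a postscreen cidr map on stdin, print an rbldnsd ip4set dataset on stdout.
# Only entries whose action is "reject" are listed; comments and blanks are dropped.
cidr_to_ip4set() {
    # Dataset header: SOA, NS and the default answer (A 127.0.0.2 + TXT text).
    printf '$SOA 3600 %s hostmaster.%s 0 3600 900 604800 300\n' "$ZONE_NAME" "$ZONE_NAME"
    printf '$NS 3600 localhost\n'
    printf ':127.0.0.2:Listed by fail2ban on %s\n' "$ZONE_NAME"
    awk '
        /^[[:space:]]*#/ { next }           # comment line
        NF == 0          { next }           # blank line
        $2 == "reject"   { print $1 }       # keep the address or CIDR prefix
    ' | LC_ALL=C sort -u                    # stable order => byte-for-byte comparable
}

# Install new_file as zone_file only if the content differs.
# Returns 0 when the zone file was replaced, 1 when it was already up to date.
install_if_changed() {
    new_file=$1
    zone_file=$2
    if [ -f "$zone_file" ] && cmp -s "$new_file" "$zone_file"; then
        rm -f "$new_file"               # identical: leave mtime alone, no reload
        return 1
    fi
    mv "$new_file" "$zone_file"         # new mtime: rbldnsd reloads on its next check
    return 0
}

# Cron entry point: regenerate the zone from cidr_map and install it.
# Prints "updated" or "unchanged" so the cron log shows what happened.
refresh_zone() {
    cidr_map=$1
    zone_file=$2
    tmp="$zone_file.tmp.$$"
    cidr_to_ip4set < "$cidr_map" > "$tmp"
    if install_if_changed "$tmp" "$zone_file"; then
        echo updated
    else
        echo unchanged
    fi
}

# Usage: refresh_zone.sh /etc/postfix/postscreen_access.cidr /var/lib/rbldnsd/rbl.zone
if [ "$#" -eq 2 ]; then
    refresh_zone "$1" "$2"
fi
```

Run it from cron every minute or so; the cidr file is regenerated every run, but the installed zone file only changes (and rbldnsd only reloads) when the set of listed addresses actually differs, which is the behaviour the reply describes for its old Postfix-reload cron job.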