Wietse Venema:
> Wietse Venema:
> > Maciej Uhlig:
> > > We run fail2ban to update the postscreen blacklist, which is a cidr
> > > file. To make postscreen see the changes we have to reload postfix.
> > > Yesterday we found postfix was reloaded more than 3000 times. Sure
> > > it is not acceptable.
> >
> > Surely you don't have to reload it EVERY 30 SECONDS. What about
> > using a 5-minute time window.
>
> Or using RBLDNSD, and adjusting postscreen_dnsbl_ttl suitably.
See also the detailed reply by DTNX Postmaster.

A word of caution: postscreen is designed to avoid doing tests for every
client connection; the postscreen_dnsbl_ttl value determines how long
DNSBL results are cached so that a test can be skipped, and setting the
value too low can result in an unacceptable number of postscreen cache
updates.

There currently is no way to say "don't update the postscreen cache when
a client passes test X" (X = DNSBL or PREGREET), or to have different
postscreen_dnsbl_ttl settings for different DNSBL providers.

Software doesn't grow on trees. It needs to be designed, built, tested
and documented.

	Wietse
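The rbldnsd route suggested above, written out as an added example (not code
from the thread, from Postfix, or from fail2ban): instead of rewriting the
postscreen CIDR file and reloading Postfix on every ban, the ban list is
published as an rbldnsd ip4set dataset that rbldnsd re-reads on its own, and
postscreen queries it as a DNSBL. Everything named here is an assumption for
illustration: the zone name fail2ban.rbl.local, rbldnsd listening on
127.0.0.1 port 5353, the dataset path /var/lib/rbldnsd/fail2ban.ip4set, and a
local resolver (e.g. unbound) forwarding that zone to rbldnsd so that Postfix's
normal DNS lookups reach it. The banned addresses arrive on stdin, for example
from a fail2ban actionban script; the sample addresses below are constructed.

```shell
#!/bin/sh
# Added example, not from the postfix-users thread. Publishes a fail2ban ban list
# as an rbldnsd zone for postscreen, so Postfix never needs a reload for a new ban.
#
# Hypothetical names (assumptions, not from the thread):
ZONE="${ZONE:-fail2ban.rbl.local}"                        # DNSBL zone name postscreen queries
DATASET="${DATASET:-/var/lib/rbldnsd/fail2ban.ip4set}"     # rbldnsd ip4set data file
RBLDNSD_ROOT="${RBLDNSD_ROOT:-/var/lib/rbldnsd}"
RBLDNSD_LISTEN="${RBLDNSD_LISTEN:-127.0.0.1/5353}"

# Turn a list of IPv4 addresses / CIDR prefixes (one per line on stdin) into an
# rbldnsd "ip4set" dataset. The leading ":A:TXT" line is rbldnsd's default answer
# for every entry that carries no explicit value; 127.0.0.2 is the conventional
# "listed" A record. Non-IPv4 junk is dropped and duplicates collapsed.
render_ip4set() {
    printf ':127.0.0.2:Listed by fail2ban (%s)\n' "$ZONE"
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' | sort -u
}

# Write the dataset atomically (rename, never a partial file). rbldnsd notices the
# changed mtime on its next check (-c seconds, default 60) and reloads the zone
# itself: no "postfix reload", however often fail2ban bans.
publish_ip4set() {
    tmp="$(mktemp "${DATASET}.XXXXXX")"
    render_ip4set > "$tmp"
    mv "$tmp" "$DATASET"
}

# How rbldnsd would be started for this zone (zone:type:file). Shown, not run.
rbldnsd_command() {
    printf 'rbldnsd -r %s -b %s -c 60 %s:ip4set:%s\n' \
        "$RBLDNSD_ROOT" "$RBLDNSD_LISTEN" "$ZONE" "$(basename "$DATASET")"
}

# Postfix side, applied once by hand. postscreen_dnsbl_ttl is the knob Wietse
# refers to: it is how long a DNSBL verdict stays in the postscreen cache before
# the client is tested again, so a ban becomes effective for an already-cached
# client only after the TTL expires. Lowering it makes bans bite sooner but, as
# the reply warns, drives up postscreen cache updates; 1h is the Postfix default.
postfix_settings() {
    cat <<EOF
postconf -e "postscreen_dnsbl_sites = ${ZONE}*2"
postconf -e "postscreen_dnsbl_threshold = 2"
postconf -e "postscreen_dnsbl_action = enforce"
postconf -e "postscreen_dnsbl_ttl = 1h"
postfix reload
EOF
}

# Usage: "sh thisfile.sh publish < banned-ips.txt" to (re)write the dataset, or
# "sh thisfile.sh show" to print the rbldnsd command line and postconf settings.
case "${1:-}" in
    publish) publish_ip4set ;;
    show)    rbldnsd_command; postfix_settings ;;
esac
```

The local-resolver step matters: postscreen resolves DNSBL names through the
system resolver, so the zone must be reachable there (a stub or forward zone
pointing at rbldnsd's address and port), and the weight and threshold above
are arbitrary illustration values. Because the postscreen cache is keyed per
client, a freshly banned address that passed the DNSBL test moments earlier
will still be admitted until its cached verdict expires, which is exactly the
trade-off the postscreen_dnsbl_ttl caution describes.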