fail2ban (http://www.fail2ban.org/wiki/index.php/Main_Page) works perfectly for this. You set up some filters that are essentially just regular expressions, and then you define a "jail" which applies your filter to a log file and triggers a predefined action.
We have two filters watching our Postfix log: one looks for repeated SASL login failures, and the other looks for too many 554 errors within a short period of time, which we issue for invalid recipients.

For manual bans as you mentioned, I wrote a simple script called banip which just writes a simple line to a log file that meets fail2ban's requirements: https://gist.github.com/pgib/5302582

And then my fail2ban filter has: https://gist.github.com/pgib/5302594

And the jail is configured like this:

    [manual-ban]
    enabled  = true
    filter   = manual-ban
    action   = ipfw
    logpath  = /var/log/manual-ban.log
    findtime = 2
    maxretry = 1
    bantime  = 86400

It works like a charm, and requested IPs are banned within seconds of my request, automatically expiring after the "bantime" passes.

Patrick

On Wed, Apr 3, 2013 at 7:10 AM, Chad M Stewart <c...@balius.com> wrote:
>
> Before I go and write my own solution I thought I'd see if anyone knows of an
> existing solution.
>
> Now and again I'd like to put an IP on a local blacklist and have an
> expiration time set as well. I'm using postscreen as well and ideally the
> blacklist will get implemented via postscreen.
>
> Anyone know of an existing tool that integrates with postfix that would let
> me do what I want? I'm open to storing the IP and TTL values in plain text,
> MySQL, rbldnsd, etc..
>
>
> Thank you,
> Chad
>
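To make the findtime/maxretry/bantime semantics concrete, here is an added Python example (not Patrick's gists or fail2ban's own code) that replays constructed Postfix SASL-failure log lines through a jail's counting rule. The failregex is a reduced form of fail2ban's postfix-sasl pattern, the log lines and IPs are constructed, and the year is assumed because syslog stamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban-style filter line: <HOST> is fail2ban's placeholder for the client address.
# Reduced form of the postfix-sasl failregex, not the full pattern fail2ban ships.
SASL_FAILREGEX = r"warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN) authentication failed"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed Postfix/syslog lines (documentation-range IPs, no year in the stamp).
SAMPLE_LOG = """\
Apr  3 09:15:01 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Apr  3 09:15:04 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Apr  3 09:15:09 mail postfix/smtpd[2103]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Apr  3 09:15:20 mail postfix/smtpd[2104]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: authentication failure
Apr  3 09:15:30 mail postfix/smtpd[2105]: connect from mail.example.org[192.0.2.5]
Apr  3 09:40:00 mail postfix/smtpd[2110]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: authentication failure
Apr  3 10:05:00 mail postfix/smtpd[2120]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: authentication failure
"""

def compile_failregex(failregex):
    """Substitute <HOST> the way fail2ban does, exposing a named group 'host'."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def syslog_time(line, year=2013):
    """Parse the leading 'Mon dd HH:MM:SS' stamp; syslog omits the year, so one is assumed."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def find_bans(lines, failregex, findtime, maxretry):
    """Replay lines through a jail's rule: ban an IP once it has >= maxretry matches
    whose timestamps fit in a findtime-second window. Returns {ip: time_of_ban}."""
    rx = compile_failregex(failregex)
    recent = defaultdict(deque)  # ip -> match timestamps still inside the window
    bans = {}
    for line in lines:
        m = rx.search(line)
        if not m or m.group("host") in bans:
            continue
        ip, ts = m.group("host"), syslog_time(line)
        window = recent[ip]
        window.append(ts)
        # Expire matches older than findtime relative to the newest one.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG.splitlines(), SASL_FAILREGEX, 600, 3))
```

With findtime = 600 and maxretry = 3 (values chosen for the example), the first address is banned on its third failure at 09:15:09, while the second address's three failures are 25 minutes apart and never fit into the window; the manual-ban jail above (findtime 2, maxretry 1) is the degenerate case where the first matching line bans immediately.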