On Aug 26, 2013, at 06:20, pe...@ixp.jp wrote:

> On Aug/25.20:11:49, Niclas Arndt wrote:
>> Here are my questions: Is the iptables approach at all viable in the long
>> run? Is there any non-commercial way to upload a text file containing
>> spamming IP addresses and have it verified for correctness?
>
> Your IP tables will get scary quite rapidly, possibly without bounds.
> More so if you do not expire old records.
>
> The XBL component alone should make IP tables faint.
>
> DNS is almost certainly a saner way. In your case, shove your records in
> your own local DNS server and make a private block list. If you have a fit
> of insanity, allow other people to query it too...
Set up your own private rbldnsd; forward requests to it via your local caching resolver. It scales easily to millions of entries, it does not require a reload of Postfix for updates, the file format is very simple and therefore easy to build automatically, and so on. Also, you get the benefit of the RBL features of Postfix. You can have different replies for different types of IP addresses; have one type be rejected directly by postscreen and another type by your recipient restrictions, for example.

Once you have it running it is trivial to add domain based rejections as well, and reject HELO hostnames, reverse DNS results, sender domains and such.

HTH,
Joni
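As an added illustration of the approach Joni describes (not code from the thread), the script below turns a plain text list of addresses into an rbldnsd ip4set data file, validating every line first so a typo is reported rather than listed, and gives each category its own A record value so Postfix can act on one at postscreen and on the other in smtpd_recipient_restrictions. The zone name bl.example.local, the category names, the return values 127.0.0.2/127.0.0.3 and the ip4set line syntax (`$TTL`, and `:A:TXT` lines setting defaults for the entries that follow) are assumptions taken from my reading of the rbldnsd man page; check them against your installed version.

```python
import ipaddress

# Listing category -> (rbldnsd A value, TXT). Names and values are assumptions for
# this example; Postfix selects on the A value with its "zone=d.d.d.d" syntax:
#   postscreen_dnsbl_sites = bl.example.local=127.0.0.2
#   smtpd_recipient_restrictions = ... reject_rbl_client bl.example.local=127.0.0.3
CATEGORIES = {
    "postscreen": ("127.0.0.2", "blocked at postscreen"),
    "smtpd": ("127.0.0.3", "rejected by recipient restrictions"),
}

def build_ip4set(text, ttl=300):
    """Convert 'ip-or-cidr category' lines into rbldnsd ip4set data; return (zone_text, problems)."""
    entries = {cat: [] for cat in CATEGORIES}
    seen, problems = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[1] not in CATEGORIES:
            problems.append(f"line {lineno}: expected '<ip-or-cidr> <category>': {raw!r}")
            continue
        try:                                      # ip4set is IPv4 only; IPv6 fails here too
            net = ipaddress.IPv4Network(parts[0], strict=False)
        except ValueError:
            problems.append(f"line {lineno}: not an IPv4 address or CIDR block: {parts[0]!r}")
            continue
        key = str(net.network_address) if net.prefixlen == 32 else str(net)
        if key in seen:                           # silently drop exact duplicates
            continue
        seen.add(key)
        entries[parts[1]].append(key)
    out = [f"$TTL {ttl}"]
    for cat, (a_value, txt) in CATEGORIES.items():
        if entries[cat]:
            out.append(f":{a_value}:{txt}")      # default A/TXT for the entries below it
            out.extend(entries[cat])
    return "\n".join(out) + "\n", problems

SAMPLE = """\
# constructed sample input: ip-or-cidr  category
198.51.100.7     postscreen
203.0.113.0/24   postscreen
192.0.2.44       smtpd
198.51.100.7     postscreen   # duplicate, dropped
300.1.1.1        smtpd        # invalid, reported
2001:db8::1      smtpd        # IPv6, reported
"""
```

Calling `build_ip4set(SAMPLE)` yields the zone text to hand to rbldnsd plus a list of rejected lines; write the zone only when that list is empty so a bad upload never reaches the resolver.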