On 10.06.2014 20:47, Viktor Dukhovni wrote:
> There is no single right answer. For many users a single linear
> list of conditions is simplest. For some users, where one wants
> a whitelist for one set of tests to not short-circuit other tests,
> multiple lists are better. We should not be dogmatic about either
> approach.
What I used to do some time ago was this:
- Define three different pools of smtpd processes listening on
127.0.0.2, 127.0.0.3... etc. One of the pools would be devoted to
residential IP address blocks, another one to "general service" and a
third one to a whitelist of known-good servers for which there was
reliable contact information.
- Using the FreeBSD firewall, I created so-called divert rules. For the
residential group and the whitelist group I defined a couple of
prefix/address tables, so that connections coming from those address
spaces would be diverted to the relevant pool of smtpd processes.
There were several advantages to this:
- Limiting the consumption of resources by likely bots coming from
residential addresses.
- Fine-tuning the different policies for different origins. For the
well-known servers I could bypass some checks.
For example, at some point I had something like 16 smtpd processes for
residential, 32 for well-known servers, 200 for "general". Before
adopting this solution, even using 1000 smtpd processes was hopeless:
residential-based bots quickly flooded all of them, denying the reception
of legitimate mail.
Borja.
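As an added illustration (not Borja's configuration and not code from this thread), here is a Postfix master.cf fragment for the three pools with the process counts quoted above. The 127.0.0.x assignment, the per-pool restrictions and the syslog names are assumptions; the firewall rules that forward clients to these loopback addresses (ipfw fwd or pf rdr keyed on the residential and whitelist address tables) live outside this file.

```conf
# master.cf fragment (added illustration; assumed pool layout):
#   127.0.0.2 = residential pool, 127.0.0.3 = whitelist pool, 127.0.0.4 = general pool
# All three listen on loopback only, so a remote client can reach a pool only if
# the firewall forwards its connection there; the default forward target for
# anything not in the residential or whitelist tables should be the general pool.
#
# service        type  private unpriv chroot wakeup maxproc command + args
#                      (yes)   (yes)  (no)   (never) (100)
127.0.0.2:smtp   inet  n       -      n      -       16      smtpd
  -o syslog_name=postfix/residential
  -o smtpd_client_connection_count_limit=2
  -o smtpd_client_connection_rate_limit=10
  -o smtpd_helo_required=yes
  -o smtpd_client_restrictions=permit_mynetworks,reject_unknown_reverse_client_hostname
127.0.0.3:smtp   inet  n       -      n      -       32      smtpd
  -o syslog_name=postfix/whitelist
  -o smtpd_client_restrictions=permit
  -o smtpd_helo_restrictions=permit
  # Relay control is deliberately NOT overridden here: the recipient/relay
  # restrictions from main.cf stay in force, so a whitelisted client gets
  # relaxed client/HELO checks but never an open relay.
127.0.0.4:smtp   inet  n       -      n      -       200     smtpd
  -o syslog_name=postfix/general
  -o smtpd_client_connection_count_limit=10
  -o smtpd_client_restrictions=permit_mynetworks,reject_unknown_reverse_client_hostname
```

The distinct syslog_name per pool is what lets you check the design from the mail log: counting connects per name shows whether the firewall tables actually route residential and whitelisted senders to their pools, and a whitelisted host showing up under postfix/general means its address is missing from the table.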