we have a small local blacklist, mostly used for clients which aren't listed in dnsbls.

    postscreen_access_list = cidr:$table_directory/postscreen_access_list-rejects.cidr

sometimes when a larger netblock gets listed, it can have the unintended consequence of blocking well behaved clients which happen to be within that netblock:

    Jan 20 09:37:10 mta2 postfix/postscreen[18045]: CONNECT from [64.26.60.147]:58250 to [10.3.70.6]:25
    Jan 20 09:37:10 mta2 postfix/postscreen[18045]: BLACKLISTED [64.26.60.147]:58250
    Jan 20 09:37:10 mta2 postfix/dnsblog[18133]: addr 64.26.60.147 listed by domain list.dnswl.org as 127.0.5.0
    Jan 20 09:37:16 mta2 postfix/postscreen[18045]: NOQUEUE: reject: RCPT from [64.26.60.147]:58250: 550 5.3.2 Service currently unavailable; from=<u...@example.org>, to=<u...@example.com>, proto=ESMTP, helo=<smtpauth05.mfg.siteprotect.com>
    Jan 20 09:37:16 mta2 postfix/postscreen[18045]: DISCONNECT [64.26.60.147]:58250

in the above case, if the netblock could be listed in postscreen_access_list as

    64.26.0.0/18 3

rather than

    64.26.0.0/18 reject

then a client in that scenario could avoid penalization, with

    postscreen_dnsbl_threshold = 3
    postscreen_dnsbl_whitelist_threshold = -1
    postscreen_dnsbl_sites = [...] list.dnswl.org=127.[0..255].[0..255].[0..255]*-4

is a feature like this something that might be considered? overall, it seems like a scoring element in postscreen_access_list would complement the essence of postscreen in general.

-ben
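
A small model of the behaviour the post asks for, added here as an illustration (it is not Postfix code and not part of the original message). The numeric action in the access table, the function names, the 192.0.2.0/24 entry and the way the whitelist threshold is applied to the combined score are assumptions; the thresholds, the dnswl weight and the client address come from the post.

```python
import ipaddress
import re

# Constructed table in the syntax the post proposes (a score instead of "reject").
ACCESS_LIST = "64.26.0.0/18 3\n192.0.2.0/24 reject\n"
DNSBL_SITES = ["list.dnswl.org=127.[0..255].[0..255].[0..255]*-4"]
THRESHOLD, WHITELIST_THRESHOLD = 3, -1   # values from the post

def parse_site(spec):
    """Split 'domain=filter*weight' into (domain, per-octet ranges, weight)."""
    m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", spec)
    domain, filt, weight = m.group(1), m.group(2), int(m.group(3) or 1)
    ranges = None                        # None: any reply counts as listed
    if filt:                             # only literals and [lo..hi] handled here
        ranges = []
        for octet in re.findall(r"\[\d+\.\.\d+\]|\d+", filt):
            lo, _, hi = octet.strip("[]").partition("..")
            ranges.append((int(lo), int(hi or lo)))
    return domain, ranges, weight

def dnsbl_score(replies, sites=DNSBL_SITES):
    """Sum the weights of sites whose reply (domain -> address) matches the filter."""
    total = 0
    for domain, ranges, weight in map(parse_site, sites):
        if domain not in replies:
            continue
        octets = [int(o) for o in replies[domain].split(".")]
        if ranges is None or all(lo <= o <= hi for o, (lo, hi) in zip(octets, ranges)):
            total += weight
    return total

def access_lookup(client, table=ACCESS_LIST):
    """First matching CIDR wins: returns 'reject', an int score, or None."""
    for line in table.splitlines():
        net, action = line.split()
        if ipaddress.ip_address(client) in ipaddress.ip_network(net):
            return action if action == "reject" else int(action)
    return None

def decide(client, replies):
    """Hypothetical combined decision: access-list score plus DNSBL/DNSWL weights."""
    action = access_lookup(client)
    if action == "reject":
        return ("reject", None)
    score = (action or 0) + dnsbl_score(replies)
    if score >= THRESHOLD:
        return ("reject", score)
    # Assumption: the whitelist threshold applies to the combined score too.
    return ("pass-skip-tests" if score <= WHITELIST_THRESHOLD else "pass", score)
```

Calling `decide("64.26.60.147", {"list.dnswl.org": "127.0.5.0"})` reproduces the logged client: the local score of 3 and the dnswl weight of -4 combine to -1, while the same client with no dnswl listing stays at 3 and is still rejected.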