On 2015.01.22 10.35, wie...@porcupine.org (Wietse Venema) wrote:
> btb:
>> we have a small local blacklist, mostly used for clients which
>> aren't listed in dnsbls.
>>
>> postscreen_access_list = cidr:$table_directory/postscreen_access_list-rejects.cidr
>>
>> sometimes when a larger netblock gets listed, it can have the
>> unintended consequences of blocking well behaved clients which
>> happen to be within that netblock:
>>
>> Jan 20 09:37:10 mta2 postfix/postscreen[18045]: CONNECT from [64.26.60.147]:58250 to [10.3.70.6]:25
>
> In the CIDR table, specify netblocks as follows:
>
> 192.168.1.1 dunno
> 192.168.1.0/24 reject
>
> I.e. specify the good clients before the bad ones. Instead of "dunno"
> specify "permit" if you are certain that the host is not a bot.

right. we do that now. taking advantage of whitelist negative scoring
to reduce some of the administrative burden would be nice though, and
also avoid the "fix it after finding out it's broken" scenario.
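The first-match rule Wietse describes (the specific good client must be listed before the netblock that contains it) modelled in Python, as an added example that is not from the thread or from Postfix itself. The table contents are the two lines quoted above; the parser and the shadowing check are assumptions about how one would lint such a table, not Postfix code.

```python
import ipaddress

# Constructed table in cidr: format, in the order the reply recommends:
# the well-behaved host first, the netblock it lives in second.
CIDR_TABLE = """\
192.168.1.1 dunno
192.168.1.0/24 reject
"""


def parse_cidr_table(text):
    """Parse cidr: table text into an ordered list of (network, action)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        # A bare address is treated as a single-host network (/32 or /128).
        net = ipaddress.ip_network(pattern, strict=False)
        entries.append((net, action.strip()))
    return entries


def lookup(entries, client_ip):
    """Return the action of the first entry containing client_ip, else None."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in entries:
        if addr.version == net.version and addr in net:
            return action
    return None


def shadowed_entries(entries):
    """List entries that can never match because an earlier, broader entry
    already covers them. A non-empty result means the table is mis-ordered
    in exactly the way that blocks a good client inside a listed netblock."""
    shadowed = []
    for i, (net, action) in enumerate(entries):
        for earlier_net, _ in entries[:i]:
            if net.version == earlier_net.version and net.subnet_of(earlier_net):
                shadowed.append((str(net), action))
                break
    return shadowed
```

Reversing the two lines makes `lookup` return "reject" for 192.168.1.1 and `shadowed_entries` report the unreachable "dunno" line, which is the failure mode the ordering rule avoids.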