Hi,

If you want to block more DUL IP blocks, the easiest way is probably to use some upstream DUL DNSBL providers, and use rbldnsd to create your private DNSBL to provide your own additions. There also is a community-maintained pcre file for smtpd restrictions (located at: http://www.hardwarefreak.com/fqrdns.pcre) that will block many of your candidates at the smtpd level.

You could probably get fail2ban or some homegrown logparser to create additions to your rbldnsd input file based on the rejections (i.e. postscreen passes, smtpd blocks, IP(-block) is added to rbldnsd, postscreen blocks at next connect).

Tom

On 10-03-15 16:16, Kovács Albert wrote:
> On Tuesday, March 10, 2015 1:42 PM, Wietse Venema <wie...@porcupine.org> wrote:
>
>>> I'm not sure how one (type of) DNS query is a performance concern,
>>> and another is not, see below.
>
>> You see no performance difference between querying a small number of
>> well-operated DNS servers that are chosen by the local sysadmin, versus
>> random DNS servers all over the Internet that are determined by the
>> sender's IP address?
>
> This isn't exactly what I wrote :-) Obviously querying PTR records may
> take some time. However, smtpd also needs the PTR record to perform some
> DNS tests, so sooner or later you need the query.
>
> OK, postscreen blocks many of the zombie hosts for sure, so you don't
> need to perform PTR queries that many times; however (based on my
> experience) lots of hosts with names like
> ppp|dsl|cable|....-xx-xx-xx-xx.some.provider.com pass postscreen,
> ending up at smtpd.
>
> Anyway, I started to use an RBL targeting dynamic IP blocks, and it
> makes postscreen drop many such zombies, though no RBL is accurate, so I
> believe there's still some room for optimization.
>
> If there's some deeper guide, or you could provide some hints on how
> postfix does DNS resolution, I'd appreciate it, and perhaps I could make
> it for myself.
>
>> With postscreen, zombies don't get to occupy smtpd processes, by using
>> DNSBLs and pregreet tests.
>
> Unfortunately not all of them, that's why I'd improve postscreen to have
> a better hit ratio.
>
> Albert
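The "homegrown logparser" feedback loop Tom sketches (smtpd rejects via the pcre file, the client IP lands in the rbldnsd input, postscreen blocks it on the next connect), shown as an added example that is not code from the list post, from Postfix, or from rbldnsd. It assumes the standard Postfix smtpd `NOQUEUE: reject: RCPT from name[ip]:` log format, that the pcre restriction rejects with a "Client host rejected" verdict, and rbldnsd's ip4set file format (a `:A-value:TXT` default line followed by one address or CIDR per line). The `/24` collapsing threshold and the sample log lines are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Turn Postfix smtpd client rejections into an rbldnsd ip4set zone file.

Added example, not from the mailing-list post: a minimal stand-in for the
"homegrown logparser" described there.  It reads mail.log lines, keeps the
client IPs that smtpd rejected with a "Client host rejected" verdict (what
a pcre client restriction such as fqrdns.pcre produces), skips local and
RFC1918 space so the MX can never list itself, collapses /24s with several
distinct offenders into one CIDR entry, and emits rbldnsd ip4set lines so
postscreen can block the same clients before they reach smtpd again.
"""
import ipaddress
import re
from collections import Counter

# Assumed Postfix smtpd reject line shape:
#   ... postfix/smtpd[123]: NOQUEUE: reject: RCPT from name[1.2.3.4]: 554 5.7.1 <...>: reason; from=...
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+)\[(?P<ip>[0-9.]+)\]: (?P<code>\d{3}) (?P<reason>.*?);"
)

# Never feed these into a DUL-style zone: our own box, LAN relays, link-local.
NEVER_LIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample log excerpt (documentation addresses only, not real traffic).
SAMPLE_LOG = """\
Mar 10 16:20:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from ppp-203-0-113-7.example.net[203.0.113.7]: 554 5.7.1 <ppp-203-0-113-7.example.net[203.0.113.7]>: Client host rejected: Generic - Please relay via ISP (example.net); from=<a@example.org> to=<b@example.com> proto=ESMTP helo=<localhost>
Mar 10 16:20:09 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from dsl-203-0-113-8.example.net[203.0.113.8]: 554 5.7.1 <dsl-203-0-113-8.example.net[203.0.113.8]>: Client host rejected: Generic - Please relay via ISP (example.net); from=<c@example.org> to=<b@example.com> proto=ESMTP helo=<dsl>
Mar 10 16:20:15 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from cable-203-0-113-9.example.net[203.0.113.9]: 554 5.7.1 <cable-203-0-113-9.example.net[203.0.113.9]>: Client host rejected: Generic - Please relay via ISP (example.net); from=<d@example.org> to=<b@example.com> proto=ESMTP helo=<cable>
Mar 10 16:21:40 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from ppp-203-0-113-7.example.net[203.0.113.7]: 554 5.7.1 <ppp-203-0-113-7.example.net[203.0.113.7]>: Client host rejected: Generic - Please relay via ISP (example.net); from=<a@example.org> to=<e@example.com> proto=ESMTP helo=<localhost>
Mar 10 16:22:02 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from 20.100.51.198.dyn.example.org[198.51.100.20]: 554 5.7.1 <20.100.51.198.dyn.example.org[198.51.100.20]>: Client host rejected: Generic - Please relay via ISP (example.org); from=<f@example.org> to=<b@example.com> proto=SMTP helo=<pc>
Mar 10 16:22:30 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from lan-relay.internal[192.168.1.5]: 554 5.7.1 <lan-relay.internal[192.168.1.5]>: Client host rejected: Generic - Please relay via ISP (internal); from=<g@example.com> to=<b@example.com> proto=ESMTP helo=<lan-relay>
Mar 10 16:23:11 mx postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 554 5.7.1 Service unavailable; Client host [198.51.100.77] blocked using dnsbl.example; from=<h@example.org> to=<b@example.com> proto=SMTP helo=<x>
Mar 10 16:23:50 mx postfix/postscreen[2099]: NOQUEUE: reject: RCPT from [198.51.100.88]:4321: 550 5.7.1 Service unavailable; client [198.51.100.88] blocked using dnsbl.example; from=<i@example.org>, to=<b@example.com>, proto=ESMTP, helo=<y>
"""


def parse_rejects(lines, reason_marker="Client host rejected"):
    """Return a Counter of rejected IPv4 client addresses whose reason contains reason_marker."""
    hits = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if not m or reason_marker not in m.group("reason"):
            continue  # postscreen lines, DNSBL rejects, etc. are left alone
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        if ip.version != 4 or any(ip in net for net in NEVER_LIST):
            continue
        hits[str(ip)] += 1
    return hits


def collapse_to_networks(hits, threshold=3):
    """Replace a /24 that holds at least `threshold` distinct offenders by one CIDR entry."""
    by_net = {}
    for ip in hits:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_net.setdefault(net, set()).add(ip)
    entries = []
    for net in sorted(by_net):
        ips = by_net[net]
        if len(ips) >= threshold:
            entries.append(str(net))
        else:
            entries.extend(sorted(ips, key=ipaddress.ip_address))
    return entries


def to_ip4set(entries, a_value="127.0.0.2", txt="Rejected by smtpd rDNS policy"):
    """Render rbldnsd ip4set text: a default-value line, then one address or CIDR per line."""
    return "\n".join([f":{a_value}:{txt}", *entries]) + "\n"


def build_zone(log_text, threshold=3):
    """Whole pipeline: log text in, rbldnsd ip4set text out."""
    return to_ip4set(collapse_to_networks(parse_rejects(log_text.splitlines()), threshold))


if __name__ == "__main__":
    print(build_zone(SAMPLE_LOG), end="")
```

Run periodically over the rotated log (or from a fail2ban action) and write the result to the file rbldnsd serves as your private zone; the zone name then goes into `postscreen_dnsbl_sites` alongside the upstream DUL lists. The threshold keeps single stray hits as host entries while a /24 full of generic-rDNS clients becomes one CIDR line, which is usually what a DUL zone wants; lower it, or add an expiry column, to taste.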