On 6/17/2015 5:50 PM, PGNd wrote:
> The introduction of Postfix's postscreen into edge mail-defense, particularly 
> with a well thought out set of DNSBLs has fairly dramatically cut down on my 
> spam rates.
> 
> Additional pre- & post-queue filtering downstream of postscreen is down to an 
> easily manageable trickle.
> 
> Prior to postscreen, fail2ban had been a key component of my basic anti-spam 
> tooling.
> 
> Looking at my (early) results, I'm considering simply dropping fail2ban from 
> the mix.  It seems resource utilization of postscreen is already quite low.
> 
> Reading posts since the introduction of postscreen, I've not yet found any 
> strong arguments for removing it or leaving it in.
> 
> What is current 'best practice' on list?  With postscreen ON, still bothering 
> with fail2ban?  If yes, what particular case would postscreen be missing that 
> fail2ban'd catch?
> 

With respect to postfix, the things fail2ban has been really useful
for are blocking AUTH dictionary attacks, and blocking clients that
consistently fail a full-scan filter such as SpamAssassin.
Postscreen can't help with either of these.

The other things fail2ban has typically been used for in postfix --
blocking clients with too many failures/rejects/unknown users -- are
really more about cleaning up your log than protecting postfix.
Postfix is already well protected against those things.  Postscreen
further reduces the impact of rejecting known bad hosts, but as long
as you're not approaching DoS levels of rejects it doesn't matter
too much.

None of this means you should stop using (or start using) fail2ban.
It just means that postscreen doesn't change the argument very much.



  -- Noel Jones
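
The AUTH dictionary attack case mentioned in the reply above, as an added example that is not part of the original thread and is not fail2ban's own code: it applies a fail2ban-style maxretry/findtime threshold to Postfix SASL failure log lines. The function name, thresholds, year and sample log lines (documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Postfix log lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = """\
Jun 17 18:02:01 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun 17 18:02:04 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun 17 18:02:05 mx1 postfix/smtpd[2214]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown
Jun 17 18:02:09 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jun 17 18:03:30 mx1 postfix/smtpd[2220]: warning: mail.example.net[192.0.2.44]: SASL LOGIN authentication failed: authentication failure
Jun 17 18:20:00 mx1 postfix/smtpd[2290]: warning: mail.example.net[192.0.2.44]: SASL LOGIN authentication failed: authentication failure
Jun 17 18:40:00 mx1 postfix/smtpd[2301]: warning: mail.example.net[192.0.2.44]: SASL LOGIN authentication failed: authentication failure
"""

# Matches only SASL failures; ordinary rejects (unknown user etc.) are ignored,
# since Postfix and postscreen already handle those cheaply.
FAILED_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/[\w/]+\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"
)

def hosts_to_ban(log_text, maxretry=3, findtime=timedelta(minutes=10), year=2015):
    """Return {ip: time of the failure that crossed the threshold}.

    An IP is flagged once it has `maxretry` SASL failures inside a sliding
    window of `findtime`. Syslog timestamps carry no year, so one is assumed.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_AUTH.match(line)
        if not m or m["ip"] in banned:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[m["ip"]] = ts
    return banned

if __name__ == "__main__":
    for ip, when in hosts_to_ban(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold crossed at {when})")
```

With the default 10-minute window only the rapid guesser is flagged; the host that fails once every 20 minutes is caught only if `findtime` is widened, which is the usual tuning trade-off for slow dictionary attacks.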
