On 2/10/2016 3:41 PM, Allen Coates wrote:
> I have very similar problems.
> 
> I was, however, thinking along the lines of a command-line executable (or
> script), specifically to rescind a temporary white-list entry. I am
> not very good at the "big picture" :-)
> 
> Allen C
> 
> On 10/02/16 17:35, Mike Coddington wrote:
>> I had a problem with an IP address sneaking into Postscreen's whitelist. I 
>> added the IP address to postscreen_access.cidr and set it to REJECT, as I 
>> typically do with problem IP ranges. It seemed as though the temporary 
>> whitelist was overriding my request to reject the mail though. I ended up 
>> removing postscreen_cache.db and restarting Postfix. Is there a way to go 
>> into that database and manually remove specific entries? Most of them are 
>> fine, which is why I was sad to have to do the brute force technique that I 
>> used.
>>
>> I’m guessing it’s not possible but figured I’d ask.
> 


Since it's fairly disruptive to alter the postscreen cache db -- it
can only be done with postfix stopped -- a better and more practical
solution is to add the offending clients to a regular old indexed
check_client_access table.

Changes to indexed tables (hash, cdb, btree, *sql) are picked up
automatically by smtpd with minimal disruption to mail flow, and
unless the offending client is making dozens (hundreds?) of
connections per minute the overall performance difference is
negligible.  In the case of a flood of connections, a firewall block
is probably a better solution anyway.

So the bottom line is that although it is possible to remove a
client from the postscreen automatic whitelist cache, it's not worth
the trouble.



  -- Noel Jones
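
One way to script the check_client_access approach described in the reply above. This is an added example, not code from the thread or from Postfix. The table path, the main.cf line in the comment, and the function names `is_ipv4` and `reject_client` are assumptions, and only IPv4 addresses are handled.

```shell
#!/bin/sh
# Assumed table path; override with TABLE=... in the environment.
TABLE="${TABLE:-/etc/postfix/client_access}"

# main.cf must consult the table, for example (assumed layout):
#   smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# reject_client ADDR [REASON]
# Add "ADDR REJECT REASON" to $TABLE unless ADDR is already a key,
# then rebuild the indexed file when postmap is installed.
reject_client() {
    addr=$1
    reason=${2:-blocked by local policy}
    is_ipv4 "$addr" || { echo "not an IPv4 address: $addr" >&2; return 2; }

    # The lookup key is the first whitespace-delimited field of a line.
    if [ -f "$TABLE" ] &&
       awk -v k="$addr" '$1 == k { found = 1 } END { exit !found }' "$TABLE"
    then
        return 0         # already listed, nothing to do
    fi

    printf '%s\tREJECT %s\n' "$addr" "$reason" >> "$TABLE" || return 1

    # smtpd notices the rebuilt index on its own; Postfix keeps running.
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$TABLE"
    fi
}
```

Source the file and call `reject_client 192.0.2.25 "manual block"` (a constructed documentation address) as a user allowed to write the table.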
