To date I've maintained & deployed a firewall blacklist of bad-actor, port 25 CIDRs.

Its blocking is obviously in front of Postfix, and logs if/as I choose to my firewall logs. I populate it both manually, and append it using fail2ban. It's a 'fast' IPSET hash table, not just iptables.

postscreen has the very handy 'postscreen_access_list' parameter

http://www.postfix.org/postconf.5.html#postscreen_access_list
http://www.postfix.org/POSTSCREEN_README.html
http://www.postfix.org/cidr_table.5.html

which provides equivalent blocking functionality. I can similarly (de)populate it manually and with fail2ban.

Since both postscreen and IPSET have some in-memory advantages, I'm wondering what criteria to use in choosing one method vs the other?

My guess atm is to leave it in IPSET/firewall, thinking that it's in-kernel and somehow faster/lower-load, but TBH I haven't done any benchmarking yet.

Is there any guidance for if/when to use one vs the other?

Jason
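The two blocking mechanisms the post compares take the same input, a list of CIDRs, in two different file formats. The added example below (not from the original post or from the Postfix project) renders one shared blacklist into both a cidr_table(5) body for `postscreen_access_list` and an `ipset restore` script for a hash:net set; the list entries and the set name `smtp_bl` are constructed sample values.

```shell
#!/bin/sh
# Added example: one source list -> two consumers.
#  - cidr_table body for:  postscreen_access_list = permit_mynetworks,
#                          cidr:/etc/postfix/postscreen_access.cidr
#    (cidr: tables are read directly; no postmap step is needed)
#  - ipset restore script for a kernel hash:net set that iptables matches with:
#    -p tcp --dport 25 -m set --match-set smtp_bl src -j DROP
# All addresses below are constructed documentation ranges, not real indicators.

BLACKLIST='# constructed sample entries
192.0.2.0/24
198.51.100.7
# 203.0.113.0/24 is commented out on purpose
'

# Strip "#" comments and blank lines, leaving one CIDR per line.
clean_list() {
    printf '%s' "$1" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d'
}

# Emit "CIDR<TAB>reject" lines. cidr_table(5) rules are evaluated in file
# order, so an allow-list exception would have to precede its wider block.
render_cidr_table() {
    clean_list "$1" | while read -r cidr; do
        printf '%s\treject\n' "$cidr"
    done
}

# Emit an ipset restore script: create the set once, then add every entry.
# "-exist" makes both the create and the adds idempotent on re-runs.
render_ipset_restore() {
    set_name="$2"
    printf 'create %s hash:net family inet -exist\n' "$set_name"
    clean_list "$1" | while read -r cidr; do
        printf 'add %s %s -exist\n' "$set_name" "$cidr"
    done
}

# Usage (commented out so the script is side-effect free when sourced):
#   render_cidr_table "$BLACKLIST" > /etc/postfix/postscreen_access.cidr
#   render_ipset_restore "$BLACKLIST" smtp_bl | ipset restore
```

Because both files are derived from the same list, a fail2ban action only needs to append to the source and re-run the two renderers, which keeps the firewall set and the postscreen table from drifting apart.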