jaso...@mail-central.com:
> To date I've maintained & deployed a firewall blacklist of bad-actor, port25
> CIDRs.
>
> Its blocking is obviously in front of Postfix, and logs if/as I choose to my
> firewall logs.
>
> I populate it both manually, and append it using fail2ban.
>
> It's a 'fast' IPSET hash table, not just iptables.
>
> postscreen has the very handy 'postscreen_access_list' parameter
>
> http://www.postfix.org/postconf.5.html#postscreen_access_list
> http://www.postfix.org/POSTSCREEN_README.html
> http://www.postfix.org/cidr_table.5.html
>
> which provides equivalent blocking functionality.

It is a superset, as the postscreen_blacklist_action parameter allows you to choose between dropping the connection and logging the helo, mail from and rcpt to, so that you can find out what mail is blocked.

Writing to the postscreen access list (with fail2ban etc.) is generally not supported. It can be done with LMDB but only if you use the locking protocol described in lmdb_table(5). Otherwise the result will be incorrect.

Wietse
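
An added example, not part of either post: one way to turn an existing ipset blacklist into cidr_table(5) lines usable in postscreen_access_list. The set name `smtp_blacklist`, the function name and the sample `ipset save` output are constructed for illustration; the function only produces the table text and does not touch a live table.

```python
import ipaddress

# Constructed sample of `ipset save` output; the set name is hypothetical.
SAMPLE_IPSET_SAVE = """\
create smtp_blacklist hash:net family inet hashsize 1024 maxelem 65536 timeout 0
add smtp_blacklist 192.0.2.0/25
add smtp_blacklist 192.0.2.128/25
add smtp_blacklist 198.51.100.7 timeout 3600
add smtp_blacklist 203.0.113.0/24
add smtp_blacklist 203.0.113.64/26
add other_set 10.0.0.0/8
add smtp_blacklist not-an-address
"""


def ipset_to_cidr_table(save_text, set_name):
    """Return (lines, skipped).

    lines   -- cidr_table(5) entries, "<network> reject", for postscreen_access_list
    skipped -- members of set_name that did not parse as an address or network
    """
    nets = {4: [], 6: []}
    skipped = []
    for raw in save_text.splitlines():
        fields = raw.split()
        # Only "add <set> <member> [options...]" lines for the chosen set matter.
        if len(fields) < 3 or fields[0] != "add" or fields[1] != set_name:
            continue
        try:
            net = ipaddress.ip_network(fields[2], strict=False)
        except ValueError:
            skipped.append(fields[2])
            continue
        nets[net.version].append(net)

    lines = []
    for version in (4, 6):
        # Merge adjacent and nested ranges so the table stays short.
        for net in ipaddress.collapse_addresses(nets[version]):
            lines.append(f"{net}\treject")
    return lines, skipped


if __name__ == "__main__":
    table, bad = ipset_to_cidr_table(SAMPLE_IPSET_SAVE, "smtp_blacklist")
    print("\n".join(table))
    for entry in bad:
        print(f"# skipped unparseable member: {entry}")
```
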