On 4/8/2016 12:04 PM, [email protected] wrote:
>
> For me then, simplest seems that "known bad" can stay in fail2ban-ready
> firewall IPSETs, and "need to investigate a bit more" in postscreen's CIDR
> access list.
>
Note that updating the postscreen CIDR table requires that you restart postfix to read the new table. Frequent restarts of postfix are very bad for performance on a busy mailserver. I would suggest putting "provisional" blocks in a check_client_access table in one of the smtpd_*_restrictions sections. Postfix will pick up changes to those tables without a restart. Later, those blocks can be promoted to a firewall or postscreen block.

  -- Noel Jones
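The workflow suggested in the reply above, sketched as an added example that is not part of the original message: shell helpers that keep "provisional" blocks in a check_client_access table and later emit the line for a postscreen CIDR list. The table path, the choice of a hash: map, and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed main.cf setting (the path is hypothetical):
#   smtpd_client_restrictions =
#       check_client_access hash:/etc/postfix/provisional_access
TABLE=${TABLE:-/etc/postfix/provisional_access}

# valid_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# has_entry ADDR: succeed if ADDR is already a lookup key in the table.
has_entry() {
    awk -v k="$1" '$1 == k { found = 1 } END { exit !found }' "$TABLE"
}

# rebuild_table: regenerate the indexed map that smtpd actually reads.
rebuild_table() {
    postmap "hash:$TABLE"
}

# provisional_block ADDR [REASON]: add one REJECT entry, skipping duplicates.
provisional_block() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 2; }
    [ -e "$TABLE" ] || : > "$TABLE"
    if has_entry "$1"; then return 0; fi
    printf '%s\tREJECT %s\n' "$1" "${2:-provisional block}" >> "$TABLE"
    rebuild_table
}

# promote ADDR: remove the provisional entry and print the matching line for a
# postscreen CIDR access list (adding it there is a separate, manual step).
promote() {
    has_entry "$1" || { echo "no provisional entry: $1" >&2; return 1; }
    awk -v k="$1" '$1 != k' "$TABLE" > "$TABLE.tmp" && mv "$TABLE.tmp" "$TABLE"
    rebuild_table
    printf '%s/32\treject\n' "$1"
}
```

Source the file and call, for example, `provisional_block 192.0.2.10 "under investigation"`; the address is a constructed documentation-range value.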
