On 13/09/16 20:01, Wietse Venema wrote:
> Wietse Venema:
>> Unlike DNS lookups, the access map lookup is a blocking operation,
>> and if your tcp map takes 80ms to complete (a typical trans-atlantic
>> query), then you can handle only 12 connections per second, and
>> make postscreen the largest performance bottleneck on the system.
>
> After starting work on postscreen by the middle of 2009, I soon
> realized that I might have to add some postscreen-policy interface
> for things that are too complex or that take too much time compared
> to a quick access map lookup. Perhaps the time has come.

From a slightly different angle, I would like to see some sort of
"probationary" status, where the temporary whitelist is not activated.
I frequently receive a well-behaved connection, earning PASS NEW,
immediately followed by abusive behaviour (see the log extract below).
In this instance, my fail-2-ban lookalike kicked in and blocked several
thousand packets before the IPTABLES counters were reset.

The zz.countries.nerd.dk entry tells me the host was located in China -
a spam hot-spot for me. (One demerit point, but not enough to blacklist.)

Allen C

Sep 13 15:23:14 geronimo postfix/postscreen[9767]: CONNECT from [202.106.74.102]:2600 to [192.168.150.12]:25
Sep 13 15:23:14 geronimo postfix/dnsblog[9769]: addr 202.106.74.102 listed by domain zz.countries.nerd.dk as 127.0.0.156
Sep 13 15:23:20 geronimo postfix/postscreen[9767]: PASS NEW [202.106.74.102]:2600
Sep 13 15:23:21 geronimo postfix/smtpd[9777]: connect from unknown[202.106.74.102]
Sep 13 15:23:24 geronimo postfix/smtpd[9777]: disconnect from unknown[202.106.74.102] ehlo=1 quit=1 commands=2
Sep 13 15:23:27 geronimo postfix/postscreen[9767]: CONNECT from [202.106.74.102]:4225 to [192.168.150.12]:25
Sep 13 15:23:29 geronimo postfix/postscreen[9767]: CONNECT from [202.106.74.102]:1202 to [192.168.150.12]:25
Sep 13 15:23:31 geronimo postfix/postscreen[9767]: CONNECT from [202.106.74.102]:2070 to [192.168.150.12]:25
Sep 13 15:23:31 geronimo postfix/postscreen[9767]: NOQUEUE: reject: CONNECT from [202.106.74.102]:2070: too many connections
Sep 13 15:23:31 geronimo postfix/postscreen[9767]: DISCONNECT [202.106.74.102]:2070
Sep 13 15:23:33 geronimo postfix/postscreen[9767]: PASS OLD [202.106.74.102]:4225
Sep 13 15:23:33 geronimo postfix/postscreen[9767]: CONNECT from [202.106.74.102]:2478 to [192.168.150.12]:25
Sep 13 15:23:33 geronimo postfix/postscreen[9767]: NOQUEUE: reject: CONNECT from [202.106.74.102]:2478: too many connections
Sep 13 15:23:33 geronimo postfix/postscreen[9767]: DISCONNECT [202.106.74.102]:2478
Sep 13 15:23:33 geronimo postfix/smtpd[9777]: connect from unknown[202.106.74.102]
Sep 13 15:23:34 geronimo postfix/postscreen[9767]: CONNECT from [202.106.74.102]:1393 to [192.168.150.12]:25
Sep 13 15:23:34 geronimo postfix/postscreen[9767]: PASS OLD [202.106.74.102]:1393
Sep 13 15:23:34 geronimo postfix/smtpd[9786]: connect from unknown[202.106.74.102]
Sep 13 15:23:35 geronimo postfix/postscreen[9767]: PASS OLD [202.106.74.102]:1202
Sep 13 15:23:35 geronimo postfix/smtpd[9788]: connect from unknown[202.106.74.102]
Sep 13 15:23:35 geronimo postfix/smtpd[9788]: warning: Connection concurrency limit exceeded: 3 from unknown[202.106.74.102] for service smtpd
Sep 13 15:23:35 geronimo postfix/smtpd[9788]: disconnect from unknown[202.106.74.102] commands=0/0
...... Etc, etc, until the IP address is blocked.
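The "probationary" check the post asks for does not exist inside postscreen, but the pattern it describes (PASS NEW, then a burst of CONNECTs and "too many connections" rejects from the same client) can be spotted from the outside by a fail2ban-style log watcher. The following is an added example written for this page, not code from the post or from Postfix. It parses the postscreen lines from the extract above, treats the interval after each PASS NEW as a probation window, and flags clients that exceed a connection count or get rejected inside it. The year (2016), the window length and the threshold are assumptions, and the two lines for 192.0.2.10 are constructed to show a client that passes probation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines taken from the post above (postscreen, dnsblog and smtpd entries),
# plus CONSTRUCTED entries for 192.0.2.10, a client that behaves after PASS NEW.
SAMPLE_LOG = """\
Sep 13 15:23:14 geronimo postfix/postscreen[9767]: CONNECT from [202.106.74.102]:2600 to [192.168.150.12]:25
Sep 13 15:23:14 geronimo postfix/dnsblog[9769]: addr 202.106.74.102 listed by domain zz.countries.nerd.dk as 127.0.0.156
Sep 13 15:23:20 geronimo postfix/postscreen[9767]: PASS NEW [202.106.74.102]:2600
Sep 13 15:23:21 geronimo postfix/smtpd[9777]: connect from unknown[202.106.74.102]
Sep 13 15:23:24 geronimo postfix/smtpd[9777]: disconnect from unknown[202.106.74.102] ehlo=1 quit=1 commands=2
Sep 13 15:23:27 geronimo postfix/postscreen[9767]: CONNECT from [202.106.74.102]:4225 to [192.168.150.12]:25
Sep 13 15:23:29 geronimo postfix/postscreen[9767]: CONNECT from [202.106.74.102]:1202 to [192.168.150.12]:25
Sep 13 15:23:31 geronimo postfix/postscreen[9767]: CONNECT from [202.106.74.102]:2070 to [192.168.150.12]:25
Sep 13 15:23:31 geronimo postfix/postscreen[9767]: NOQUEUE: reject: CONNECT from [202.106.74.102]:2070: too many connections
Sep 13 15:23:31 geronimo postfix/postscreen[9767]: DISCONNECT [202.106.74.102]:2070
Sep 13 15:23:33 geronimo postfix/postscreen[9767]: PASS OLD [202.106.74.102]:4225
Sep 13 15:23:33 geronimo postfix/postscreen[9767]: CONNECT from [202.106.74.102]:2478 to [192.168.150.12]:25
Sep 13 15:23:33 geronimo postfix/postscreen[9767]: NOQUEUE: reject: CONNECT from [202.106.74.102]:2478: too many connections
Sep 13 15:23:34 geronimo postfix/postscreen[9767]: CONNECT from [202.106.74.102]:1393 to [192.168.150.12]:25
Sep 13 15:23:34 geronimo postfix/postscreen[9767]: PASS OLD [202.106.74.102]:1393
Sep 13 15:23:40 geronimo postfix/postscreen[9767]: CONNECT from [192.0.2.10]:50123 to [192.168.150.12]:25
Sep 13 15:23:46 geronimo postfix/postscreen[9767]: PASS NEW [192.0.2.10]:50123
Sep 13 15:24:05 geronimo postfix/postscreen[9767]: CONNECT from [192.0.2.10]:50124 to [192.168.150.12]:25
Sep 13 15:24:05 geronimo postfix/postscreen[9767]: PASS OLD [192.0.2.10]:50124
"""

# syslog prefix followed by a postscreen message; other daemons are ignored
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/postscreen\[\d+\]: (?P<msg>.*)$"
)
PASS_NEW_RE = re.compile(r"^PASS NEW \[(?P<ip>[^\]]+)\]:\d+")
CONNECT_RE = re.compile(r"^CONNECT from \[(?P<ip>[^\]]+)\]:\d+")
REJECT_RE = re.compile(
    r"^NOQUEUE: reject: CONNECT from \[(?P<ip>[^\]]+)\]:\d+: (?P<reason>.*)$"
)


def parse_ts(stamp, year=2016):
    """syslog timestamps carry no year; 2016 is assumed from the post's date."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_probation_failures(lines, window_seconds=60, max_connects=3):
    """Return {ip: stats} for clients that earned PASS NEW and then, within
    window_seconds of it, opened more than max_connects further connections
    or were rejected with 'too many connections'. Thresholds are assumptions."""
    pass_new_at = {}              # ip -> time of its PASS NEW (probation start)
    connects = defaultdict(int)   # ip -> CONNECTs seen inside the probation window
    rejects = defaultdict(int)    # ip -> 'too many connections' rejects inside it

    def on_probation(ip, ts):
        started = pass_new_at.get(ip)
        return started is not None and 0 <= (ts - started).total_seconds() <= window_seconds

    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # dnsblog/smtpd lines are not postscreen decisions
        ts, msg = parse_ts(m["ts"]), m["msg"]
        pm = PASS_NEW_RE.match(msg)
        if pm:
            pass_new_at[pm["ip"]] = ts
            continue
        cm = CONNECT_RE.match(msg)
        if cm and on_probation(cm["ip"], ts):
            connects[cm["ip"]] += 1
            continue
        rm = REJECT_RE.match(msg)
        if rm and rm["reason"] == "too many connections" and on_probation(rm["ip"], ts):
            rejects[rm["ip"]] += 1

    flagged = {}
    for ip in pass_new_at:
        if connects[ip] > max_connects or rejects[ip] > 0:
            flagged[ip] = {"connects": connects[ip], "rejects": rejects[ip]}
    return flagged


def block_rules(flagged):
    """iptables rules a fail2ban-style reactor could apply, one per flagged client."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_probation_failures(SAMPLE_LOG.splitlines())
    for ip, stats in hits.items():
        print(f"{ip}: {stats['connects']} connects, {stats['rejects']} rejects during probation")
    for rule in block_rules(hits):
        print(rule)
```

On the extract above this flags only 202.106.74.102 (five CONNECTs and two rejects inside the 60 s after its PASS NEW) and leaves the constructed 192.0.2.10 alone. It is a stopgap rather than the probationary status the post asks for: postscreen has already issued PASS OLD by the time the watcher reacts, so the block lands at the packet filter, after the temporary whitelist has done its work. In a real deployment the rules would go into an ipset or a fail2ban jail with an expiry rather than being inserted one at a time.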