Patrick T. Tsang wrote:
> Of course you can whitelist IPs, but how many can you make?
> My working approach is to apply iptables to limit incoming port 25
> connections to a certain number within a couple of minutes and suspend the
> connection if it exceeds that. Release these IPs after a couple of minutes (say
> 5 mins).
> This works very well.
> There is no way to block IPs permanently.
> ----- Original Message ----- From: "Terry Carmen" <terry@...>
> To: "Rob Morin" <rob@...>
> Cc: "Wietse Venema" <wietse@...>; <jeff@...>;
> Sent: Saturday, December 01, 2007 4:13 AM
> Subject: Re: ddos
>> Rob Morin wrote:
>>> Do you not use a relay_recipients table, so the mail gets refused
>>> at the greeting? This is very easy to set up and will help reduce
>>> server loads...
>> It's one of the first couple of matches on the list. (the first is a
>> whitelist, the second is CIDRs of countries we don't talk to).
>> If it's a Dynamic IP or has no reverse DNS, we don't talk to them.
>> So far, we've only had to whitelist maybe 2 IPs. Works like a charm.
I am bombed with SMTP connections too, from big botnets.
For years I haven't found an all-around solution to reduce that.

For me it's not a question of how and why to reject them with Postfix (this
works nicely for me); I am simply bored of these trilliards of log entries
produced by bots.

I recommend following the tips of the Postfix UCE readme first, as well as
the tips from this list; this should help reduce the spam that gets through
and keep performance up for legal mail.

But in my case this wasn't enough to stop the bots.
I noticed that simply having a non-working MX as the first and the last DNS
entry worked for months in reducing bot activity, but that was gone a week
ago. Now I use fail2ban and additional static blocks with iptables
(IPs/nets taken out of the logs and checked with senderbase.org, which
produces blacklists for Postfix in an HTTP GUI).
Especially on my backup MX, I use a 24h block time with fail2ban.

It helped in my case, but be warned: look at your logs; this will show
you what might be the best rules in your case.

After all, I never had a real problem handling the mail traffic with
Postfix anyway; big thanks to Wietse.
I am looking forward to the 2.5 release and will set up the stress setup then,
as well as other new features.

Best regards, Robert Schetterer
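
The advice to look at your logs before choosing rules, as an added example that is not part of the original message: a simplified fail2ban-style replay over Postfix reject lines that compares the 5-minute release with the 24h block mentioned in the thread. The log lines, the `replay` function name, the year and the thresholds (3 rejects within 300 s) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Postfix smtpd syslog format (documentation IP ranges).
_LINE = ("Dec  1 {} mx2 postfix/smtpd[811]: NOQUEUE: reject: RCPT from "
         "unknown[{}]: 550 5.1.1 <x@example.org>: Recipient address rejected")
SAMPLE = ["Dec  1 04:00:00 mx2 postfix/smtpd[811]: connect from unknown[192.0.2.10]"]
SAMPLE += [_LINE.format(t, ip) for t, ip in [
    ("04:00:01", "192.0.2.10"), ("04:00:05", "192.0.2.10"),
    ("04:00:09", "192.0.2.10"), ("04:00:12", "192.0.2.10"),
    ("04:01:00", "198.51.100.7"), ("04:20:00", "198.51.100.7"),
    ("05:30:00", "192.0.2.10"),
]]

REJECT = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: "
                    r"NOQUEUE: reject: \w+ from \S*\[([0-9a-fA-F.:]+)\]")

def replay(lines, maxretry=3, findtime=300, bantime=86400, year=2007):
    """Replay reject lines against a ban rule (simplified, not fail2ban's code).

    Returns (bans, suppressed): a list of (ip, ban_start) and the number of
    reject lines that would not have been logged because the IP was blocked.
    Syslog timestamps carry no year, so `year` is an assumed value.
    """
    recent = defaultdict(deque)   # ip -> reject times still inside findtime
    banned_until = {}             # ip -> time the block is released
    bans, suppressed = [], 0
    for line in lines:
        m = REJECT.match(line)
        if not m:
            continue              # connects, deliveries, other daemons
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            suppressed += 1       # packet filter would have dropped this
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # forget rejects older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts))
            window.clear()
    return bans, suppressed

if __name__ == "__main__":
    for bantime in (300, 86400):
        print(bantime, replay(SAMPLE, bantime=bantime))
```
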