Re: Outbound RBL

Feb 1, 2012

On 2/1/2012 3:43 AM, Gábor Lénárt wrote:
> Of course I only wrote about a "local RBL" which is maintained by ourselves
> for this purpose, not a general-purpose public BL.

A local RBL would make some sense; you didn't mention that earlier.
That's not a whole lot different than maintaining a local blacklist
or firewall rules. Once you identify IPs you don't want sending
mail, there are multiple choices to block them -- a local RBL makes
sharing a blacklist within a farm very easy.

This is relatively lightweight; client connects, postfix does a DNS
lookup, client is rejected. As long as the client isn't making
DoS-level connections this is reasonably efficient. Postscreen
could do this with "before 220 tests", but is likely overkill.

At some point you may want to do something more complex than the
standard "reject_rbl_client ...", such as "this username can't
connect from this range" or "don't ever block this user". You can
do the more complex queries by using a policy service that consults
the RBL and can also consider the IP and username used. This still
allows the client to AUTH and adds that overhead, but is far more
flexible. This could be combined with Fail2Ban or similar built
into your policy service to temporarily firewall IPs that exceed
some level of bad behavior.
-- Noel Jones
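The policy-service approach described in the reply above, written out as an added example (this is not code from the post or from the Postfix project). It speaks the Postfix SMTPD policy delegation protocol (`name=value` lines ended by a blank line, answered with `action=...`), looks the client address up in a local RBL zone the way `reject_rbl_client` would, and layers the two per-user rules the message mentions on top: a "never block this user" list and a "this user may only connect from this range" table. The zone name `local-rbl.example`, the sample users and networks, and the injectable `resolver` callable (which keeps the DNS lookup replaceable so the module runs offline) are assumptions for the example, not values from the original.

```python
#!/usr/bin/env python3
"""Added example: a small Postfix SMTPD policy service (not code from the post).

It consults a local RBL and also considers the client IP and SASL username.
Assumptions not in the original message: the zone name ``local-rbl.example``,
the sample users and networks below, and the ``resolver`` callable used to
keep the DNS lookup replaceable so the module can be exercised offline.
"""
import ipaddress
import socket
import sys
from typing import Callable, Dict, List

LOCAL_RBL_ZONE = "local-rbl.example"          # hypothetical local RBL zone

# Constructed sample policy data.
NEVER_BLOCK_USERS = {"postmaster@example.com"}
USER_RANGE_RESTRICTIONS: Dict[str, List[ipaddress.IPv4Network]] = {
    "alice@example.com": [ipaddress.ip_network("203.0.113.0/24")],
}


def rbl_query_name(ip: str, zone: str = LOCAL_RBL_ZONE) -> str:
    """Return the DNSBL query name: reversed IPv4 octets under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def dns_listed(name: str) -> bool:
    """True if the name resolves, i.e. the client is listed in the RBL."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse policy delegation input: 'name=value' lines ended by a blank line."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line:
            break
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def decide(attrs: Dict[str, str],
           resolver: Callable[[str], bool] = dns_listed) -> str:
    """Return a Postfix access action for one request (DUNNO = no opinion)."""
    ip = attrs.get("client_address", "")
    user = attrs.get("sasl_username", "")

    # "don't ever block this user"
    if user in NEVER_BLOCK_USERS:
        return "DUNNO"

    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "DUNNO"   # unusable address: leave it to the other restrictions

    # "this username can't connect from this range"
    if user in USER_RANGE_RESTRICTIONS:
        if not any(addr in net for net in USER_RANGE_RESTRICTIONS[user]):
            return "REJECT user not permitted from this network"

    # The local RBL lookup, as reject_rbl_client would perform it.
    try:
        qname = rbl_query_name(ip)
    except ValueError:
        return "DUNNO"
    if resolver(qname):
        return "REJECT client listed in local RBL"
    return "DUNNO"


def handle_request(raw: str,
                   resolver: Callable[[str], bool] = dns_listed) -> str:
    """Full request -> full response, in the format Postfix expects."""
    return "action=%s\n\n" % decide(parse_policy_request(raw), resolver)


def main() -> None:
    """Read requests on stdin and answer on stdout (spawn(8)-style loop)."""
    buf: List[str] = []
    for line in sys.stdin:
        line = line.rstrip("\n")
        buf.append(line)
        if line == "":
            sys.stdout.write(handle_request("\n".join(buf)))
            sys.stdout.flush()
            buf = []


if __name__ == "__main__":
    main()
```

To wire it in, the script would be started from a `spawn` entry in master.cf (with the service name `rblpolicy`, an assumed name) and referenced from the submission service's restrictions as `check_policy_service unix:private/rblpolicy`. Because the decision runs after AUTH, the rejected client still pays for the authentication round trip, which is the overhead the message trades for the extra flexibility; a Fail2Ban-style counter could be added inside `decide` to escalate repeat offenders to a firewall rule.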