283378 Re: Outbound RBL

  • Noel Jones
    Feb 1, 2012
      On 2/1/2012 3:43 AM, Gábor Lénárt wrote:
      > Of course I only wrote about a "local RBL" which is maintained by ourselves
      > for this purpose, not a general-purpose public BL.

      A local RBL would make some sense; you didn't mention that earlier.
      That's not a whole lot different than maintaining a local blacklist
      or firewall rules. Once you identify IPs you don't want sending
      mail, there are multiple choices to block them -- a local RBL makes
      sharing a blacklist within a farm very easy.

      This is relatively lightweight; client connects, postfix does a DNS
      lookup, client is rejected. As long as the client isn't making
      DoS-level connections this is reasonably efficient. Postscreen
      could do this with "before 220 tests", but is likely overkill.

      At some point you may want to do something more complex than the
      standard "reject_rbl_client ...", such as "this username can't
      connect from this range" or "don't ever block this user". You can
      do the more complex queries by using a policy service that consults
      the RBL and can also consider the IP and username used. This still
      allows the client to AUTH and adds that overhead, but is far more
      flexible. This could be combined with Fail2Ban or similar built
      into your policy service to temporarily firewall IPs that exceed
      some level of bad behavior.


      -- Noel Jones
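
The policy-service approach described in the message above, sketched as an added example (not code from the thread or from Postfix): it parses a Postfix policy delegation request, applies per-user rules on `sasl_username` and `client_address`, then falls back to the local RBL lookup. The zone name, user names, networks and function names are assumptions, and the transport (a spawn(8) or socket wrapper feeding requests to `respond`) is left out.

```python
import ipaddress
import socket

# Constructed sample policy data (assumptions, not from the thread)
RBL_ZONE = "rbl.example.internal"         # zone served by the local RBL
NEVER_BLOCK = {"postmaster@example.com"}  # SASL logins that are never blocked
USER_DENY = {"alice@example.com": [ipaddress.ip_network("203.0.113.0/24")]}

def rbl_name(ip, zone=RBL_ZONE):
    # DNSBL convention: reversed IPv4 octets prepended to the zone
    return ".".join(reversed(ip.split("."))) + "." + zone

def dns_listed(ip):
    try:
        socket.gethostbyname(rbl_name(ip))  # any A record means "listed"
        return True
    except socket.gaierror:
        return False  # NXDOMAIN or lookup failure: treat as not listed

def parse_request(text):
    # Policy delegation request: name=value lines ended by an empty line
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs, listed=dns_listed):
    user = attrs.get("sasl_username", "")
    if user in NEVER_BLOCK:
        return "DUNNO"  # "don't ever block this user"
    try:
        addr = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "DUNNO"  # no usable address; leave it to later restrictions
    if any(addr in net for net in USER_DENY.get(user, [])):
        return "REJECT Login not permitted from this network"
    if addr.version == 4 and listed(str(addr)):
        return "REJECT Client address is on the local blocklist"
    return "DUNNO"

def respond(request_text, listed=dns_listed):
    # Reply format: a single action line followed by an empty line
    return "action=" + decide(parse_request(request_text), listed) + "\n\n"
```

The `listed` parameter lets the DNS lookup be swapped for a stub when testing rules offline; a lookup failure falls through to `DUNNO`, so an unreachable RBL does not block mail.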