On Fri, Apr 27, 2012 at 09:37:46AM -0700, kar...@mailcan.com wrote:
> On Fri, Apr 27, 2012, at 05:32 PM, Jim Reid wrote:
> > This is beginning to smell very
> > much like something the DNS already provides for free.
>
> If that auto-expiry hash table functionality is not already built
> into Postfix (which would be kind of nice to have for other things
> too; may look into cobbling it up anyway), then that's a good
> point. At the moment, the only difference being the 'network
> traffic' to/from the DNS server. Likely not much of a burden. I
> could address it if need be by putting a caching DNS slave on the
> same box as the Postfix server. Overkill, it sounds like.
It's never overkill to run a caching resolver on even a minor Postfix
box. On the contrary, I'd say it's essential.

One other comment: yes, you can do things to make any DNSBL hit a
permanent cause for rejection. A simple approach would be to parse logs
and populate a check_client_access map therefrom.

But consider this: the TTL of a DNSBL listing is a feature. Sometimes
legitimate sites will be listed, for example, in the CBL. Once they clean
up the problem, do you still want to block them?
-- 
    http://rob0.nodns4.us/ -- system administration and consulting
    Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
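The "parse logs and populate a check_client_access map" approach above, together with the TTL caveat, as an added example that is not part of the thread or of Postfix itself. It reads postfix/smtpd "blocked using" rejection lines, records the client IP and the DNSBL that listed it, and writes an access(5) table in which every entry ages out after a chosen lifetime, so a host that cleans up is not blocked forever. The log lines are constructed, the function names and the 24-hour default lifetime are the example's own choices, and the lifetime is a stand-in for the DNSBL's real TTL, which the script does not query.

```python
"""Turn Postfix DNSBL rejections into a check_client_access map with expiry.

Added example, not code from the original thread. It parses syslog-style
postfix/smtpd "blocked using" lines, records the client IP and the DNSBL
that listed it, and keeps each entry only for a configurable lifetime so a
host that cleans up ages out instead of being blocked forever. The log
lines below are constructed; the names and the 24-hour default are the
example's own choices, not Postfix's.
"""
import re
from datetime import datetime, timedelta

# Postfix smtpd DNSBL rejection (reject_rbl_client), for example:
#   "... NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service
#    unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; ..."
_DNSBL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: \w+ from [^\[]*\[(?P<ip>[^\]]+)\]: \d{3} [\d.]+ [^;]*; "
    r"Client host \[(?P=ip)\] blocked using (?P<dnsbl>[^;\s]+)"
)

# Constructed sample log: two hosts listed on Apr 27, one of them listed
# again on Apr 28, plus an unrelated connect line that must be ignored.
SAMPLE_LOG = """\
Apr 27 09:40:12 mx postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/192.0.2.10; from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<mail.example.com>
Apr 27 09:41:03 mx postfix/smtpd[12346]: connect from mail.example.net[198.51.100.7]
Apr 27 09:41:05 mx postfix/smtpd[12346]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using bl.example.test; from=<c@example.net> to=<d@example.org> proto=ESMTP helo=<mail.example.net>
Apr 28 03:00:00 mx postfix/smtpd[12399]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<e@example.com> to=<f@example.org> proto=ESMTP helo=<x>
"""


def parse_dnsbl_rejects(lines, year):
    """Return [(timestamp, client_ip, dnsbl)] for each DNSBL rejection.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    hits = []
    for line in lines:
        m = _DNSBL_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        hits.append((ts, m.group("ip"), m.group("dnsbl")))
    return hits


def update_access_state(state, hits, now, ttl):
    """Merge hits into state {ip: (expires_at, dnsbl)}, dropping expired entries.

    Each hit extends the entry's life to hit_time + ttl, so a host that keeps
    getting listed stays blocked while one that was cleaned up ages out.
    """
    new_state = {ip: v for ip, v in state.items() if v[0] > now}
    for ts, ip, dnsbl in hits:
        expires = ts + ttl
        if expires <= now:
            continue  # already older than the lifetime: never list it
        prev = new_state.get(ip)
        if prev is None or expires > prev[0]:
            new_state[ip] = (expires, dnsbl)
    return new_state


def render_access_map(state):
    """Render state as a Postfix access(5) table for check_client_access.

    Run the output through postmap(1). The expiry is written as a comment so
    an operator can see when each entry will be pruned on the next run.
    """
    out = []
    for ip in sorted(state):
        expires, dnsbl = state[ip]
        out.append(f"# listed by {dnsbl}, expires {expires:%Y-%m-%d %H:%M:%S}")
        out.append(f"{ip}\tREJECT Client host blocked earlier by {dnsbl}")
    return "\n".join(out) + ("\n" if out else "")


def demo(now_iso="2012-04-28T12:00:00", ttl_hours=24):
    """Run the pipeline over the constructed sample log at a chosen 'now'."""
    hits = parse_dnsbl_rejects(SAMPLE_LOG.splitlines(), year=2012)
    state = update_access_state({}, hits, datetime.fromisoformat(now_iso),
                                timedelta(hours=ttl_hours))
    return state, render_access_map(state)


if __name__ == "__main__":
    print(demo()[1], end="")
```

Run from cron, the script rewrites the table and `postmap` rebuilds it; the map is then referenced as `check_client_access hash:/path/to/dnsbl_hits` ahead of `reject_rbl_client` in `smtpd_client_restrictions` (path assumed). With the default settings, 198.51.100.7, listed once on the morning of Apr 27, is gone by noon on Apr 28, while 192.0.2.10, listed again on Apr 28, is still rejected; set the lifetime to something near the DNSBL's own TTL rather than to "forever", which is the point of the caveat above.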