On May 23, 2012, at 15:35, Wietse Venema wrote:

> Wietse Venema:
>> Wietse Venema:
>>> Maciej Uhlig:
>>>> We run fail2ban to update postscreen blacklist which is cidr file. To
>>>> make postscreen see the changes we have to reload postfix. Yesterday we
>>>> found postfix was reloaded more than 3000 times. Sure it is not acceptable.
>>>
>>> Surely you don't have to reload it EVERY 30 SECONDS. What about
>>> using a 5-minute time window.
>>
>> Or using RBLDNSD, and adjusting postscreen_dnsbl_ttl suitably.
>
> See also the detailed reply by DTNX Postmaster.
>
> A word of caution: postscreen is designed to avoid doing tests for
> every client connection; the postscreen_dnsbl_ttl value determines
> how long DNSBL results are cached so that a test can be skipped,
> and setting the value too low can result in an unacceptable number
> of postscreen cache updates.
>
> There currently is no way to say "don't update the postscreen cache
> when a client passes test X" (X = DNSBL or PREGREET), or to have
> different postscreen_dnsbl_ttl settings for different DNSBL providers.
> Software doesn't grow on trees. It needs to be designed, built,
> tested and documented.
I would suggest leaving the postscreen TTL at the default, unless you run into a scenario where the standard one (1) hour gives you trouble for some reason. Hasn't been an issue so far for us, and I reckon it won't be in most setups. For those rare situations where something needs to happen right now, you can drop something at the firewall, or reload Postfix.

I rather like the fact that postscreen limits its scope, and doesn't try to be everything. Thank you for designing, building, testing and documenting reliable, predictable software :-)

Cya,
Jona
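One way to apply the 5-minute time window suggested in the thread, as an added example that is neither from the thread nor part of Postfix or fail2ban: a small POSIX sh wrapper that fail2ban (or a cron job) calls instead of running "postfix reload" directly, so thousands of CIDR map updates collapse into at most one reload per window. The names maybe_reload, STAMP_FILE, MIN_INTERVAL and RELOAD_CMD are the example's own assumptions, not Postfix settings.

```shell
#!/bin/sh
# Added example (not from the thread): coalesce many CIDR map changes into
# at most one "postfix reload" per MIN_INTERVAL seconds.
MIN_INTERVAL="${MIN_INTERVAL:-300}"                       # 5-minute window
STAMP_FILE="${STAMP_FILE:-/var/run/postscreen-reload.stamp}"
RELOAD_CMD="${RELOAD_CMD:-postfix reload}"                # replace with a stub to test

# maybe_reload MAPFILE NOW_EPOCH
# Returns 0 and prints "reloaded" when a reload was performed; returns 1 and
# prints "skipped" (map unchanged) or "deferred" (changed, but inside the
# window); 2 if the map is missing; 3 if the reload command itself failed.
# NOW_EPOCH is passed in (normally $(date +%s)) so the logic is testable.
maybe_reload() {
    map="$1"; now="$2"
    [ -f "$map" ] || { echo "no such map: $map" >&2; return 2; }
    # compare content, not mtime: fail2ban may rewrite the file many times a second
    sum=$(cksum "$map" | cut -d' ' -f1)
    if [ -f "$STAMP_FILE" ]; then
        read -r last lastsum < "$STAMP_FILE"     # "epoch checksum" of last reload
        [ "$sum" != "$lastsum" ] || { echo skipped; return 1; }
        [ $((now - last)) -ge "$MIN_INTERVAL" ] || { echo deferred; return 1; }
    fi
    $RELOAD_CMD || return 3
    echo "$now $sum" > "$STAMP_FILE"
    echo reloaded
    return 0
}
```

A deferred change is picked up by the next invocation after the window has elapsed, so the wrapper should be run periodically (e.g. from cron) rather than only on map changes.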
