NetBSD-Users archive


Re: Blocklistd + postfix



Brook Milligan wrote:

BM> Does it make sense that failed SMTP authentication should trigger
BM> blocklistd events?

Basically yes.  I don't know, though, whether the trigger should
be implemented at the postfix level, the underlying SASL mechanism
used, or even the PAM framework.

And whether or not one makes use of it depends on the actual
circumstances, just like Greg already wrote.

I'd happily activate it on my personal mail server without any
problems.

On the mailservers we operate as an ISP for business customers,
it's a decision which can be tricky to balance.  It will always
happen that one user with an incorrect or outdated config will
trigger the block for all the colleagues working from behind the
same NAT address.  This can usually be resolved quickly enough for
a small customer with, say, just 5 accounts;  with 20 mail
accounts, the odds of this happening just rise and the impact
becomes much worse.  In the best case, the mail customer is using
static addresses we can exempt from being blocked.

What irks me about blocklistd(8) is the lack of a way of correcting
such mishaps quickly.  blocklistctl(8) should not just have the
current "dump" sub-command to investigate the blocked entries;
having some "release/cleanup" facilities would be a real bonus.
Restoring access directly with npfctl (or whatever is used) doesn't
feel right to me.

						Martin Neitzel

