blacklistd vs blocklistd
0 views
Skip to first unread message
Doug Hardie
Feb 8, 2026, 12:13:53 PM (12 days ago) Feb 8
to ques...@freebsd.org
FreeBSD 15 had added blocklistd whereas previous versions had blocklistd. Apparently blocklistd is going to be the only one in the near future so we need to migrate to it. I tried that, and encountered the issue that postfix only supports blacklistd and ssh only supports blocklistd. As a result, a system that wants to use both cannot. Either one or the other works depending on which server is started.
I don't know if both can be run simultaneously since the database is in different files for both. What is the migration path for this other than waiting for postfix to be updated to blocklistd?
-- Doug
I don't know if both can be run simultaneously since the database is in different files for both. What is the migration path for this other than waiting for postfix to be updated to blocklistd?
-- Doug
Michael Grimm
Feb 8, 2026, 3:06:39 PM (12 days ago) Feb 8
to ques...@freebsd.org
Doug Hardie <bc...@lafn.org> wrote:
> FreeBSD 15 had added blocklistd whereas previous versions had blocklistd. Apparently blocklistd is going to be the only one in the near future so we need to migrate to it. I tried that, and encountered the issue that postfix only supports blacklistd and ssh only supports blocklistd. As a result, a system that wants to use both cannot. Either one or the other works depending on which server is started.
Hmm. I am running 15.0-STABLE and I don't have any issue with running blocklistd daemon. (I am using blocklistd because the removal of blacklistd will come.)
> FreeBSD 15 had added blocklistd whereas previous versions had blocklistd. Apparently blocklistd is going to be the only one in the near future so we need to migrate to it. I tried that, and encountered the issue that postfix only supports blacklistd and ssh only supports blocklistd. As a result, a system that wants to use both cannot. Either one or the other works depending on which server is started.
blocklistd runs perfectly well with both sshd and postfix(-current) on smtp and submission. Just use blocklistd_enable="YES" in your /etc/rc.conf and blocklistd should run as expected. And you need to rename your old /etc/blacklistd.conf into /etc/blocklistd.conf
Regards,
Michael
Doug Hardie
Feb 8, 2026, 5:02:42 PM (11 days ago) Feb 8
to Michael Grimm, ques...@freebsd.org
-- Doug
Michael Grimm
Feb 8, 2026, 5:16:13 PM (11 days ago) Feb 8
to ques...@freebsd.org
Doug Hardie <bc...@lafn.org> wrote:
>> On Feb 8, 2026, at 12:05, Michael Grimm <tras...@ellael.org> wrote:
>> Doug Hardie <bc...@lafn.org> wrote:
>>> I tried that, and encountered the issue that postfix only supports blacklistd and ssh only supports blocklistd. As a result, a system that wants to use both cannot. Either one or the other works depending on which server is started.
>> On Feb 8, 2026, at 12:05, Michael Grimm <tras...@ellael.org> wrote:
>> Doug Hardie <bc...@lafn.org> wrote:
>>> I tried that, and encountered the issue that postfix only supports blacklistd and ssh only supports blocklistd. As a result, a system that wants to use both cannot. Either one or the other works depending on which server is started.
>> blocklistd runs perfectly well with both sshd and postfix(-current) on smtp and submission. Just use blocklistd_enable="YES" in your /etc/rc.conf and blocklistd should run as expected. And you need to rename your old /etc/blacklistd.conf into /etc/blocklistd.conf
>
> The version of postfix in the packages still has blacklist.
Ah, now I see what you are referring to.
>
> The version of postfix in the packages still has blacklist.
But, that is just a lack in wording, respecting the upstream change of blocklistd sources. More or less a cosmetic issue in the Makefiles and patches in 'files' of all postfix ports.
The patches in the mail/postfix* ports are referencing the installed blocklistd sources in /usr/src!
Postfix becomes patched and postfix doesn't care whether you run blocklistd or blacklistd because both binaries are identical w.r.t to their functionality.
HTH and regards,
Michael
Dag-Erling Smørgrav
Feb 8, 2026, 6:43:52 PM (11 days ago) Feb 8
to Doug Hardie, ques...@freebsd.org
Doug Hardie <bc...@lafn.org> writes:
> FreeBSD 15 had added blocklistd whereas previous versions had
> blocklistd. [...] I tried that, and encountered the issue that
> FreeBSD 15 had added blocklistd whereas previous versions had
> postfix only supports blacklistd and ssh only supports blocklistd.
They are completely interchangeable and both Postfix and OpenSSH support
both.
DES
--
Dag-Erling Smørgrav - d...@FreeBSD.org
Doug Hardie
Feb 8, 2026, 8:22:57 PM (11 days ago) Feb 8
to Dag-Erling Smørgrav, ques...@freebsd.org
> On Feb 8, 2026, at 15:43, Dag-Erling Smørgrav <d...@FreeBSD.org> wrote:
>
> Doug Hardie <bc...@lafn.org> writes:
>> FreeBSD 15 had added blocklistd whereas previous versions had
>> blocklistd. [...] I tried that, and encountered the issue that
>> postfix only supports blacklistd and ssh only supports blocklistd.
>
> They are completely interchangeable and both Postfix and OpenSSH support
> both.
>
I switched back to blocklistd, but the previous blacklistd entries show with blocklistctl, but pfctl only finds 5 entries whereas before there were over 800. Also, I previously was seeing around 80 new blocking entries added every hour. Now I am seeing 2 in the pf tables.
>
> Doug Hardie <bc...@lafn.org> writes:
>> FreeBSD 15 had added blocklistd whereas previous versions had
>> blocklistd. [...] I tried that, and encountered the issue that
>> postfix only supports blacklistd and ssh only supports blocklistd.
>
> They are completely interchangeable and both Postfix and OpenSSH support
> both.
>
-- Doug
Dag-Erling Smørgrav
Feb 9, 2026, 10:55:20 AM (11 days ago) Feb 9
to Doug Hardie, ques...@freebsd.org
Doug Hardie <bc...@lafn.org> writes:
> I switched back to blocklistd, but the previous blacklistd entries
> show with blocklistctl, but pfctl only finds 5 entries whereas before
> there were over 800. Also, I previously was seeing around 80 new
> blocking entries added every hour. Now I am seeing 2 in the pf
> tables.
Switching from one to the other changes the name of the pf anchor. Did
> I switched back to blocklistd, but the previous blacklistd entries
> show with blocklistctl, but pfctl only finds 5 entries whereas before
> there were over 800. Also, I previously was seeing around 80 new
> blocking entries added every hour. Now I am seeing 2 in the pf
> tables.
you update your pf.conf accordingly, and are you sure you're looking at
the correct anchor and table? For instance, if running blocklistd, you
would use the following command to see blocked IPs:
sudo pfctl -a blocklistd/22 -t port22 -Ts
Doug Hardie
Feb 9, 2026, 11:08:13 AM (11 days ago) Feb 9
to Dag-Erling Smørgrav, ques...@freebsd.org
mail# pfctl -ablocklistd/587 -tport587 -Ts | wc -l
406
mail# pfctl -ablocklistd/25 -tport25 -Ts | wc -l
141
However, there are 900 entries in blocklists table. All of them are prior to switching to blocklist. Since then, everything is working properly. It's just that the preexisting entries never got put into pf even though I got hundreds of pf messages that I was adding an existing IP to the table. In about 9 hours, all of the missing entries will have been deleted from blocklist as they expire.
-- Doug
Dag-Erling Smørgrav
Feb 9, 2026, 12:16:54 PM (11 days ago) Feb 9
to Doug Hardie, ques...@freebsd.org
You'll have to explain what you mean by “blocklists table”.
Doug Hardie
Feb 9, 2026, 12:32:41 PM (11 days ago) Feb 9
to ques...@freebsd.org
> On Feb 9, 2026, at 09:16, Dag-Erling Smørgrav <d...@freebsd.org> wrote:
>
> Doug Hardie <bc...@lafn.org> writes:
>> However, there are 900 entries in blocklists table.
>
> You'll have to explain what you mean by “blocklists table”.
-- Doug
Reply all
Reply to author
Forward
0 new messages