syslog-ng.conf:

Sources:

s_postscreen { („/var/log/mail.log“); };

Destinations:

destination d_postscreen { file("/etc/postfix/auto_blocklist"); };

Logs:

log { source(s_postscreen); parser(p_blacklistParser); destination(d_console); };

Parser: 

parser p_blacklistParser{ python(class("MessageParser")); };

parser p_blacklistParser{
    python(
        class("MessageParser")
    );
};

python {
import re
class MessageParser(object):

    def init(self, options):
        pattern = options["regex"]
        self.regex = re.compile(pattern)
        self.counter = 0
        return True

    def deinit(self):
        pass

    def parse(self, log_message):
        decoded_msg = log_message['MESSAGE'].decode('utf-8')
        match = re.findall('(?:RCPT from |from=|to=|helo=)"?([^\s"]+)', s)
        if match:
            ip = match[0].split(":")
            ip = ip[0].strip("[]")
            sender = match[1].split("@")
            sender = sender[1].strip("<>,")
            rcpt = match[2].strip("<>,")
            helo = match[4].strip("<>,")
            fileString = ip + "\t" + "reject" + "\n"
            f=open("/etc/postfix/postscreen_access.cidr", "a+")
            f.write(fileString)
            f.close()
            return True
        return False
};