What do you do with <smtp> table in other rules? If you’re doing nothing, you
need to do something like block additional connections, or adjust the pass rule
to include from ! <smtp>
Run: pfctl -t smtp -T show
Does it show the offending IP? If so, the rule worked as you defined it.
> On May 27, 2020, at 8:30 AM, Walter Alejandro Iglesias <w...@roquesor.com>
> wrote:
>
> Another question about pf.
>
> Perhaps I don't fully understand how connection rate is calculated.
>
> The following line in /etc/pf.conf:
>
> pass in log inet proto tcp to any port { smtp smtps } synproxy state \
> (max-src-conn-rate 5/30, overload <smtp> flush global)
>
> Shouldn't avoid this happen?
>
> In /var/log/maillog
> ----------------------------------------------------
> May 27 10:55:05 server smtpd[30272]: 1a931fba4746f485 smtp connected
> address=192.119.68.113 host=hwsrv-733438.hostwindsdns.com
> May 27 10:55:06 server smtpd[30272]: 1a931fba4746f485 smtp failed-command
> command="RCPT TO:<danivela1...@gmail.com>" result="550 Invalid recipient:
> <danivela1...@gmail.com>"
> May 27 10:55:06 server smtpd[30272]: 1a931fba4746f485 smtp disconnected
> reason=disconnect
> May 27 10:55:06 server smtpd[30272]: 1a931fbbc5c841e4 smtp connected
> address=192.119.68.113 host=hwsrv-733438.hostwindsdns.com
> May 27 10:55:06 server smtpd[30272]: 1a931fbbc5c841e4 smtp failed-command
> command="RCPT TO:<danivela1...@gmail.com>" result="550 Invalid recipient:
> <danivela1...@gmail.com>"
> May 27 10:55:07 server smtpd[30272]: 1a931fbbc5c841e4 smtp disconnected
> reason=disconnect
> May 27 10:55:07 server smtpd[30272]: 1a931fbc9f586ee6 smtp connected
> address=192.119.68.113 host=hwsrv-733438.hostwindsdns.com
> May 27 10:55:07 server smtpd[30272]: 1a931fbc9f586ee6 smtp failed-command
> command="RCPT TO:<danivela1...@gmail.com>" result="550 Invalid recipient:
> <danivela1...@gmail.com>"
> May 27 10:55:07 server smtpd[30272]: 1a931fbc9f586ee6 smtp disconnected
> reason=disconnect
> May 27 10:55:07 server smtpd[30272]: 1a931fbdf6b23f59 smtp connected
> address=192.119.68.113 host=hwsrv-733438.hostwindsdns.com
>
> [...] Complete here with 311 entries with the same time interval.
>
> May 27 10:59:11 server smtpd[30272]: 1a9320f8f8726fab smtp disconnected
> reason=disconnect
> May 27 10:59:11 server smtpd[30272]: 1a9320f9e3e281ab smtp connected
> address=192.119.68.113 host=hwsrv-733438.hostwindsdns.com
> May 27 10:59:11 server smtpd[30272]: 1a9320f9e3e281ab smtp failed-command
> command="RCPT TO:<danivela1...@gmail.com>" result="550 Invalid recipient:
> <danivela1...@gmail.com>"
> May 27 10:59:12 server smtpd[30272]: 1a9320f9e3e281ab smtp disconnected
> reason=disconnect
> May 27 10:59:12 server smtpd[30272]: 1a9320fa851b3e31 smtp connected
> address=192.119.68.113 host=hwsrv-733438.hostwindsdns.com
> May 27 10:59:12 server smtpd[30272]: 1a9320fa851b3e31 smtp failed-command
> command="RCPT TO:<danivela1...@gmail.com>" result="550 Invalid recipient:
> <danivela1...@gmail.com>"
> May 27 10:59:12 server smtpd[30272]: 1a9320fa851b3e31 smtp disconnected
> reason=disconnect
> May 27 10:59:13 server smtpd[30272]: 1a9320fbe3f04434 smtp connected
> address=192.119.68.113 host=hwsrv-733438.hostwindsdns.com
> May 27 10:59:13 server smtpd[30272]: 1a9320fbe3f04434 smtp failed-command
> command="RCPT TO:<danivela1...@gmail.com>" result="550 Invalid recipient:
> <danivela1...@gmail.com>"
> May 27 10:59:13 server smtpd[30272]: 1a9320fbe3f04434 smtp disconnected
> reason=disconnect
> May 27 10:59:13 server smtpd[30272]: 1a9320fc4f172f88 smtp connected
> address=192.119.68.113 host=hwsrv-733438.hostwindsdns.com
> May 27 10:59:14 server smtpd[30272]: 1a9320fc4f172f88 smtp failed-command
> command="RCPT TO:<danivela1...@gmail.com>" result="550 Invalid recipient:
> <danivela1...@gmail.com>"
> ------------------------------------------------------
>
> A total of *323* connections from the same IP at less than a 1/4 second
> interval during more than four minutes.
>
