On 5/28/24 10:15 PM, John Hill via Postfix-users wrote:

On 5/28/24 10:11 PM, Viktor Dukhovni via Postfix-users wrote:
On Wed, May 29, 2024 at 11:58:31AM +1000, Viktor Dukhovni via Postfix-users wrote:

You might in fact want to reject XBL IPs early, before they even
attempt authentication.  So I have:

     465        inet  n       -       n       -       - smtpd
         -o smtpd_delay_reject=no
         -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
         -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
         ...

     submission inet  n       -       n       -       - smtpd
         -o smtpd_delay_reject=no
         -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
         -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject

Example logs showing early enforcement for the above:

     postfix/smtps/smtpd[3583655]: connect from unknown[115.44.140.188]
     postfix/smtps/smtpd[3583655]: Anonymous TLS connection established from unknown[115.44.140.188]:
         TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
     postfix/smtps/smtpd[3583655]: NOQUEUE: reject: CONNECT from unknown[115.44.140.188]:
         554 5.7.1 Service unavailable; Client host [115.44.140.188] blocked using zen.spamhaus.org;
         Listed by XBL, see https://check.spamhaus.org/query/ip/115.44.140.188 /
         Listed by CSS, see https://check.spamhaus.org/query/ip/115.44.140.188; proto=SMTP
     postfix/smtps/smtpd[3583655]: lost connection after CONNECT from unknown[115.44.140.188]
     postfix/smtps/smtpd[3583655]: disconnect from unknown[115.44.140.188] commands=0/0

     postfix/submission/smtpd[3583513]: connect from burger.census.shodan.io[66.240.219.146]
     postfix/submission/smtpd[3583513]: NOQUEUE: reject: CONNECT from burger.census.shodan.io[66.240.219.146]:
         554 5.7.1 Service unavailable; Client host [66.240.219.146] blocked using zen.spamhaus.org;
         Listed by CSS, see https://check.spamhaus.org/query/ip/66.240.219.146 /
         Listed by XBL, see https://check.spamhaus.org/query/ip/66.240.219.146; proto=SMTP
     postfix/submission/smtpd[3583513]: lost connection after CONNECT from burger.census.shodan.io[66.240.219.146]
     postfix/submission/smtpd[3583513]: disconnect from burger.census.shodan.io[66.240.219.146] ehlo=0/1 commands=0/1

The wrapper-mode TLS "smtps" rejects are naturally after the TLS handshake.


   465        inet  n       -       n       -       -       smtpd
        -o smtpd_delay_reject=no
        -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        ...

    submission inet  n       -       n       -       -       smtpd
        -o smtpd_delay_reject=no
        -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
        -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject

All set up this way.
I will let it run overnight and see what hits.

Thank you
--john

Works like a charm.

 1   SASL authentication failed ---

Only one.

Thanks everyone for putting up with me!!

--john



_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
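
One way to measure the effect reported in the thread above (clients rejected at CONNECT versus clients that got as far as failing SASL), as an added example that is not part of the original messages. It assumes single-line syslog entries carrying the `postfix/smtps` and `postfix/submission` tags seen in the quoted logs; the sample lines and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix syslog style (documentation IP ranges).
# The last line shows a delayed (RCPT-stage) reject, as logged when
# smtpd_delay_reject is left at its default of yes.
SAMPLE_LOG = """\
May 29 02:01:10 mx postfix/smtps/smtpd[1001]: connect from unknown[192.0.2.10]
May 29 02:01:11 mx postfix/smtps/smtpd[1001]: NOQUEUE: reject: CONNECT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; Listed by XBL, see https://check.spamhaus.org/query/ip/192.0.2.10 / Listed by CSS, see https://check.spamhaus.org/query/ip/192.0.2.10; proto=SMTP
May 29 02:07:42 mx postfix/submission/smtpd[1002]: NOQUEUE: reject: CONNECT from scanner.example[198.51.100.20]: 554 5.7.1 Service unavailable; Client host [198.51.100.20] blocked using zen.spamhaus.org; Listed by XBL, see https://check.spamhaus.org/query/ip/198.51.100.20; proto=SMTP
May 29 03:15:00 mx postfix/submission/smtpd[1003]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
May 29 03:20:00 mx postfix/submission/smtpd[1004]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using zen.spamhaus.org; from=<a@example.com> to=<b@example.net> proto=ESMTP helo=<x>
"""

REJECT = re.compile(
    r"postfix/(?P<svc>[\w-]+)/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"\S*\[(?P<ip>[0-9a-fA-F.:]+)\]: 554 .*? blocked using (?P<zone>[\w.-]+);(?P<rest>.*)")
SASL_FAIL = re.compile(
    r"postfix/(?P<svc>[\w-]+)/smtpd\[\d+\]: warning: \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL \S+ authentication failed")
LISTED = re.compile(r"Listed by (\w+)")

def summarize(log_text, services=("smtps", "submission")):
    """Count DNSBL rejects at CONNECT, SASL failures, and delayed rejects."""
    early, sasl, lists, delayed = Counter(), Counter(), Counter(), []
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m and m["svc"] in services:
            if m["stage"] == "CONNECT":
                # Rejected before the client could attempt AUTH.
                early[m["svc"]] += 1
                lists.update(set(LISTED.findall(m["rest"])))
            else:
                # A later stage means the reject was not enforced early.
                delayed.append((m["svc"], m["stage"], m["ip"]))
            continue
        m = SASL_FAIL.search(line)
        if m and m["svc"] in services:
            sasl[m["svc"]] += 1
    return {"early": dict(early), "sasl_failed": dict(sasl),
            "lists": dict(lists), "delayed": delayed}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Any entry under `delayed` for a submission service points at a listener where the `smtpd_delay_reject=no` override is not in effect.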
